One-third of companies still don’t know what caused their data security incidents over the past year, and three-quarters say it’s becoming more complex to understand their security tech stack — two key statistics that underscore the challenges security teams face in improving operations in the wake of being breached.

According to Foundry/CSO’s Security Priorities Study 2024, only 67% of security leaders are aware of what caused data security incidents at their organizations in the past 12 months.

Detecting the causes of breaches has become increasingly complex due to several converging factors.

First, identifying that a breach has occurred remains a significant challenge. According to a report from IBM, firms take an average of 207 days to identify a breach — and an additional 70 days to contain it. As a result, root cause analysis might not come into focus until at least nine months after initial access, leaving organizations hard-pressed to pinpoint causes and thus learn from security incidents.

Moreover, spotting security incidents and understanding their origins is becoming more challenging not least because attackers are becoming more skilled at avoiding detection.

“Today’s attacks are often AI-driven and tailored for stealth, making it difficult to detect breaches at their inception,” says Andrew Rose, CSO at security awareness platform SoSafe. “Financial constraints and a shortage of skilled cybersecurity professionals mean many organizations lack the resources to swiftly identify, investigate, and trace threats.”

All these issues are compounded by the challenges of securing remote work environments and IoT devices, many of which were never designed with security in mind, leaving visibility gaps that attackers can readily exploit.

Security experts canvassed by CSO broke down the breach detection problem into the following distinct challenges.

Absence of proper detection and monitoring systems

Finding the root cause of a breach relies on robust monitoring and forensic capabilities. And when security operations are outsourced — as they increasingly are — lack of familiarity with the business can play a role.

Brian Jack, CISO at KnowBe4, says a number of factors repeatedly crop up in breaches he has investigated.

“I saw several times that a breach went unnoticed for a lengthy period of time because the SOC [security operations center] function had been largely outsourced to a third party and that third party failed to notify the customer of suspicious events,” Jack explains.

“Third-party SOCs often lack the knowledge, not the skill, to tell if certain events that trigger alerts are something worth investigating,” he says. “It is very helpful in a SOC to have knowledge about the business, who the personnel are, and what organizational changes might be happening.”

Spotty incident response planning

Having a clear incident response plan in place prepares an organization for the task of investigating and uncovering the root cause of a breach if one should occur.

Paul McLatchie, security strategy consultant at Daisy Corporate Services, tells CSO: “Cyber breaches are not a case of ‘if,’ but ‘when,’ which is why organizations must be prepared by creating and following an incident response plan.”

Cyber incident response focuses on rapidly identifying security events and incidents within the organization, validating their scope and impact, and enabling effective mitigative and remedial measures to address them. Response plans must also extend into post-event analysis and a review of lessons learned, so that the root cause of a breach is identified and the changes needed to prevent a repeat are actually made.

Understanding the cause of a breach and safeguarding against future issues is important because organizations unable to learn from incidents will be highly susceptible to further breaches.

“An ineffective plan, or steps that are not followed precisely, leads to issues,” says McLatchie. “Often organizations can ignore the final stages of an incident response plan and rush their return to operations.”

McLatchie warns: “This results in insufficient root cause analysis of the breach, or in some cases crucial evidence being inadvertently destroyed.”

KnowBe4’s Jack agrees that thorough analysis is valuable in the long run.

“Having log visibility to as many assets as possible and retaining those logs for a long enough period to have sufficient coverage to do investigations can be costly,” he says. “However, it is important in early detection and complete investigation of key breach events.”

Budgetary constraints

Security budgets are stretched thin, so many businesses are failing to invest in resources that make it easier to trace the source of a breach.

Graeme Stewart, head of public sector at Check Point Software, says that breach detection challenges are compounded by limited staffing and procedural gaps.

“With tight budgets and staffing pressures, getting systems back online becomes the immediate focus,” Stewart says. “This often means putting out the fire first, then cleaning up the aftermath, and only then understanding what caused it in the first place.”

Limited budgets often result in understaffed teams, limited capacity for root-cause analysis, and inadequate forensic capabilities.

Small and midsize firms are specifically challenged to promptly identify problems, says Conor O’Neill, cybersecurity expert and CEO and co-founder of pen-testing platform OnSecurity.

“Small businesses are more vulnerable to cyberattacks than larger corporations; this is due to limited budgets, a lack of in-house security functions, and a shortage of trained staff who know how to handle and prevent data breaches, all crucial for identifying data breaches,” he says.

Increasingly sophisticated and stealthy attacks

As attacks become more sophisticated it can become more difficult to unpack the cause of problems, says Raj Samani, SVP and chief scientist at security firm Rapid7.

“We must acknowledge that many threat groups take measures to obfuscate their tracks, invariably making any investigation more challenging,” he says. “However, this is often only part of the reason why identifying the source of the breach is so difficult.”

Samani adds: “Whilst technologies will aid the investigation, the time spent retroactively reviewing such incidents often competes with the urgency of the next issue, or indeed, the demand to get the environment operational again.”

Many breaches are detected long after they occur, and delays make it harder to identify root causes. Here, time is on the side of an attacker, with computer forensic capabilities fading over time as data is amended, overwritten, and deleted.

“Hackers are always finding new ways to blend into regular network traffic, so even the best detection systems can end up playing a never-ending game of ‘whack-a-mole’ with threats,” says Peter Wood, CTO at Spectrum Search. “And while the systems might flag something suspicious, figuring out exactly where it started is another story altogether.”

Attackers are increasingly stealing and using legitimate user credentials to evade detection, move laterally across systems, and blend in with regular network activity, adds David Spencer, director of technical product management at Immersive Labs.

“The situation is further complicated as most attacks involve capturing credentials from clear text files, password managers, or memory dumps, making it nearly impossible to distinguish between attacker and victim,” he says. “It’s like searching for a [specific] needle in a growing stack of needles.”
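The detection problem Spencer describes has a defensive counterpart: even when an attacker uses a valid account, the *pattern* of use often differs from the legitimate owner's. The following is an added example, not code from the article or from Immersive Labs, showing two simple heuristics run over constructed successful-logon records: a valid account appearing from a source address never seen during a baseline period, and one account reaching an unusual number of distinct hosts within a short window. The record format (timestamp, user, source IP, target host), the baseline cut-off, the window and the host threshold are all assumptions chosen for illustration.

```python
"""Flag likely stolen-credential use in successful logon records.

Added example, not code from the CSO article or any vendor quoted in it.
The log format, baseline window and thresholds are assumptions; the
records below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of *successful* logons. The last five show one
# account used from a never-seen source to reach many hosts quickly.
SAMPLE_LOG = """\
2024-11-01T08:02:11Z alice 10.1.1.20 FS01
2024-11-01T08:05:40Z alice 10.1.1.20 MAIL01
2024-11-02T08:01:03Z alice 10.1.1.20 FS01
2024-11-03T08:04:19Z alice 10.1.1.20 FS01
2024-11-03T09:10:00Z bob 10.1.2.33 FS01
2024-11-04T02:14:05Z alice 10.9.9.9 FS01
2024-11-04T02:14:50Z alice 10.9.9.9 DC01
2024-11-04T02:15:12Z alice 10.9.9.9 HR01
2024-11-04T02:15:40Z alice 10.9.9.9 FIN01
2024-11-04T02:16:07Z alice 10.9.9.9 BACKUP01
"""


def parse_log(text):
    """Parse 'ts user src dst' lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, dst = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "src": src, "dst": dst,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events, baseline_until, window=timedelta(minutes=10), max_hosts=3):
    """Return findings for (a) an account logging on from a source never
    seen during the baseline period and (b) an account reaching more than
    max_hosts distinct hosts inside one sliding window."""
    # Baseline: which source addresses each account normally uses.
    known_src = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_until:
            known_src[e["user"]].add(e["src"])

    findings = []
    reported = set()  # report each (user, new source) pair only once
    for e in events:
        key = (e["user"], e["src"])
        if (e["ts"] >= baseline_until
                and e["src"] not in known_src[e["user"]]
                and key not in reported):
            reported.add(key)
            findings.append({"type": "new_source", "user": e["user"],
                             "src": e["src"], "at": e["ts"]})

    # Burst of distinct target hosts per account within the window.
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            hosts = {x["dst"] for x in evs[i:]
                     if x["ts"] - start["ts"] <= window}
            if len(hosts) > max_hosts:
                findings.append({"type": "lateral_burst", "user": user,
                                 "src": start["src"], "at": start["ts"],
                                 "hosts": len(hosts)})
                break  # one finding per account is enough for triage
    return findings


def run_sample():
    """Run both heuristics over the constructed sample (assumed baseline
    cut-off: everything before 2024-11-04 is 'normal')."""
    return detect(parse_log(SAMPLE_LOG), baseline_until=datetime(2024, 11, 4))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Both heuristics depend on log retention: the baseline is only as good as the history kept, which is the point Jack makes above about holding logs long enough to cover an investigation.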

Overly complex (and disconnected) security stacks

Complexity of the security tech stack is also a growing issue.

“Many companies use multiple systems, applications, and tools, which often don’t integrate,” says Benson Varghese, founder and managing partner of US law firm Varghese Summersett.

Like solving a puzzle without all the pieces, determining where a breach occurred is difficult when systems fail to fit together.

“I’ve had clients using a mix of security solutions, some of which were outdated or didn’t communicate,” Varghese tells CSO. “My client’s breach went undetected for months because their monitoring system wasn’t aligned with their security infrastructure.”

Varghese adds: “The trail was cold when they realized what was happening.”

Many firms are burdened with technical debt, relying on outdated systems that lack comprehensive logging capabilities, making it difficult to track and analyze incidents in detail.

“One of the primary issues lies in detection and monitoring, complicated further by increasingly intricate security tech stacks,” says Kennet Harpsøe, lead security researcher at Logpoint. “Without cohesive integration among tools, critical indicators of compromise can easily be missed or delayed, leaving security teams overwhelmed by massive amounts of data — a situation where the signal is often lost in the noise of false positives.”

Ben Jarlett, senior application analyst at London Metropolitan University, tells CSO: “Security information and event management [SIEM] systems and extended detection and response [XDR] platforms can help, but they require proper tuning, regular updates, and skilled management to be effective.”

Jarlett adds: “In many cases, companies either underutilize these systems or face a barrage of false positives, which can obscure genuine threats and delay the identification of root causes.”

Lewis Duke, SecOps and threat intelligence lead at Trend Micro, believes consolidation of security tech stacks can help.

“Organizations are much better prepared when utilizing consolidated and correlated tooling to provide real context and remove operational overhead when it comes to investigation,” he says. “This is why we are seeing such an industry shift towards a platform-based security strategy that allows for faster, more effective IR [incident response], as well as obvious benefits around the cost and skills required to operate a reduced tech stack.”

Alert fatigue

Security monitoring systems generate millions of daily alerts, overwhelming SOCs and making it harder to isolate malicious behavior.

The high volume of false-positive alerts generated by many security systems creates an overwhelming “signal-to-noise” problem. “Analysts are often flooded with alerts, making it a daunting task to isolate genuine threats and determine their root causes,” says Logpoint’s Harpsøe.

Ultimately, addressing these challenges requires improved integration of detection tools, more effective prioritization of alerts, and a strategic emphasis on maintaining comprehensive visibility across all assets.
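The integration and prioritization that the paragraph above calls for can be shown concretely. As an added example, not code from the article or from Logpoint, the following correlates alerts from several tools into incidents by the host or user they share, collapses repeated firings of the same rule, and scores each incident so that a multi-tool chain on one host outranks a single noisy rule. The alert fields, tool names and the scoring rule (highest severity times the number of distinct tools that fired) are assumptions; the alerts are constructed for illustration.

```python
"""Correlate alerts from several tools into ranked incidents.

Added example, not code from the CSO article or any vendor quoted in it.
Alert format, tool names and the scoring rule are assumptions; the
alerts below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample alerts: (time, tool, rule, host, user, severity 1-5)
SAMPLE_ALERTS = [
    ("10:00", "siem", "failed_logins", "WS07", "alice", 2),
    ("10:01", "siem", "failed_logins", "WS07", "alice", 2),
    ("10:02", "siem", "failed_logins", "WS07", "alice", 2),
    ("10:05", "edr", "lsass_access", "WS07", "alice", 4),
    ("10:09", "proxy", "rare_domain", "WS07", "alice", 3),
    ("10:00", "siem", "failed_logins", "WS12", "bob", 2),
    ("10:03", "siem", "failed_logins", "WS12", "bob", 2),
    ("11:30", "av", "pup_detected", "LT03", "carol", 1),
]


class UnionFind:
    """Minimal disjoint-set structure to link entities that co-occur."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def correlate(alerts):
    """Group alerts that share a host or a user into incidents."""
    uf = UnionFind()
    for _, _, _, host, user, _ in alerts:
        uf.union("host:" + host, "user:" + user)
    groups = defaultdict(list)
    for alert in alerts:
        groups[uf.find("host:" + alert[3])].append(alert)
    return list(groups.values())


def summarize(group):
    """Collapse duplicate firings and score one incident."""
    unique = {(tool, rule, host) for _, tool, rule, host, _, _ in group}
    tools = {tool for _, tool, _, _, _, _ in group}
    max_sev = max(sev for *_, sev in group)
    return {
        "hosts": sorted({a[3] for a in group}),
        "users": sorted({a[4] for a in group}),
        "raw_alerts": len(group),
        "unique_alerts": len(unique),
        "tools": sorted(tools),
        # Assumed scoring rule: corroboration across tools matters more
        # than one rule firing repeatedly.
        "score": max_sev * len(tools),
    }


def rank_incidents(alerts):
    """Return incidents sorted from most to least urgent."""
    incidents = [summarize(g) for g in correlate(alerts)]
    incidents.sort(key=lambda inc: inc["score"], reverse=True)
    return incidents


if __name__ == "__main__":
    ranked = rank_incidents(SAMPLE_ALERTS)
    print(f"{len(SAMPLE_ALERTS)} raw alerts -> {len(ranked)} incidents")
    for inc in ranked:
        print(inc)
```

On the sample, eight raw alerts become three incidents, and the one where the SIEM, EDR and proxy all fired on the same host ranks first even though its individual alerts were no louder than the others. A real pipeline would also bound correlation by time so that unrelated events on a shared host weeks apart are not merged.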

Corporate culture that undermines effective security strategy

Some organizations may not fully prioritize cybersecurity as part of their corporate culture, making it exceedingly challenging to uncover root causes.

“Despite recognizing the importance of security, many companies focus primarily on regulatory compliance, investing in cybersecurity tools to meet minimum standards without fostering a proactive security mindset,” says London Metropolitan University’s Jarlett.

Stephen McDermid, CSO for EMEA at Okta, argues that security leaders need to take the lead in forging an open and responsive corporate security culture.

“It’s the CSO’s responsibility to encourage people to make threats visible and escalate potential risks,” McDermid says. “If employees are fearful to raise issues and attempt to solve them alone, this may delay critical responses.”

Action plan

Companies can improve their resilience by investing in stronger cybersecurity measures, staff training, incident response planning, and detection and forensic capabilities.

“Focus on data breach prevention with tools such as vulnerability scanners and penetration testing that identify vulnerabilities and potential breaches before they hit,” OnSecurity’s O’Neill says.


Source: https://www.csoonline.com/article/3600490/7-reasons-security-breach-sources-remain-unknown.html