Less Than A Third Of UK Organisations Are Confident In Their Ability To Detect Threats

By ISBuzz Team | November 24, 2014 | Updated: July 4, 2024 | 5 Mins Read

Intel Security research reveals real-time response and integrated intelligence as critical to an organisation’s proactive threat prevention

McAfee, now part of Intel Security, has issued a new report, When Minutes Count, that assesses organisations’ abilities to detect and deflect targeted attacks. It also reveals the top eight most critical indicators of attack and examines best practices for proactive incident response.

A survey commissioned by Intel Security and conducted by Evalueserve, in conjunction with the report, suggests that a majority of companies lack confidence in their ability to detect targeted attacks in a timely manner. Even companies best prepared to handle targeted attacks are taking the time to investigate high volumes of events. Evidently there is a sense of urgency and organisational focus on creative approaches to earlier detection and more effective mitigation.

Key UK findings:

– Over two thirds (69%) of UK respondents indicated that targeted attacks are a primary concern for their organisations

– 69% of UK organisations investigated 10 or more attacks last year in comparison to the global figure of 58%

– Less than a third (27%) of UK respondents said they are confident in their ability to detect an attack within minutes, with the global figure being just under a quarter (24%); just under half said it would take days, weeks, or even months before they noticed suspicious behaviour

– 71% of those able to detect attacks in minutes had a proactive, real-time Security Information and Event Management (SIEM) system

– Half of the companies surveyed indicated that they have adequate tools and technologies to deliver faster incident response, but critical indicators are often not isolated from the alerts generated

“You only have an advantage over your attackers when you address the time-to-discovery challenge,” said Raj Samani, VP, CTO for Intel Security, EMEA. “IT departments are inundated by alerts every day and the job to sift through threat data becomes a huge task. With real time intelligence and analytics, the overwhelming process of filtering this sea of alerts and indicators can be simplified and organisations can gain a deeper understanding supporting the context of relevant events. As a result, organisations can detect and deflect attacks much more quickly.”

Detecting attacks in the first few minutes is critical. When Minutes Count uncovers the top eight most common attack activities successful organisations track to detect and deflect targeted attacks. Having a contextual understanding of the indicators proved to be most important for organisations under threat:

1) Foreign bodies: Internal hosts communicating with known bad destinations or to a foreign country where organisations don’t conduct business.

2) Inside out: Internal hosts communicating to external hosts using non-standard ports or protocol/port mismatches.

3) Leapfrog: Publicly accessible or demilitarised zone (DMZ) hosts communicating to internal hosts. This allows leapfrogging from the outside to the inside and back, permitting data exfiltration and remote access to assets. It neutralises the value of the DMZ.

4) Out of hours: Off-hour malware detection. Alerts that occur outside standard business operating hours could signal a compromised host.

5) Finding the intruder: Network scans by internal hosts communicating with multiple hosts in a short time frame, which could reveal an attacker moving laterally within the network. Perimeter network defences, such as firewalls, are rarely configured to monitor traffic on the internal network (but could be).

6) Recognising patterns: Multiple alarm events from a single host or duplicate events across multiple machines in the same subnet over a 24-hour period, such as repeated authentication failures.

7) Cleaning up: After being cleaned, a system is re-infected with malware within five minutes — repeated reinfections signal the presence of a rootkit or persistent compromise.

8) User error: A user account trying to log in to multiple resources within a few minutes from/to different regions—a sign that the user’s credentials have been stolen or that a user is up to mischief.

“We noticed a workstation making odd authentication requests to the domain controller at two o’clock in the morning. That could be normal activity, but it could also be a sign of something malicious,” said Lance Wright, senior manager of information security and compliance at Volusion, a commerce solutions provider contributing to the report. “After that incident we set up a rule to alert us if any workstation has more than five authentication requests during non-business hours to help us identify the attack early, before any data is compromised.”
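The off-hours authentication rule Wright describes, sketched as an added example (not code from the report, Intel Security or Volusion). The log layout, host and user names, the 08:00-18:00 weekday business hours and the 12-hour sliding window are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Assumptions (not from the report): business hours, window size, log layout.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
THRESHOLD = 5                      # alert on MORE than five requests
WINDOW = timedelta(hours=12)       # one night, even when it spans midnight

def is_off_hours(ts: datetime) -> bool:
    """True at weekends (weekday 5, 6) or outside business hours on weekdays."""
    return ts.weekday() >= 5 or not (BUSINESS_START <= ts.time() < BUSINESS_END)

def parse(line: str):
    """Parse 'ISO-timestamp host AUTH user result'; None if not an auth event."""
    parts = line.split()
    if len(parts) != 5 or parts[2] != "AUTH":
        return None
    try:
        return datetime.fromisoformat(parts[0]), parts[1]
    except ValueError:
        return None                # malformed timestamp: skip, do not crash

def off_hours_auth_alerts(lines):
    """Return {host: time at which the host first exceeded THRESHOLD in WINDOW}."""
    recent = defaultdict(deque)    # host -> off-hours timestamps inside WINDOW
    alerts = {}
    for ts, host in sorted(e for e in map(parse, lines) if e):
        if not is_off_hours(ts):
            continue
        q = recent[host]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop events older than the window
            q.popleft()
        if len(q) > THRESHOLD and host not in alerts:
            alerts[host] = ts
    return alerts

# Constructed sample log: hosts, users and times are invented for illustration.
SAMPLE = (
    [f"2014-11-20T10:{m:02d}:00 ws-04 AUTH alice OK" for m in range(7)]    # business hours
    + [f"2014-11-22T03:{m:02d}:00 ws-09 AUTH bob FAIL" for m in range(5)]  # exactly five
    + [f"{t} ws-17 AUTH carol FAIL" for t in (                             # spans midnight
        "2014-11-20T23:50:00", "2014-11-20T23:55:00", "2014-11-21T00:05:00",
        "2014-11-21T01:58:00", "2014-11-21T02:00:00", "2014-11-21T02:01:00")]
    + ["garbage line", "not-a-date ws-17 AUTH carol FAIL"]                 # malformed
)

if __name__ == "__main__":
    print(off_hours_auth_alerts(SAMPLE))
```

Counting within a sliding window rather than per calendar day keeps a burst that straddles midnight in one bucket; a per-date counter would split the ws-17 activity into two and three events and miss it.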

“Real-time, intelligence-aware, SIEM technologies minimise time to detection to proactively prevent breaches based on contextualisation of indicators during analysis and automated policy-driven responses,” said Samani. “With the power to accelerate their ability to detect, respond to, and learn from events, organisations can dramatically shift their security posture from that of the hunted, to the hunter.”

To view the full Intel Security When Minutes Count report, please visit: www.mcafee.com/SIEM

About Intel Security

McAfee is now part of Intel Security. With its Security Connected strategy, innovative approach to hardware-enhanced security, and unique Global Threat Intelligence, Intel Security is intensely focused on developing proactive, proven security solutions and services that protect systems, networks, and mobile devices for business and personal use around the world. Intel Security is combining the experience and expertise of McAfee with the innovation and proven performance of Intel to make security an essential ingredient in every architecture and on every computing platform. Intel Security’s mission is to give everyone the confidence to live and work safely and securely in the digital world. www.intelsecurity.com.
