The Cost of Malware Containment

By ISBuzz Team, September 8, 2015 (updated July 5, 2024)

The volume and severity of threats are increasing every year, which means that it is more important than ever to detect active infections swiftly.

However, achieving this against the ever-growing mountain of security alerts that teams now face is a significant challenge. Balancing the limitations of both staffing and budgets against the sheer volume of alerts received means that there are often tough choices to make when evaluating which security alerts should be investigated.

In fact, findings from a recent report by the Ponemon Institute, covering organisations across EMEA, suggest that IT teams are struggling to find the resources or expertise to block or detect serious malware. It revealed that only a small fraction, just 3.5% of all alerts received, are investigated.

As the severity and frequency of attacks escalate, deciding which alerts to investigate carries high consequences. If you kick a device off the network, there is a trade-off in terms of business downtime. However, failing to detect an active infection that results in a data breach can have far more serious repercussions. With the latest reports revealing that 90% of large companies have suffered a data breach over the last year, at an estimated cost of between £1.46 million and £3.14 million*, missing just one active infection could have far-reaching and long-standing repercussions.

For this reason, responding to ‘true positive’ active infections in order to mitigate security risks should be a priority for all organisations.

The Challenges of False Positives

The magnitude of this challenge, however, should not be underestimated. The Ponemon report found that two-thirds of the time security staff spend responding to malware alerts is wasted due to faulty intelligence. In fact, IT security teams spend, on average, around 272 man hours each week responding to ‘false positive’ cyber alerts, that is, erroneous or inaccurate malware alerts. This equates to an average cost of £515,964 annually, per organisation, in lost time. The implications are significant: security teams are not only focused on activity that poses no threat to their data security, but are also distracted from dealing with threats that can lead to compromise.

Findings from the report also suggest that many organisations take an unstructured approach to malware containment. Nearly a quarter of respondents (23%) report an “ad hoc” approach to containment, and 38% say that no one person is accountable for containing malware. Moreover, only around a third (37%) of respondents reported that their organisation has automated tools to capture intelligence and evaluate the true threat posed by malware.

So what measures should organisations be taking to make the best use of their finite resources and to prevent active infections from slipping through the net?

Structure is Key for Containment

Adopting a more systemised, policy-driven and automated response mechanism for threat detection is key if teams are to get the edge over attackers. It is important to take measures that make the best use of resources, so that teams can home in on the real threats.

  • Automated malware detection

Skilled manpower is in finite supply, and organisations simply cannot rely on intensely manual activities for threat detection or intelligence gathering. Technology that automatically detects an infection hidden in the network eliminates the risk of human error, removes labour-intensive activities and can also significantly reduce response time.

  • Proof and Corroboration

On its own, an alert is simply an uncorroborated artefact from system log data. However, just as in a court of law claims must be proven ‘beyond all reasonable doubt’, organisations need corroborating evidence to prove that a ‘true positive’ infection exists.

  • A Framework for Breach Readiness

Shifting towards an approach built on breach readiness is imperative. Rather than taking an ad hoc or unstructured approach to containment, organisations need to develop a framework for dealing with threats and to be armed with advanced detection. A structured approach that incorporates automated tools can help to make the best use of limited manpower.
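The three measures above come together in triage logic that treats a single alert as an uncorroborated artefact and only escalates a host when independent evidence sources agree. The following is an added illustration, not code from the article or from Damballa; the alert sources, hostnames and indicators are constructed sample data, and the risk formula is an assumption chosen for the example.

```python
"""Corroboration-based triage of malware alerts (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    host: str
    source: str      # independent evidence source that raised the alert (assumed names)
    indicator: str   # what that source observed
    severity: int    # 1 (low) .. 5 (high), as assigned by the source


# Constructed sample alerts: hostnames and indicators are made up for the example.
SAMPLE_ALERTS = [
    Alert("ws-017", "dns_monitor", "periodic lookups of example-c2.invalid", 3),
    Alert("ws-017", "proxy", "POST to URL in a known-bad category", 4),
    Alert("ws-017", "edr", "unsigned binary persisted via Run key", 5),
    Alert("ws-042", "av", "heuristic detection on temp file", 2),
    Alert("ws-042", "av", "heuristic detection on temp file", 2),   # repeat from the same sensor
    Alert("srv-003", "ids", "signature hit, later withdrawn by vendor", 1),
]

MIN_SOURCES = 2   # a host counts as corroborated only when this many independent sources agree


def triage(alerts, min_sources=MIN_SOURCES):
    """Group alerts per host, count DISTINCT evidence sources and rank hosts for response.

    Repeated alerts from one sensor add no corroboration; only agreement between
    independent sources does. Uncorroborated hosts are queued behind corroborated ones.
    """
    by_host = defaultdict(list)
    for alert in alerts:
        by_host[alert.host].append(alert)

    ranked = []
    for host, items in by_host.items():
        sources = {a.source for a in items}
        corroborated = len(sources) >= min_sources
        # Assumed risk formula: strongest single finding, scaled by breadth of evidence.
        risk = max(a.severity for a in items) * len(sources)
        ranked.append({"host": host, "sources": sorted(sources),
                       "corroborated": corroborated, "risk": risk})

    return sorted(ranked, key=lambda r: (not r["corroborated"], -r["risk"]))


if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print(row)
```

Only ws-017 reaches the response queue as a corroborated infection; the repeated AV heuristic on ws-042 and the withdrawn IDS signature on srv-003 stay in the review backlog rather than consuming analyst time.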

These steps can help to ensure that security teams have the confidence of knowing exactly where the real threats are and can allocate their time and effort to where it is needed most: finding and quickly remediating active infections before it is too late.

About Damballa

As a leader in automated breach defence, Damballa delivers advanced threat protection and containment for active threats that bypass all security prevention layers. Born for breach defence, Damballa rapidly discovers infections with certainty, pinpointing the compromised devices that represent the highest risk to a business, and enabling prioritised response and refocusing of security experts on the areas of greatest risk to an enterprise. Our patented solutions leverage Big Data from one-third of the world’s Internet traffic, combined with machine learning, to automatically discover and terminate criminal activity, stop data theft, minimise business disruption, and reduce the time to response and remediation. Damballa protects any device or OS including PCs, Macs, Unix, iOS, Android, and embedded systems. Damballa protects more than 400 million endpoints globally at enterprises in every major market and for the world’s largest ISP and telecommunications providers.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
