Companies worry about their ability to thwart an attack, but often cannot translate those fears into action.
Just take a look at the damaging data breaches having an impact on the public and private sector this past year, from the hack of the U.S. Postal Service and the State Department’s email system, to the massive breach of Home Depot’s payment data systems.
As a result of the worries of organizations and the increase in data breaches, security firm McAfee, now part of Intel Security, released a report, “When Minutes Count,” detailing the results of a survey conducted to assess the best ways to mitigate data breaches.
Intel Security commissioned Evalueserve to survey 473 IT decision makers from companies larger than 50 employees in the U.S., UK, Germany, France and Australia.
“Despite the furor, or perhaps because of it, it’s not always easy to tell where to invest for results and peace of mind,” the report stated. “Most organizations just aren’t using the available intelligence and tools to their fullest or constructing indicators of attack into a cogent picture in a timely fashion.”
The survey found time is the key factor in effectively mitigating an attack. Not even a quarter of companies surveyed that ended up breached in the last year are confident in their ability to detect an attack within minutes. On the other hand, those companies that could detect a targeted attack within minutes experienced 10 or fewer targeted attacks last year.
While, overall, 53 percent of the organizations surveyed indicated discovery time of hours or minutes, nearly three-quarters of respondents remain highly concerned about their ability to handle targeted attacks and advanced persistent threats.
“An effective defense against advanced threats hinges not only on being able to detect pernicious intruders, but doing so in time to prevent significant damage to business operations and assets,” the report said.
“This negative impact is the key variable in the risk equation: Risk = Threat x Vulnerability x Impact. By the time forensic analysts comb through mountains of security data looking for indicators of compromise (IoCs), their organizations may have already incurred losses,” the report said.
The results of the survey indicated that companies with early attack detection skills, or that use a security information and event management (SIEM) platform, are faring best against targeted attacks. Seventy-eight percent of those who can detect attacks within minutes use a real-time SIEM solution. However, although 93 percent of respondents at companies with more than 50 employees had a SIEM, only half considered themselves to have an “adequate real-time proactive SIEM.”
The report said organizations originally adopted SIEM to pass audits and log archival compliance. However, modern SIEM solutions feature the ability to “integrate threat intelligence, correlation, analytics, active response, and adaptive technologies that are specifically geared to help incident response.”
Given the importance of identifying critical indicators, the report said experts identified the eight most common attack activities that successful organizations need to be aware of to optimize their security environment:
1. Internal traffic communicating with known bad destinations or countries where business isn’t conducted
2. Internal traffic communicating to external hosts over non-standard ports or protocol mismatches
3. Publicly accessible or demilitarized zone (DMZ) hosts communicating with internal hosts
4. Using off-hour malware detection
5. Rapid network scans by internal hosts to multiple hosts
6. Multiple alarms from a single host or duplicate events across multiple machines
7. Systems reinfected with malware after being cleaned
8. User accounts attempting to log in to multiple resources within a few minutes from and to different regions
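Three of the indicators above (1, 2 and 8) can be expressed as simple checks over connection and authentication logs. The following is an added illustration, not code from the report or from Intel Security; the log events, blocklist, country list and field names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from the report); field names are assumptions.
CONNECTIONS = [
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "proto": "tls", "country": "US"},
    {"src": "10.0.0.7", "dst": "198.51.100.2", "dport": 8443, "proto": "http", "country": "RU"},
    {"src": "10.0.0.8", "dst": "192.0.2.44", "dport": 53, "proto": "tls", "country": "US"},
]
KNOWN_BAD = {"198.51.100.2"}                 # constructed blocklist entry
BUSINESS_COUNTRIES = {"US", "GB", "DE"}      # where the business actually operates (assumed)
EXPECTED_PROTO = {443: "tls", 80: "http", 53: "dns", 22: "ssh"}  # service expected per port

AUTH_EVENTS = [
    {"user": "alice", "ts": "2014-11-03T09:00:00", "region": "us-east", "host": "fileserver"},
    {"user": "alice", "ts": "2014-11-03T09:04:00", "region": "eu-west", "host": "mailserver"},
    {"user": "bob",   "ts": "2014-11-03T09:00:00", "region": "us-east", "host": "fileserver"},
    {"user": "bob",   "ts": "2014-11-03T11:00:00", "region": "us-east", "host": "mailserver"},
]

def bad_destinations(conns):
    """Indicator 1: internal hosts talking to blocklisted IPs or non-business countries."""
    return [c for c in conns
            if c["dst"] in KNOWN_BAD or c["country"] not in BUSINESS_COUNTRIES]

def protocol_mismatches(conns):
    """Indicator 2: protocol does not match the service expected on that port,
    or the port has no known service at all (non-standard port)."""
    return [c for c in conns if EXPECTED_PROTO.get(c["dport"]) != c["proto"]]

def impossible_travel(events, window_minutes=10):
    """Indicator 8: one account logging in to different hosts from different regions
    within a short window. Returns (user, first_host, second_host) for each hit."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda t: t[0])
        for (t1, a), (t2, b) in zip(evs, evs[1:]):
            if (a["region"] != b["region"] and a["host"] != b["host"]
                    and t2 - t1 <= timedelta(minutes=window_minutes)):
                hits.append((user, a["host"], b["host"]))
    return hits

if __name__ == "__main__":
    print("bad destinations:", bad_destinations(CONNECTIONS))
    print("protocol mismatches:", protocol_mismatches(CONNECTIONS))
    print("impossible travel:", impossible_travel(AUTH_EVENTS))
```

Each check needs data that a firewall, proxy or directory service already records; the point of the report is that correlating them in one place is what turns the records into a timely indicator.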
“The capabilities exist today to detect these and other suspicious behaviors. Unfortunately, many of our security controls are ‘selfish’; they keep the information they need to do the job, and discard the rest,” said Michael Fey, executive vice president, general manager of corporate products, and chief technology officer for Intel Security.
Intel Security emphasizes new technologies are not essential to detecting and disrupting these common attack activities. Businesses need to leverage the technologies they already have by activating the full potential of existing countermeasures, such as changing systems from their default settings.
To improve protection and ensure faster incident response times, the key is to leverage existing technologies. By using available tools and intelligence to their fullest potential, organizations can improve their ability to detect, respond to and learn from events as they unfold.
“You only gain the upper-hand versus attackers when you address the time-to-discovery challenge,” said Ryan Allphin, senior vice president and general manager, security management at Intel Security. “Simplify the frantic work of filtering an ocean of alerts and indicators with real-time intelligence and analysis, and you can quickly gain a deeper understanding of relevant events and take action to contain and deflect attacks faster.”