Attacks/Breaches
9/8/2010
05:13 PM

Forensics Out Of Reach For Most Small To Midsize Organizations

As breach, malware infection cycle continues for SMBs, affordable managed forensics services needed, experts say

Most forensics and incident response offerings are too expensive and too technical for small to midsize businesses (SMBs), leaving them prone to serial infections and breaches.

With the average cost of a breach ranging from a few thousand dollars for a mom-and-pop shop to tens of thousands of dollars at a larger organization, according to Mandiant estimates, investigating a security incident with forensics tools, manpower, or outside consultants is far out of reach for the typical SMB or other cash-strapped organization.

Open-source forensics tools require some incident response know-how, as do the free forensic tools from vendors such as Mandiant and HBGary. HBGary recently released a fingerprinting tool that gleans intelligence about the actual attacker behind the malware, as well as FGET, which collects sets of forensics data from one or more remote Windows machines. Without in-house expertise, these free tools don't do much to help SMBs, and in some cases they are overkill anyway.

Instead, most SMBs rely on their antivirus software or other security tools.

"They are not using incident response -- that would be very rare," says Andrew Hay, senior analyst with the 451 Group's enterprise security practice. "Incident response is low on the priority list: A lot of SMBs are hoping and praying their defense is enough to stave off disaster. If an incident were to happen, most would be completely unprepared."

Reimaging infected machines is the usual incident response step these organizations take once they discover malware on their systems. That's not only pricey, but it can severely disrupt operations. A 600-bed West Coast-based hospital was recently knocked offline for more than a week in order to clean up a malware infection, says Greg Hoglund, founder and CEO of HBGary, a forensics vendor. Like many SMBs, the hospital relied mostly on its antivirus software to remedy the breach. The shutdown, which was the only option to prevent the infection from spreading further, left the hospital with a $27 million backlog in billing during the outage, he says.

"AV kept giving them a new DAT file. But that didn't solve the problem," he says. "They didn't have any other options, and the AV company failed five times in a row."

Reimaging infected machines only solves the problem in the short-term. Most SMBs just don't have a long-term, proactive incident response strategy, so they get reinfected and the cycle just continues, forensics experts say. "It's akin to duct tape security," 451's Hay says. If another malware attack occurs, they just apply more "duct tape," he says.

And without someone able to analyze the infection or attack itself, there's no way to apply that knowledge to prevent subsequent attacks. HBGary's Hoglund says forensics technology could be overkill, anyway, for a small hospital, for instance, if it doesn't have the expertise for it. "You have to have someone who can use the information you're gathering, to make a better intrusion detection system," for instance, he says. "But if you're just reimaging machines when you get AV, you don't need forensics ... But you're just going to get reinfected."

Experts in incident response are few and far between, too. "It's hard to find talent in this field," Hoglund says. "Gaining expertise is so hard. Most only do [hard] drive forensics, and don't have basic knowledge of time line analysis."

A better option for SMBs would be an affordable services model, such as a pay-per-use software-as-a-service approach, experts say. HBGary's Hoglund says his company has looked at this model, but hasn't started creating any services, per se.

Trustwave's SpiderLabs, for example, offers with its managed security services an incident response option as a value-added service, 451 Group's Hay notes. The managed service provider model makes sense for financial services, healthcare, and energy firms in the midsize range, he says.

A few vendors are working on midmarket forensics offerings as well. AccessData, for example, offers its free Helix 3 and Live Response tools, which are used by law enforcement and government agencies and include technical support from AccessData, he says.

Dave Merkel, vice president of products and threat management services at Mandiant, concurs that more managed service incident response offerings would help, such as ones with a low cost per incident. "I see how SMBs have a pretty serious issue of cost," says Merkel, whose company offers some free forensics tools. "We'll occasionally get support calls that they have downloaded the free tool, but they don't know how to interpret the data. We find they will try to outsource it if they have a problem."

Hiring in-house expertise is cost-prohibitive for these firms, as well, with a salary of $90,000 to $150,000 for one person. "If they're a small business, how much IR are they really going to be doing? A few times a year, maybe … buying that when you need it with outsourcing" makes more sense, Merkel says.


Kelly Jackson Higgins is Senior Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, ...
