According to Mandiant estimates, investigating a breach costs anywhere from a few thousand dollars for a mom-and-pop shop to tens of thousands of dollars at a larger organization, which puts a proper investigation, whether with forensics tools, in-house manpower, or outside consultants, far out of reach of the typical SMB or other cash-strapped organization.
Open-source forensics tools require some incident response know-how, as do the free forensic tools from vendors such as Mandiant and HBGary. HBGary recently released a fingerprinting tool that gleans intelligence about the actual attacker behind the malware, and FGET, which collects sets of forensics data from one or more remote Windows machines. Without the in-house expertise to interpret what they collect, these free tools don't do much to help SMBs, and in some cases they are overkill, anyway.
Instead, most SMBs rely on their antivirus software or other security tools.
"They are not using incident response -- that would be very rare," says Andrew Hay, senior analyst with the 451 Group's enterprise security practice. "Incident response is low on the priority list: A lot of SMBs are hoping and praying their defense is enough to stave off disaster. If an incident were to happen, most would be completely unprepared."
Reimaging infected machines is the usual incident response step these organizations take once they discover malware on their systems. That's not only pricey, but it can severely disrupt operations. A 600-bed West Coast-based hospital was recently knocked offline for more than a week in order to clean up a malware infection, says Greg Hoglund, founder and CEO of HBGary, a forensics vendor. Like many SMBs, the hospital relied mostly on its antivirus software to remedy the breach. The shutdown was the only option left to keep the infection from spreading further, he says, and it left the hospital with a $27 million backlog in billing during the outage.
"AV kept giving them a new DAT file. But that didn't solve the problem," he says. "They didn't have any other options, and the AV company failed five times in a row."
Reimaging infected machines only solves the problem in the short-term. Most SMBs just don't have a long-term, proactive incident response strategy, so they get reinfected and the cycle just continues, forensics experts say. "It's akin to duct tape security," 451's Hay says. If another malware attack occurs, they just apply more "duct tape," he says.
And without someone able to analyze the infection or attack itself, there's no way to apply that knowledge to prevent subsequent attacks. HBGary's Hoglund says forensics technology could be overkill, anyway, for a small hospital, for instance, if it doesn't have the expertise for it. "You have to have someone who can use the information you're gathering, to make a better intrusion detection system," for instance, he says. "But if you're just reimaging machines when you get AV, you don't need forensics ... But you're just going to get reinfected."
Experts in incident response are few and far between, too. "It's hard to find talent in this field," Hoglund says. "Gaining expertise is so hard. Most only do [hard] drive forensics, and don't have basic knowledge of timeline analysis."
A better option for SMBs would be an affordable services model, such as a pay-per-use software-as-a-service approach, experts say. HBGary's Hoglund says his company has looked at this model, but hasn't started creating any services, per se.
Trustwave's SpiderLabs, for example, offers with its managed security services an incident response option as a value-added service, 451 Group's Hay notes. The managed service provider model makes sense for financial services, healthcare, and energy firms in the midsize range, he says.
A few vendors, such as AccessData, are working on midmarket forensics offerings as well, he says; AccessData's free Helix 3 and Live Response tools, used by law enforcement and government agencies, come with technical support from the company.
Dave Merkel, vice president of products and threat management services at Mandiant, concurs that more managed service incident response offerings would help, such as ones with a low-cost per incident. "I see how SMBs have a pretty serious issue of cost," says Merkel, whose company offers some free forensics tools. "We'll occasionally get support calls that they have downloaded the free tool, but they don't know how to interpret the data. We find they will try to outsource it if they have a problem."
Hiring in-house expertise is cost-prohibitive for these firms, as well, with a salary of $90,000 to $150,000 for one person. "If they're a small business, how much IR are they really going to be doing? A few times a year, maybe … buying that when you need it with outsourcing" makes more sense, Merkel says.