Forensics Out Of Reach For Most Small To Midsize Organizations

As breach, malware infection cycle continues for SMBs, affordable managed forensics services needed, experts say

Most forensics and incident response offerings are too expensive and too technical for small to midsize businesses (SMBs), leaving them prone to serial infections and breaches.

With an average cost ranging from a few thousand dollars for a mom-and-pop shop to tens of thousands of dollars for a breach at a larger organization, according to Mandiant estimates, investigating a security incident with forensics tools, manpower, or outside consultants is far out of reach for the typical SMB or other cash-strapped organization.

Open-source forensics tools require some incident response know-how, as do the free forensic tools from vendors such as Mandiant and HBGary. HBGary recently released a fingerprinting tool that gleans intelligence about the actual attacker behind a piece of malware, and FGET, which collects sets of forensics data from one or more remote Windows machines. Without in-house expertise, these free tools don't do much to help SMBs, and in some cases they are overkill anyway.

Instead, most SMBs rely on their antivirus software or other security tools.

"They are not using incident response -- that would be very rare," says Andrew Hay, senior analyst with the 451 Group's enterprise security practice. "Incident response is low on the priority list: A lot of SMBs are hoping and praying their defense is enough to stave off disaster. If an incident were to happen, most would be completely unprepared."

Reimaging infected machines is the usual incident response step these organizations take once they discover malware on their systems. That's not only pricey, but it can severely disrupt operations. A 600-bed West Coast-based hospital was recently knocked offline for more than a week in order to clean up a malware infection, says Greg Hoglund, founder and CEO of HBGary, a forensics vendor. Like many SMBs, the hospital relied mostly on its antivirus software to remedy the breach. The shutdown, which was the only option to prevent the infection from spreading further, left the hospital with a $27 million billing backlog during the outage, he says.

"AV kept giving them a new DAT file. But that didn't solve the problem," he says. "They didn't have any other options, and the AV company failed five times in a row."

Reimaging infected machines only solves the problem in the short term. Most SMBs just don't have a long-term, proactive incident response strategy, so they get reinfected and the cycle continues, forensics experts say. "It's akin to duct tape security," 451's Hay says. If another malware attack occurs, they just apply more "duct tape," he says.

And without someone able to analyze the infection or attack itself, there's no way to apply that knowledge to prevent subsequent attacks. HBGary's Hoglund says forensics technology could be overkill, anyway, for a small hospital, for instance, if it doesn't have the expertise for it. "You have to have someone who can use the information you're gathering, to make a better intrusion detection system," for instance, he says. "But if you're just reimaging machines when you get AV, you don't need forensics ... But you're just going to get reinfected."

Experts in incident response are few and far between, too. "It's hard to find talent in this field," Hoglund says. "Gaining expertise is so hard. Most only do [hard] drive forensics, and don't have basic knowledge of timeline analysis."

A better option for SMBs would be an affordable services model, such as a pay-per-use software-as-a-service approach, experts say. HBGary's Hoglund says his company has looked at this model, but hasn't started creating any services, per se.

Trustwave's SpiderLabs, for example, offers with its managed security services an incident response option as a value-added service, 451 Group's Hay notes. The managed service provider model makes sense for financial services, healthcare, and energy firms in the midsize range, he says.

A few vendors, such as AccessData, are also working on a midmarket forensics offering. AccessData's free Helix 3 and Live Response tools, used by law enforcement and government agencies, come with technical support from the company, he says.

Dave Merkel, vice president of products and threat management services at Mandiant, concurs that more managed service incident response offerings would help, such as ones with a low cost per incident. "I see how SMBs have a pretty serious issue of cost," says Merkel, whose company offers some free forensics tools. "We'll occasionally get support calls that they have downloaded the free tool, but they don't know how to interpret the data. We find they will try to outsource it if they have a problem."

Hiring in-house expertise is cost-prohibitive for these firms, as well, with a salary of $90,000 to $150,000 for one person. "If they're a small business, how much IR are they really going to be doing? A few times a year, maybe … buying that when you need it with outsourcing" makes more sense, Merkel says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
