Forensics Out Of Reach For Most Small To Midsize Organizations

As breach, malware infection cycle continues for SMBs, affordable managed forensics services needed, experts say

Most forensics and incident response offerings are too expensive and too technical for small to midsize businesses (SMBs), leaving them prone to serial infections and breaches.

With the average cost of anywhere from a few thousand dollars for a mom and pop shop to tens of thousands of dollars for a breach at a larger organization, according to Mandiant estimates, investigating a security incident with forensics tools, manpower, or outside consultants is far out of reach of the typical SMB or other cash-strapped organization.

Open-source forensics tools require some incident response know-how, as do the free forensic tools from vendors such as Mandiant and HBGary. HBGary recently released a fingerprinting tool that gleans intelligence about the actual attacker behind the malware, and FGET, which collects sets of forensics data from one or more remote Windows machines. Without in-house expertise, these free tools don't do much to help SMBs, and in some cases they are overkill, anyway.

Instead, most SMBs rely on their antivirus software or other security tools.

"They are not using incident response -- that would be very rare," says Andrew Hay, senior analyst with the 451 Group's enterprise security practice. "Incident response is low on the priority list: A lot of SMBs are hoping and praying their defense is enough to stave off disaster. If an incident were to happen, most would be completely unprepared."

Reimaging infected machines is the usual incident response step these organizations take once they discover malware on their systems. That's not only pricey, but it can severely disrupt operations. A 600-bed West Coast-based hospital was recently knocked offline for more than a week in order to clean up a malware infection, says Greg Hoglund, founder and CEO of HBGary, a forensics vendor. Like many SMBs, the hospital relied mostly on its antivirus software to remedy the breach. The shutdown, which was the only option to prevent the infection from spreading further, left the hospital with a $27 million backlog in billing during the outage, he says.

"AV kept giving them a new DAT file. But that didn't solve the problem," he says. "They didn't have any other options, and the AV company failed five times in a row."

Reimaging infected machines only solves the problem in the short-term. Most SMBs just don't have a long-term, proactive incident response strategy, so they get reinfected and the cycle just continues, forensics experts say. "It's akin to duct tape security," 451's Hay says. If another malware attack occurs, they just apply more "duct tape," he says.

And without someone able to analyze the infection or attack itself, there's no way to apply that knowledge to prevent subsequent attacks. HBGary's Hoglund says forensics technology could be overkill, anyway, for a small hospital, for instance, if it doesn't have the expertise for it. "You have to have someone who can use the information you're gathering, to make a better intrusion detection system," for instance, he says. "But if you're just reimaging machines when you get AV, you don't need forensics ... But you're just going to get reinfected."

Experts in incident response are few and far between, too. "It's hard to find talent in this field," Hoglund says. "Gaining expertise is so hard. Most only do [hard] drive forensics, and don't have basic knowledge of time line analysis."

A better option for SMBs would be an affordable services model, such as a pay-per-use software-as-a-service approach, experts say. HBGary's Hoglund says his company has looked at this model, but hasn't started creating any services, per se.

Trustwave's SpiderLabs, for example, offers with its managed security services an incident response option as a value-added service, 451 Group's Hay notes. The managed service provider model makes sense for financial services, healthcare, and energy firms in the midsize range, he says.

A few vendors, such as AccessData, are also working on a midmarket forensics offering, he says. AccessData's is built around its free Helix 3 and Live Response tools, which are used by law enforcement and government agencies and come with technical support from AccessData.

Dave Merkel, vice president of products and threat management services at Mandiant, concurs that more managed service incident response offerings would help, such as ones with a low cost per incident. "I see how SMBs have a pretty serious issue of cost," says Merkel, whose company offers some free forensics tools. "We'll occasionally get support calls that they have downloaded the free tool, but they don't know how to interpret the data. We find they will try to outsource it if they have a problem."

Hiring in-house expertise is cost-prohibitive for these firms, as well, with a salary of $90,000 to $150,000 for one person. "If they're a small business, how much IR are they really going to be doing? A few times a year, maybe … buying that when you need it with outsourcing" makes more sense, Merkel says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...