Dark Reading is part of the Informa Tech Division of Informa PLC
Forensics Out Of Reach For Most Small To Midsize Organizations

As breach, malware infection cycle continues for SMBs, affordable managed forensics services needed, experts say

Most forensics and incident response offerings are too expensive and too technical for small to midsize businesses (SMBs), leaving them prone to serial infections and breaches.

According to Mandiant estimates, investigating a security incident costs anywhere from a few thousand dollars for a mom-and-pop shop to tens of thousands of dollars for a breach at a larger organization. Whether the work is done with forensics tools, in-house manpower, or outside consultants, that price is far out of reach of the typical SMB or other cash-strapped organization.

Open-source forensics tools require some incident response know-how, as do the free forensic tools from vendors such as Mandiant and HBGary. HBGary recently released a fingerprinting tool that gleans intelligence about the actual attacker behind a piece of malware, and FGET, which collects sets of forensics data from one or more remote Windows machines. Without in-house expertise, these free tools don't do much to help SMBs, and in some cases they are overkill anyway.

Instead, most SMBs rely on their antivirus software or other security tools.

"They are not using incident response -- that would be very rare," says Andrew Hay, senior analyst with the 451 Group's enterprise security practice. "Incident response is low on the priority list: A lot of SMBs are hoping and praying their defense is enough to stave off disaster. If an incident were to happen, most would be completely unprepared."

Reimaging infected machines is the usual incident response step these organizations take once they discover malware on their systems. That's not only pricey, but it can severely disrupt operations. A 600-bed West Coast hospital was recently knocked offline for more than a week to clean up a malware infection, says Greg Hoglund, founder and CEO of HBGary, a forensics vendor. Like many SMBs, the hospital relied mostly on its antivirus software to remedy the breach. The shutdown, which was the only option left to keep the infection from spreading further, left the hospital with a $27 million backlog in billing during the outage, he says.

"AV kept giving them a new DAT file. But that didn't solve the problem," he says. "They didn't have any other options, and the AV company failed five times in a row."

Reimaging infected machines only solves the problem in the short-term. Most SMBs just don't have a long-term, proactive incident response strategy, so they get reinfected and the cycle just continues, forensics experts say. "It's akin to duct tape security," 451's Hay says. If another malware attack occurs, they just apply more "duct tape," he says.

And without someone able to analyze the infection or attack itself, there's no way to apply that knowledge to prevent subsequent attacks. HBGary's Hoglund says forensics technology could be overkill, anyway, for a small hospital, for instance, if it doesn't have the expertise for it. "You have to have someone who can use the information you're gathering, to make a better intrusion detection system," for instance, he says. "But if you're just reimaging machines when you get AV, you don't need forensics ... But you're just going to get reinfected."

Experts in incident response are few and far between, too. "It's hard to find talent in this field," Hoglund says. "Gaining expertise is so hard. Most only do [hard] drive forensics, and don't have basic knowledge of time line analysis."

A better option for SMBs would be an affordable services model, such as a pay-per-use software-as-a-service approach, experts say. HBGary's Hoglund says his company has looked at this model but hasn't started creating any services, per se.

Trustwave's SpiderLabs, for example, offers with its managed security services an incident response option as a value-added service, 451 Group's Hay notes. The managed service provider model makes sense for financial services, healthcare, and energy firms in the midsize range, he says.

A few vendors, such as AccessData, are working on a midmarket forensics offering as well, he says. AccessData's free Helix 3 and Live Response tools, used by law enforcement and government agencies, come with technical support from AccessData.

Dave Merkel, vice president of products and threat management services at Mandiant, concurs that more managed service incident response offerings would help, such as ones with a low-cost per incident. "I see how SMBs have a pretty serious issue of cost," says Merkel, whose company offers some free forensics tools. "We'll occasionally get support calls that they have downloaded the free tool, but they don't know how to interpret the data. We find they will try to outsource it if they have a problem."

Hiring in-house expertise is cost-prohibitive for these firms, as well, with a salary of $90,000 to $150,000 for one person. "If they're a small business, how much IR are they really going to be doing? A few times a year, maybe … buying that when you need it with outsourcing" makes more sense, Merkel says.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
A Startup With NSA Roots Wants Silently Disarming Cyberattacks on the Wire to Become the Norm
Kelly Jackson Higgins, Executive Editor at Dark Reading,  5/11/2021
Cybersecurity: What Is Truly Essential?
Joshua Goldfarb, Director of Product Management at F5,  5/12/2021
3 Cybersecurity Myths to Bust
Etay Maor, Sr. Director Security Strategy at Cato Networks,  5/11/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google Maps is taking "interactive" to a whole new level!
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-17
When subscribing using AcyMailing, the 'redirect' parameter isn't properly sanitized. Turning the request from POST to GET, an attacker can craft a link containing a potentially malicious landing page and send it to the victim.
PUBLISHED: 2021-05-17
There is functionality in the Store Locator Plus for WordPress plugin through 5.5.14 that made it possible for authenticated users to update their user meta data to become an administrator on any site using the plugin.
PUBLISHED: 2021-05-17
There are several endpoints in the Store Locator Plus for WordPress plugin through 5.5.15 that could allow unauthenticated attackers the ability to inject malicious JavaScript into pages.
PUBLISHED: 2021-05-17
The Happy Addons for Elementor WordPress plugin before 2.24.0, Happy Addons Pro for Elementor WordPress plugin before 1.17.0 have a number of widgets that are vulnerable to stored Cross-Site Scripting(XSS) by lower-privileged users such as contributors, all via a similar method: The â€&oe...
PUBLISHED: 2021-05-17
It was possible to exploit an Unauthenticated Time-Based Blind SQL Injection vulnerability in the Spam protection, AntiSpam, FireWall by CleanTalk WordPress Plugin before 5.153.4. The update_log function in lib/Cleantalk/ApbctWP/Firewall/SFW.php included a vulnerable query that could be injected via...