Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/28/2013
07:37 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Struggling With Attack Detection And Analysis

New survey shows organizations don't know when they've been attacked and can't easily determine scope of attacks

Enterprises are increasingly finding it harder to detect attacks in a timely fashion or quickly determine the scope of attacks when they are discovered. A new survey out this week shows that while the majority of organizations seem confident in their ability to quickly analyze and respond to security alerts, many have a hard time finding attacks in real-time or even being sure they've experienced an attack.

Conducted among 250 decision-makers worldwide, the Bit9 survey showed that 62 percent of organizations analyze and respond to security alerts. However, more than a fifth of organizations reported their ability to protect endpoints and servers from emerging threats that have no signature to be deficient or non-existent. Nearly the same amount of organizations reported the same deficiency in their ability to determine in real-time how many systems are infected by file discovered to be malicious.

Furthermore, 55 percent of organizations reported that they either couldn't discover zero-day attacks or only could find them by accident during routine maintenance or if a user contacts help desk due to abnormal system behavior.

[Are you missing the downsides of big data security analysis? See 3 Inconvenient Truths About Big Data In Security Analysis.]

Perhaps most telling of all, though, is that a full 13 percent of decision makers reported that they didn't know whether they'd experienced an attack in the past year.

"That was a big surprise. I would expect that number to be a single digit and a low single digit at that," says Nick Levay, CSO of Bit9. "A lot of organizations don't necessarily do a good job of keeping track of metrics related security events. I have a feeling that inadequate tracking of some of that stuff results in senior decision makers not necessarily having an accurate view of what kinds of security events are occurring in the network."

It's a trend corroborated by many experts operating within the security space, who explain that organizations are not able to keep up with advanced attacks due to poor visibility across isolated systems.

"Many companies have infected machines and don't even know it, highlighting the advanced nature of certain malware," says Vann Abernethy, senior product manager at NSFOCUS. "Some very advanced malware variants can move laterally within an organization to avoid detection, then go dormant for a long time, communicate back to its command and control using encryption, or turn off common anti-virus and anti-malware."

Abernethy explains that organizations need to be able to augment existing security defenses with better forensics, so that security teams are looking closely at system behavior through "daily forensic inspection and data analysis."

Most organizations today don't focus enough on that kind of analysis, instead overly relying on alerting and prevention tools, says Jason Mical, vice president of cyber security for AccessData.

"These products only catch what you tell them to look for," he says. "At this point, organizations need to increase their visibility into what's happening in their enterprises and focus on eliminating those cyber security blind spots."

In order to do that, more security organizations have to streamline their cybersecurity infrastructure, Mical says.

This means finding ways to better enable real-time collaboration across different infosec teams and potentially considering ways to consolidate disparate analysis tools into a platform-based technology approach.

"Right now, most organizations still have disparate teams, each using several disparate tools. They have to correlate all the critical data manually," he says. "It causes dangerous delays in validating suspected threats or responding to known threats."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Sodinokibi Ransomware: Where Attackers' Money Goes
Kelly Sheridan, Staff Editor, Dark Reading,  10/15/2019
Data Privacy Protections for the Most Vulnerable -- Children
Dimitri Sirota, Founder & CEO of BigID,  10/17/2019
7 SMB Security Tips That Will Keep Your Company Safe
Steve Zurier, Contributing Writer,  10/11/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: The old using of sock puppets for Shoulder Surfing technique. 
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8216
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8217
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8218
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure .
CVE-2019-8219
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions , 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-8220
PUBLISHED: 2019-10-17
Adobe Acrobat and Reader versions, 2019.012.20040 and earlier, 2017.011.30148 and earlier, 2017.011.30148 and earlier, 2015.006.30503 and earlier, and 2015.006.30503 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .