5/28/2015
01:30 PM
Torry Campbell
Partner Perspectives

What Are You Doing During The Golden Hour After An Attack?

Take the time to detect the attack, isolate the infected machines, and restore them to a known state.

Are you one of the lucky 12%? That is how few companies we surveyed did not experience a successful targeted cyberattack in 2014. If you are one of the few, and think your luck is going to hold in 2015, you can skip to the next article. Otherwise, please read on.

We recently concluded a research study with Vanson Bourne of security professionals at large and mid-size companies around the world (see chart below). According to the study, most of you are very busy analyzing large volumes of data as you try to find actionable issues amidst the noise. On average, you are responding to an attack every five to 10 days. Half of these attacks are generic malware or adware, annoying to users but not an especially large threat to your company. However, whether you are dealing with some generic malware or a targeted attack, it takes time to detect the attack, isolate the infected machines, and restore them to a known state.


Almost 30% of the attacks are finely tuned and targeted at a specific company, department, or even a few individuals. Why do the survey respondents think these attacks are having increased success? You told us that the attacks are often socially engineered to appeal to the target, and are leveraging multiple channels such as social networks, non-PC devices, and external cloud-based tools. As a result, they are more difficult to detect, and even security-savvy users are having a more difficult time telling which communications are malicious.

When fighting a targeted attack, security professionals surveyed reported that, on average, it took six days to move from discovery to remediation. Financial services, insurance, construction, business or consumer services, and energy and utility companies took the longest time -- eight to 10 days. Government, IT, transportation, and healthcare took the shortest time, at three to four days. Once discovered, things moved more quickly, taking on average nine hours to contain the infected systems, 19 hours to restore them to their normal state, and 30 hours to identify the attack vector and ensure that the security defenses were ready to handle a repeat occurrence.

What is taking up the most time? The top three are at the intersection of human expertise and security data: scoping out the size of an incident, containing it, and working to detect the next one. All of these can be improved through faster interpretation of relevant data and appropriate automation. If so much time is spent trying to determine the scope of an attack, doing that faster means containing it and getting back to normal sooner.

Next, we asked “What is inhibiting your ability to quickly understand what is happening in the organization?” Two of the top issues were an inadequate understanding of user behavior and network behavior. These are not requests for more data, but more comprehension. Like many of the respondents, you are probably already flooded with data, collecting firewall logs, networking events, rule sets, and even data packets. These are requests for better tools and more effective ways to interpret the data.

Fighting The Good Fight

The survey respondents also told us that they are in a fight that is sometimes biased against them. Incident detection and response is a mix of disparate tasks, manual processes, and inefficiencies that slow down response time and cleanup. Respondents asked for monitoring tools that can generate a better understanding of normal behavior, whether it is users, network traffic, servers, or applications. This is critical to being able to quickly identify anomalous activity and separate critical alerts from the cacophony of security noise. And 80% of respondents believe that lack of security technology integration is an obstacle. According to the study, security professionals would like a higher level of tool integration, both between tools and from the security operations center to endpoint.

Finally, we asked what help was wanted to boost efficiency and effectiveness of incident response efforts. The top two requests, obviously related to that number one time sink, were better detection tools and better analysis tools. The next two asked for more training and more people. Surprising to me, only 15% asked for more automation. When I look overall at these responses, I see a need for better analytics and more automation.

Analytics will help improve detection accuracy based on deeper inspection and better threat intelligence. Automation is a necessity because we all know there are not enough people to deal with the volume of attacks we face. Historically, the reasons not to automate have been fear of false positives and loss of control. However, in order to scale staff and skills to the volume of events, we need to harness intelligent analytics to identify incidents from the mountains of event data.

To gather information for the survey, we spoke with 700 IT security decision makers during February and March 2015, at mid-market companies (500-999 employees), large companies (1,000-4,999 employees), and large enterprises (5,000 or more employees). These people were located in Australia, Brazil, France, Germany, the United Kingdom, and the United States. They represented more than 10 different industries, including information technology, manufacturing, financial services, government, retail, and transportation. You can read the full report at http://www.mcafee.com/us/resources/reports/rp-esg-tackling-attack-detection-incident-response.pdf

Torry Campbell is the Chief Technology Officer for Endpoint and Management technologies for Intel Security, formerly McAfee. From a decade at McAfee, he couples his security operations background with product management, development, and customer implementation experience to ...
Comments
TorryCampbell, User Rank: Apprentice, 6/8/2015 | 5:14:20 PM
Re: #Attacks vs Size

The proportion of targeted attacks was about the same independent of employee count. However, the average of 78 security investigations (found in the full report) varied a bit more based on employee count.

LoadingDose, User Rank: Apprentice, 6/8/2015 | 10:40:36 AM
#Attacks vs Size
I would be interested to know how well (or not) the number of attacks correlates with the number of employees in your sample. Is there a systematic relationship? Correlation is not causation, but graphs of attacks vs size (revenue, #employees, etc) would be interesting nevertheless. I did not see this info during a quick scan of the report. Could you show us these?

Joe Stanganelli, User Rank: Ninja, 5/31/2015 | 11:26:59 PM
Discovery
> When fighting a targeted attack, security professionals surveyed reported that, on average, it took six days to move from discovery to remediation.

Keyword: Discovery

More to the point, last I heard it takes enterprises an average of six months to discover an attack.

Agility is key.