The Inquirer

Business staff can't manage the huge volume of security alerts

Up to 150,000 events per day make firms vulnerable to attack
Tue May 13 2014, 14:47

BUSINESSES ARE VULNERABLE to cyber attacks because of the huge number of security events per day that staff struggle to manage, security firm Damballa has reported.

The report's findings revealed that the devices in an average company's network are generating an aggregate average of 10,000 security events per day, with the most active generating around 150,000 events per day.

The report also discovered that large, globally-dispersed enterprises were averaging 97 active infected devices each day and leaking an aggregate average of more than 10GB of data per day.

The figures come from Damballa's first quarter 2014 State of Infections Report, compiled from analysis of 50 percent of North American ISP internet traffic and 33 percent of mobile traffic, plus "large volumes of traffic" from global ISPs and enterprise customers. The data highlights the workload security staff face when they manually trawl through mountains of alerts to work out which ones represent real threats.

"But the people engaged in daily hand-to-hand combat know that an alert doesn't equal an infection - and that's part of the problem," the report said. "A human must correlate an alert with other logged activity to determine whether or not a device is infected. The time it takes to gather evidence and remediate creates a gap between when an infection occurs and when the enterprise can respond, and that's when damage can be done."

Such figures also suggest why recent high-profile attacks on organisations like Target went undetected for so long: an alert on its own does not tell you that a device is infected.

"The only way to determine if a device is infected is to correlate logged activity, which takes far too much time and man hours," the report said, adding that advanced techniques such as Domain Generation Algorithms (DGA) used by threat actors to generate vast quantities of random domain names can evade prevention controls and delay identification of actual infections.

"These techniques require security teams to wade through thousands of anomalous IP domains in order to find the IP address that carries the real payload."

Damballa conducted a test in which "dirty" network traffic was replayed through more than 1,200 simulated endpoints. On average, 538 pieces of evidence had to be collected and correlated to confirm each actual infection, something the firm said is "nearly impossible" to do manually.
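The correlation problem the report describes (an alert alone is not an infection; DGA-generated lookups bury the one domain that actually resolves to the payload server among thousands of failures) can be shown in a few dozen lines. The following is an added example, not code from Damballa or from the report: it joins constructed IDS alert lines with constructed DNS resolver log lines per host, counts failed lookups whose first label looks machine-generated (long and high-entropy), and only calls a host infected when a signature hit and a burst of DGA-like NXDOMAIN responses coincide. The log formats, field names, thresholds and hosts are all assumptions.

```python
"""Toy alert/DNS correlation: separate real infections from noisy alerts.

Added illustration, not Damballa's tooling. Log formats, hosts, thresholds
and domain names are constructed for this example.
"""
import math
import re
from collections import defaultdict

# Constructed sample logs (not real traffic).
ALERTS = [
    "2014-05-13T09:01:02 host=10.0.0.5 sig=ET TROJAN Generic DGA Beacon",
    "2014-05-13T09:03:15 host=10.0.0.7 sig=ET POLICY Cleartext Password",
]
DNS_LOG = [
    # 10.0.0.5: a burst of random-looking NXDOMAINs, then one name that resolves
    "2014-05-13T09:01:03 client=10.0.0.5 qname=qzx8k2vm4pwt.com rcode=NXDOMAIN",
    "2014-05-13T09:01:03 client=10.0.0.5 qname=b7nh3ysl0cfe.com rcode=NXDOMAIN",
    "2014-05-13T09:01:04 client=10.0.0.5 qname=k9ju5rdx1gob.com rcode=NXDOMAIN",
    "2014-05-13T09:01:04 client=10.0.0.5 qname=w2tq6mlz8hva.com rcode=NXDOMAIN",
    "2014-05-13T09:01:05 client=10.0.0.5 qname=p4sfc7ynk3ei.com rcode=NXDOMAIN",
    "2014-05-13T09:01:05 client=10.0.0.5 qname=z1ohb5dxr9mu.com rcode=NXDOMAIN",
    "2014-05-13T09:01:06 client=10.0.0.5 qname=v6gkw3tqn8ly.net rcode=NOERROR",
    # 10.0.0.7: an alert fired, but the DNS activity is ordinary (one typo)
    "2014-05-13T09:03:10 client=10.0.0.7 qname=www.google.com rcode=NOERROR",
    "2014-05-13T09:03:11 client=10.0.0.7 qname=wwww.google.com rcode=NXDOMAIN",
    # 10.0.0.9: no signature hit at all, yet DGA-like lookups are happening
    "2014-05-13T09:05:40 client=10.0.0.9 qname=m8cxr4fuv2ja.org rcode=NXDOMAIN",
    "2014-05-13T09:05:40 client=10.0.0.9 qname=t3lpq9wke6hn.org rcode=NXDOMAIN",
    "2014-05-13T09:05:41 client=10.0.0.9 qname=g5vdz0snb7yo.org rcode=NXDOMAIN",
    "2014-05-13T09:05:41 client=10.0.0.9 qname=r2ahf8ktc1xm.org rcode=NXDOMAIN",
    "2014-05-13T09:05:42 client=10.0.0.9 qname=j7uyw4ngq3es.org rcode=NXDOMAIN",
]

ALERT_RE = re.compile(r"host=(?P<host>\S+) sig=(?P<sig>.+)$")
DNS_RE = re.compile(r"client=(?P<host>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)")


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label (0.0 for empty input)."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname: str, min_len: int = 10, entropy_min: float = 3.0) -> bool:
    """Crude DGA heuristic on the leftmost label: long and high-entropy.

    Thresholds are assumptions for the example; real deployments tune them
    against their own baseline of legitimate names.
    """
    label = qname.split(".")[0]
    return len(label) >= min_len and shannon_entropy(label) >= entropy_min


def correlate(alert_lines, dns_lines, nx_burst: int = 5):
    """Join alerts and DNS evidence per host and return (evidence, verdicts)."""
    evidence = defaultdict(lambda: {"alerts": [], "nxdomain": 0,
                                    "dga_like": 0, "payload_candidates": []})
    for line in alert_lines:
        m = ALERT_RE.search(line)
        if m:
            evidence[m["host"]]["alerts"].append(m["sig"])
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        ev = evidence[m["host"]]
        generated = looks_generated(m["qname"])
        if m["rcode"] == "NXDOMAIN":
            ev["nxdomain"] += 1
            if generated:
                ev["dga_like"] += 1
        elif generated:
            # A generated-looking name that actually resolved: the likely C2.
            ev["payload_candidates"].append(m["qname"])
    verdicts = {}
    for host, ev in evidence.items():
        dga_burst = ev["dga_like"] >= nx_burst
        if ev["alerts"] and dga_burst:
            verdicts[host] = "infected"
        elif dga_burst:
            verdicts[host] = "dga-activity-no-alert"   # evaded the signature layer
        elif ev["alerts"]:
            verdicts[host] = "alert-only"              # alert != infection
        else:
            verdicts[host] = "clean"
    return dict(evidence), verdicts


if __name__ == "__main__":
    ev, verdicts = correlate(ALERTS, DNS_LOG)
    for host, v in sorted(verdicts.items()):
        print(host, v, ev[host]["payload_candidates"])
```

The point is the shape of the logic rather than the heuristic itself: the alert on 10.0.0.7 is dropped as uncorroborated, 10.0.0.5 is confirmed and the single resolving domain is surfaced from its burst of failures, and 10.0.0.9 is caught purely from DNS evidence even though no signature fired, which is the evasion case the report attributes to DGAs.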

"With the increase in data breaches and the scope of work required to identify a genuine infection from the deluge of security events hitting businesses every day, we can see why security staff are struggling to cope," said Damballa CTO Brian Foster.

"Automated incident detection is an important part of the solution to free valuable security staff from the labor-intensive task of sifting through false positives, to focus on the more important issues of speedy remediation and threat mitigation."

Reducing the time to discovery from 90 days to one day across those 97 infected devices would save 89 "man-days" per device, as Damballa put it, or 8,633 man-days in total, which the firm equates to 23.65 years per enterprise.

"Not only is this a tremendous saving in time, but it significantly shrinks the window of when an enterprise is vulnerable to that particular attack," the firm claimed.

