When Target Corp. suffered a massive breach in 2013, multiple security products provided alerts to the retailer's SOC of the initial malware infection, yet no action
For its newly released Q1 State of Infections report, threat detection vendor Damballa Inc. gathered data from customers of its Failsafe product, which it said provides data on 50% of all North American Internet service providers' traffic and 33% of mobile traffic.
With the work required to identify a genuine infection ... it's easy to see why security staff are struggling to cope.
CTO, Damballa Inc.
The company found a typical customer faced an average of 10,000 security events per day, with some organizations encountering as many as 150,000 events per day. Though not all of those events point to an infected machine, Damballa CTO Brian Foster said there simply aren't enough trained security professionals at any given company to deal with that quantity of events.
Damballa's enterprise clients must also manage an average of 97 infected machines on a daily basis, Foster said, which for even the deepest IT security teams is a daunting figure.
For perspective on the problem, Foster pointed to recent statistics from the 2014 Verizon Data Breach Investigations Report, which indicated more than three out of every four security incidents took a day or more to discover. He said the manual processes required to identify actual infections among potentially thousands of security events simply takes too much time.
"With the work required to identify a genuine infection from the deluge of security events hitting enterprises every day," said Foster, "it's easy to see why security staff are struggling to cope."
More security automation needed
Foster said overburdened security teams are in dire need of more automated incident response processes, and Damballa's customers agreed, with 100% indicating in a recent Damballa survey that "automating manual processes is key to meeting future security challenges."
Enterprises have increasingly turned to security information and event management (SIEM) products to correlate large quantities of event data, according to Foster, but the technology still isn't capable of efficiently whittling security events down to pinpoint the ones that really matter.
"You're getting partial pictures of an elephant [with SIEM], but never the entire elephant," Foster said.
Instead of relying on SIEM, he advised enterprises to focus on security products that reduce the noise caused by false positives and generally only issue alerts for actual infections. Even much-maligned traditional antivirus products can play a part in reducing the number of security events that must be investigated, he said, because such technology is still capable of mitigating large quantities of malware before it ever hits any endpoints.
Though Foster admitted many of the enterprises he works with still want some human element in the incident response process -- leading him to prefer the term "automatable" rather than automated -- he said those companies unable to reduce the number of events they face on a daily basis are risking wasting huge amounts of man-hours.
Utilizing statistics from a 2013 Ponemon Institute report, the Damballa report indicated IT teams take on average 90 days to manually discover a breach and four months or longer to resolve it. If an enterprise could get that time to discovery down to an average of even one day, the report indicated that each individual organization could save an average of 8,633 "man-days" per year.
"You're never going to be able to automate everything [because] the cure ends up being worse than the disease" Foster said. "But there [are] just not enough trained humans in IT to deal with the huge number of alerts and suspicious events facing enterprises today."