Beyond breach prevention: The need for adequate response

As threats have evolved, more enterprises are struggling with quickly finding malware that has infected their systems

If the past decade has taught one lesson, it is that despite the tens of billions of dollars spent on anti-malware, firewalls, intrusion detection and prevention systems, and other defensive technologies, enterprise security teams cannot realistically expect to stop every attack.


Yet, surprisingly, enterprises still allocate their efforts and budgets as if they could do precisely that. Martin Roesch, founder and CTO of Sourcefire (recently acquired by Cisco), says a recent analysis by the IT security firm found that enterprises often spend as little as 10% of their security budgets on incident response and about 30% on detection; the rest goes to prevention.

While preventing attack attempts from becoming breaches remains the ideal, organizations need to put more focus on their ability to identify breaches, advanced malware especially, while an attack is underway. "What we have been saying is organizations have to be able to deal with malware before [prevention], during, and after an attack," says Roesch.

The ability to spot malware in progress is a crucial part of maintaining the operational integrity of one's environment, says Roesch. "If you can't maintain integrity then you're not really performing security. You may think your organization is secure. You may be able to get certified and be deemed compliant to regulations, but realistically you're not secure," says Roesch.

That thought certainly matches the anecdotal evidence: many organizations have been breached while compliant with government or industry security regulations such as PCI DSS. And according to the 2013 Verizon Data Breach Investigations Report, 66 percent of breaches in the past year took months or longer, in some cases years, to be discovered. That 66 percent figure is up from 55 percent in 2011 and 41 percent in 2010.

Dan Polly, IT security officer at First Financial Bank, knows the steep hurdles defenders face when it comes to keeping systems secure. "It's interesting to look at malware over the last several years, and how very humbling it is when one considers the small amount of resources attackers must put into place to reach their objectives, against the rather sizable amount of resources defenders must have in place. It's an incredibly asymmetrical situation," Polly says.


More business leaders and security managers are coming to that realization, says Michael Viscuso, CEO at breach detection and incident response startup Carbon Black. That's especially so after they've been breached. "Customers are coming to the realization that it's going to happen again. This inevitability of breach mindset hit the defense contractors a few years ago. Now it's hitting the general commercial market," says Viscuso.

To quickly identify breaches in progress, more enterprises are turning to breach detection systems, which purport to pick up where intrusion detection systems and anti-malware software often fail: spotting malicious files and malware as a successful attack is underway. That includes detecting when files are dropped onto an endpoint, when they execute, and when the malware attempts to communicate with an attacker's command-and-control server, among other suspicious behaviors.

In its report, Breach Detection Systems Buyer's Guide, the information security research and advisory company NSS Labs evaluated the growing security market category. It defined breach detection systems as products that can detect threats on the network, on endpoints, or both, and that can identify existing breach conditions as well as malware introduced through side channels.

Breach detection systems complement existing security technologies, explains John Pirc, research vice president at NSS Labs. "However, BDS is far more advanced in the ability to identify malware that is unknown and known. The big key is the ability to detect the breach based on the initial dropped file or the command and control communication outbound from your network," he says. In addition, beyond the detection that traditional host- and network-based IDS already perform, a BDS should be able to report whether an attack was actually successful.


The IT security incident response market is set to boom. According to market research firm ABI Research, the market is expected to grow from just over $6 billion last year to an estimated $14.79 billion by 2017. Vendors are moving to meet that demand: startup Carbon Black recently released Carbon Black 3.0, which aims to provide much-needed insight into potential breach situations. "We started looking at all of the technical indicators of compromise and we honed in on the five most critical pieces of information that we could use to do a better incident response," Viscuso says.

That ability to detect changes in the environment is crucial, says Roesch, if organizations are going to get better at combating advanced threats. "Being able to do so comprehensively is important. Once you get persistent embedded malware in your environment, you are going to need a comprehensive way for eliminating it or you are going to be hurt," he says.

By George V. Hulme