There’s no slowing down of the number of threats CISOs face, so it should be no surprise that the number of alerts infosec team members have to deal with are soaring as well. However, according to a new McAfee Labs survey, they’re having trouble keeping control.
“Most organizations are overwhelmed by alerts,” says the report released Tuesday, with 93 per cent of respondents saying they are unable to triage all relevant threats.
On average, respondents said they were unable to sufficiently investigate 25 per cent of their alerts, with no significant variation by country or company size. Almost one quarter (22 per cent) feel that they were lucky to escape with no business impact as a result of not investigating these alerts. The majority (53 per cent) reported only minor impact, but 25 per cent said they have suffered moderate or severe business impact as a result of uninvestigated alerts.
The largest organizations surveyed, perhaps because of their better monitoring capabilities and stable incident levels, were more likely to report no business impact (33 per cent).
The survey interviewed almost 400 security practitioners across several industries company sizes and geographies, including Canada.
Of the respondents reporting an increase in incidents, 57 per cent said they are being attacked more often, while 73 per cent the increase is because they are able to spot attacks better.
Almost 70 per cent used a SIEM (security information and event management suite. Those organizations using external managed security service providers (MSSPs) were highly likely (93 per cent) to have those services involved with the SIEM in some way. Most (71 per cent) ask the MSSP to run day-to-day SIEM operations. Almost half (45 per cent) of companies without a SIEM intend to deploy the functionality within the next 12 to 18 months.
The majority of organizations (55 per cent) said firewall logs are the primary source used for advanced threat detection and investigation, followed by endpoint logs (34 per cent) and system logs (32 per cent).
Organizations have to improve their ability to detect signals of potential attacks — perhaps through analytics — concludes the report, as well as improve the ability to investigate potential attacks, including scoping the full extent and impact of an attac
The survey was part of McAfee’s quarterly threat report.
To back up the probability that 2016 will be remembered as the year of ransomware, the report notes that through the end of Q3 the number of new ransomware samples this year totaled over 3,8 million, an increase of 80 per cent since the beginning of the year.
The report also notes that Trojanized legitimate software is on the rise. These Trojans hunt for backdoor access to systems which infect legitimate code and hide, hoping to go unnoticed as long as possible to maximize payouts. Inserted code can be streamlined toward the desired payload, “which can be an Achilles heel for defenses that are ill equipped to cope with such attacks,” says the report.
This largely accounts the rapid growth of Android malware in copycat apps, says the report. McAfee notes that one security vendor reported Trojanized adware masquerading as 20,000 popular apps. McAfee’s data shows this number has ballooned to nearly 700,000 in less than a year. Binary patching programs have emerged in the last couple of years to simplify the process of adding payloads to already compiled applications., the report adds. with kits such as AndroRat and Dendroid are responsible for tens of thousands of copycat Android apps concealing malicious payloads.
It is still commonplace for update servers to deliver binaries over insecure HTTP connections, McAfee notes.
End users should use a virtual private network (VPN) — some of which are free — when connecting to an untrusted network, says McAfee. Meanwhile administrators should keep security software up to date and rely on strong indicators of trust rather than those potentially forged in an attack. Behavioral monitoring, web and IP reputation, memory scanning, and application containment should also be considered.
“The problem of Trojanized legitimate applications is likely to get worse before it gets better,” it concludes