State of Infections Report Q4 2014


Table of Contents

Section 1: The Science of Threat Detection in an Age of Pandemic Breaches
    Infection Dwell Time is a Byproduct of Failed Prevention
    Security Manpower is a Finite Resource
Section 2: Turn the Tables on Infection Dwell Time
Conclusion
About Damballa


Section 1: The Science of Threat Detection in an Age of Pandemic Breaches

Infection Dwell Time is a Byproduct of Failed Prevention

After a year of mind-boggling breach headlines, it’s clear the approach to network security has to change. Attackers continually get away with epic heists while defenders get tripped up by their own security weapons.

A 2015 Ponemon Institute report shows that the average enterprise receives 17,000 malware alerts weekly from their IT security products. Only 19% are deemed to be reliable and just 4% are ever investigated, suggesting security teams don’t have the resources to take action.1 The tsunami of alerts is distracting responders from stopping crimes before damage is done. They need actionable intelligence, not needles in haystacks.

A fresh approach is overdue. For nearly 30 years, security programs have centered on prevention. RSA estimates that most organizations spend about 80% of their security budgets on prevention technologies.2 While these products have merit, they are increasingly ineffective in the face of advanced threats. Antivirus, firewalls, IPS, sandboxing and other legacy technologies only work if they see inbound malware files and match them to previously known threats. Today, nearly all advanced attacks use polymorphic malware.

To demonstrate the limitations of a prevention-centric approach, Damballa conducted a comparison study from January to October 2014. We analyzed a sample set of tens of thousands of files sent to us by enterprises for review. The files detected as malicious by our Damballa Failsafe system were also scanned by the four most commonly deployed Antivirus (AV) products.

Within the first hour of submission, the AV products missed nearly 70% of the malware. We systematically rescanned the same files to see how long it would take before signatures were applied to catch malicious files. After 24 hours, 66% were identified as malicious. At the seven-day mark, the accumulated total was 72%. After one month, 93% of the files were identified as malicious. It took more than six months for the AV products to create signatures to identify 100% of the malicious files.

In a real-world environment, a file would only be scanned once by AV. If the average security team receives 17,000 weekly alerts, or 2,430 daily, AV products would have missed 796 malicious files on day one. Consider the risk associated with that number of infections potentially dwelling undetected inside the network.

[Figure: Malware alerts per week. Values shown: 17,000 (average number of malware alerts per week), 19% (reliable alerts), 4% (alerts that get investigated), 40% (infections that go undetected, “if 98% caught”)]

While large enterprises obviously deploy many layers of prevention besides AV, any technology designed to prevent infections based on one technique and/or prior knowledge of the threat will not suffice. That includes signature and reputation-based products as well as those using a single method to analyze traffic or payloads, like sandboxes. If a product ultimately relies on seeing the inbound malware file first, it will miss the forest for the trees.

An analogy from everyday life is the flu vaccine. Every year, the global Centers for Disease Control select the three or four most prevalent strains. Drug manufacturers create a vaccine based on the selected strains, which takes about ten months. The entire process hinges on people making best-guess decisions about known viruses already circulating in the population.3

But viruses morph and new ones can appear during the time it takes to produce the flu shot. Sometimes the vaccine works and sometimes it doesn’t. Experts say the 2014-15 flu vaccine is only 33 percent effective because the viruses mutated after the vaccine was created.4

The same is true of prevention products, which only address the most commonly found malware. If a file morphs or new variants appear, it takes time for those products to be updated with signatures. So essentially if you rely on prevention, you’re treating malware threats with the equivalent of a flu shot.

In Damballa’s study, it took more than six months for AV products to reach the point of 100% identification of the malware. The longer an infection dwells before discovery and remediation, the higher the odds of data exfiltration.

[Figure: Time it took for AV products to identify 100% of malware]

Security Manpower is a Finite Resource

Once an inbound malware file is missed by prevention products, the ‘time-to-breach’ clock starts ticking. The burden then shifts to security staff to find the malware infection and stop damage. In today’s threat environment, that is too large a burden for any organization to bear.

A survey by ISACA, a consortium of information security, assurance, risk management and governance professionals, found that 86% of respondents said there is a global shortage of skilled cybersecurity professionals.5 The lack of manpower further underscores the importance of a fresh approach to network security.

Slogging through uncorroborated alerts to find true infections is not sustainable and also inherently error-prone. First, prevention tools only address a fraction of malware so there is a product-related bias. Second, the process of determining which of the 17,000 alerts to investigate introduces unavoidable human biases. Without the ability to automatically detect hidden infections and respond with actionable intelligence, security teams are quickly buried under an avalanche of noise.

[Chart: AV identification of the malware sample over time. X-axis: 1 hour, 1 day, 7 days, 1 month, 6 months; y-axis: 10% to 100%]

Section 2: Turn the Tables on Infection Dwell Time

Since trained security manpower is a finite resource, it’s imperative to find ways to automate manual processes and decrease the noise from false positives. In a recent report, Forrester analyst John Kindervag asserts that security teams lack the agility and speed to stop breaches because they don’t have the right detection tools in place, and therefore can’t mandate an automated response.6 Meanwhile attackers are nimble, crafty and have time as their advantage.

Ponemon’s “Cost of Malware Containment” study adds weight to Kindervag’s assessment. Less than a quarter of security professionals surveyed said their organization had a structured, automated approach to malware containment. The intensely manual activities associated with malware containment add up to an average of 587 hours a week.7 Respondents said 67% of that time is wasted due to the unreliability of the data.

[Figure: Hours wasted on alerts. Values shown: 587 hours (time investigating alerts), 67% (wasted), 395 hours (evaluating intelligence)]

A few things are essential to reduce manual efforts. Security teams must have:

• High-fidelity, automatic detection of actual infections
• Integration between detection and response systems
• Policies that enable automated response based on a degree of confidence

High-fidelity Detections

An alert is a single uncorroborated artifact from system log data that means nothing on its own. In a court of law, jurors are required to reach a state of ‘beyond a reasonable doubt,’ which would be impossible based on one single piece of evidence. Similarly, it’s unreasonable to expect security teams to take any action based on low-grade alerts.

High-fidelity detection can significantly reduce infection dwell time and risk of breach. For example, Damballa Failsafe uses eight detection techniques to monitor device activity over time. All the while it is automatically corroborating data and building a case of evidence. When a statistical threshold of certainty is reached, a true positive verdict of ‘infected’ is delivered to responders. This automated and scientific process counteracts the biases that are inherent in a prevention-centric environment.

Integrations & Automated Response

Just as security teams are not likely to act on a single alert, they are also not inclined to automate a response without confidence that an infection is present. They are faced with weighty decisions like: Should I automatically kick a device off the network and risk unnecessary business downtime or loss of revenue? In hindsight, it’s easy to say that an aggressive stance could have saved an enterprise like Target tens of millions of dollars. In the heat of the moment, it’s often a judgment call.


If security teams can integrate high-fidelity detection with response mechanisms, like endpoint security tools and network access control systems, they can make headway. Instead of a judgment call, decisions are policy-driven.

As John Kindervag at Forrester stated, “The only way to protect the exfiltration of our data by hackers and cybercriminals is to provide our security teams with a set of rules that will incentivize automated response.”

Damballa compared a sample set of enterprise customer data from Q1 2014 through Q4 2014 to determine whether or not data exfiltration rates increased, decreased or remained steady over time. In Q1, infected assets uploaded a median of 683KB of data a day. In Q4, the median dropped to 160KB per day. The decline is encouraging. If enterprises can continue to make headway by rapidly containing and remediating infections, they can elevate their security posture. Instead of talking about Zero Day exploits, we could be talking about zero data exfiltration.

The diagram below shows how security teams can develop automated response policies based on confidence levels and risk of damage. When a device is being observed for malicious activity, no response is needed other than to keep monitoring it. Once a device moves to a state of “suspected,” you can enact automated responses like:

• Restricting access to sensitive data
• Performing a ‘lite’ forensic scan of the device
• Increasing logging
• Limiting privileges

If the device reaches a state of “infected”, meaning a true positive conviction, you can take further automated actions like:

• Quarantining the device to a security zone
• Initiating a deep forensic scan
• Removing privileges
• Killing suspected processes
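As an added illustration (not Damballa’s code) of the two ideas above, corroborating evidence from several detection techniques over time until a confidence threshold is crossed, and then responding by policy tier rather than judgment call: the technique names, weights and thresholds are assumed placeholders, and a device’s “impact” attribute is assumed to stand in for the figure’s risk-of-damage axis.

```python
from dataclasses import dataclass, field

# Per-technique confidence weights: assumed placeholders, not Damballa's values.
WEIGHTS = {"dns_reputation": 0.3, "beacon_pattern": 0.5,
           "payload_sandbox": 0.6, "anomalous_upload": 0.4}
# (suspected, infected) thresholds per impact tier; assumed, as the report gives none.
THRESHOLDS = {"low": (0.5, 0.9), "high": (0.3, 0.8)}
# Response tiers as listed in the report's policy description.
ACTIONS = {
    "observed": ["continue monitoring"],
    "suspected": ["restrict access to sensitive data", "lite forensic scan",
                  "increase logging", "limit privileges"],
    "infected": ["quarantine to security zone", "deep forensic scan",
                 "remove privileges", "kill suspected processes"],
}

@dataclass
class DeviceCase:
    device: str
    impact: str                                   # "low" or "high" risk of damage
    evidence: dict = field(default_factory=dict)  # technique -> weight

    def add_evidence(self, technique: str) -> None:
        """Corroborate: a new technique strengthens the case; a repeat does not."""
        self.evidence[technique] = WEIGHTS[technique]

    def confidence(self) -> float:
        """Treat techniques as independent: P(at least one is a true indicator)."""
        p_all_false = 1.0
        for w in self.evidence.values():
            p_all_false *= 1.0 - w
        return round(1.0 - p_all_false, 3)

    def state(self) -> str:
        suspect_at, infect_at = THRESHOLDS[self.impact]
        c = self.confidence()
        return "infected" if c >= infect_at else "suspected" if c >= suspect_at else "observed"

def automated_response(case: DeviceCase) -> list:
    """Policy-driven: the action set follows the state, not an analyst's judgment call."""
    return ACTIONS[case.state()]

def run_case(impact: str, observations: list) -> list:
    """Replay detections in order; record (technique, confidence, state) after each."""
    case = DeviceCase("host-01", impact)  # constructed sample device
    trail = []
    for technique in observations:
        case.add_evidence(technique)
        trail.append((technique, case.confidence(), case.state()))
    return trail
```

Replaying the same three detections against a high-impact device crosses the “infected” threshold where a low-impact device stays “suspected”, which is the confidence-versus-risk trade-off the diagram expresses.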

Figure 1: Damballa Failsafe + Automated Response. Axes: confidence (low to high) and impact / “risk of damage” (low to high). States: OBSERVED: no response, continue monitoring; SUSPECTED: automate response, continue monitoring; INFECTED: automate response, continue monitoring.

[Chart: Data exfiltrated by infected assets, Q1 through Q4 2014. Y-axis: 0 KB to 800 KB]

Conclusion

There is an infinite amount of malware code at attackers’ disposal yet a finite number of skilled security staff able to deal with the volume of noise they create daily. If the last year of unending breach headlines is a barometer, it’s safe to assume that legacy approaches to security will not cut it in this new age.

Security professionals must implement a fresh approach that reduces the historical dependence on prevention tools. A forward-thinking breach readiness strategy must incorporate high-fidelity detection and automated response to slow down the trajectory of data breaches in 2015 and beyond.

About Damballa

As the experts in advanced threat protection and containment, Damballa discovers active threats that bypass all security prevention layers. Damballa identifies evidence of malicious network traffic in real time, rapidly pinpointing the compromised devices that represent the highest risk to a business.

Our patented solutions leverage Big Data from the industry’s broadest data set of consumer and enterprise network traffic, combined with machine learning, to automatically discover and terminate criminal activity, stopping data theft, minimizing business disruption, and reducing the time to response and remediation. Damballa protects any device or OS including PCs, Macs, Unix, iOS, Android, and embedded systems. Damballa protects more than half a billion endpoints globally at enterprises in every major market and for the world’s largest ISP and telecommunications providers.

To learn more about Damballa Failsafe, visit our website www.alvarezassociates.com or contact us at 1-877-739-7289.

References

1. https://www.damballa.com/ponemon-institute-survey-the-cost-of-malware-containment/
2. http://www.techrepublic.com/blog/it-security/how-mid-to-large-companies-can-optimize-security-budgets/
3. http://www.cdc.gov/flu/professionals/vaccination/virusqa.htm
4. http://abcnews.go.com/Health/top-flu-questions-answered/story?id=28004030
5. ISACA, 2015 Global Cybersecurity Status Report. http://www.isaca.org/Pages/Cybersecurity-Global-Status-Report.aspx
6. Forrester Research, “Rules Of Engagement: A Call to Action To Automate Breach Response,” December 2, 2014, by John Kindervag, Stephanie Balaouras with Glenn O'Donnell, Heidi Shey, Claire O'Malley. https://www.forrester.com/Rules+Of+Engagement+A+Call+To+Action+To+Automate+Breach+Response/fulltext/-/E-RES87221
7. https://www.damballa.com/ponemon-institute-survey-the-cost-of-malware-containment/

DAMBALLA | 817 West Peachtree Street, NW | Suite 800 | Atlanta, GA 30308 | Phone: 404 961 7400 DAMBALLA.COM