According to Damballa, too few security professionals are sorting through too many alerts, most of which are false alarms. Is there an answer?
Much has been written about Target's data breach and why it happened. One might expect that, having procured an expensive antimalware system, Target was prepared for every bad-actor eventuality. Yet alerts of an intrusion anomaly were sounded, then misunderstood or ignored, and they have since become the subject of much debate and finger-pointing.
Brian Foster, CTO of Damballa, has a different point of view -- one with traction, according to many security experts. In the blog post Did Target's Security Blow it or Just Get Blown Up with Noisy Alerts?, Foster begins by questioning how alerts are defined. "The March 13, 2014 Businessweek article, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, did a great job explaining what happened leading up to the Target breach," writes Foster. "But it didn't provide context about the reality of what an 'alert' means to a security team guarding a network as large and complex as Target's."
"Was Target negligent or did they just have too many noisy alerts to chase?" adds Foster. The newly released Damballa State of Infections Report Q4 2014 sheds light on what Foster is alluding to. "A 2015 Ponemon Institute report shows that the average enterprise receives 17,000 malware alerts weekly from their IT-security products. Only 19 percent are deemed to be reliable and just 4 percent are ever investigated."
Staff becomes insensitive to alarms
Foster offers a familiar analogy: the shoplifting sensors standing sentinel duty at retail-store entrances, and how little reaction an alarm elicits from store personnel. The alarms have become background noise, a real-world version of the boy who cried wolf once too often. "Now step back and consider an organization the size of Target," explains Foster. "They have more than 360,000 employees worldwide, about 2,000 stores, 37 distribution centers, and a heavily trafficked retail web site. Their network is massive. A network that size may issue up to hundreds of thousands of alerts a day."
Foster then concludes his argument with the following (the emphasis is his), "It's essential to understand that an alert does NOT equal confidence that a device is infected. To prove infection, you need to correlate the alert with other activity or have a human being investigate the endpoint to see if it is infected."
Must automate technology and cut false positives
To summarize, Foster and Damballa argue that there are too many alerts and too few qualified security staff available to vet each one. The company's answer is to automate manual processes and reduce the noise from false positives. Damballa's State of Infections Report suggests employing:
- High-fidelity, automatic detection of actual infections
- Integration between detection and response systems
- Policies that allow automated response based on degree of confidence
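The three recommendations above, together with Foster's point that an alert only becomes evidence of infection once it is correlated with other activity, describe a triage pipeline: cluster alerts per host, count only independent detectors as corroboration, turn that into a confidence score, and let policy decide what the confidence is allowed to trigger. The Python below is an added illustration of that pipeline and is not Damballa's code or anything from the report. The detector source names, their weights, the one-hour correlation window and the two thresholds are assumed values chosen for illustration, and the alert records are constructed sample data.

```python
"""Alert correlation and confidence-gated response (added example, not vendor code)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Per-source weight: a rough probability that one alert from this detector,
# on its own, reflects an actual infection. Assumed values for illustration.
SOURCE_WEIGHTS = {
    "av_signature":    0.30,   # signature hit on a file; frequently a false positive
    "sandbox_verdict": 0.60,   # file detonated and behaved maliciously
    "dns_dga":         0.50,   # host resolving algorithmically generated names
    "c2_beacon":       0.70,   # periodic outbound connections to one external IP
    "threat_intel_ip": 0.40,   # destination IP on a reputation blocklist
}

AUTO_RESPOND = 0.90           # assumed: isolate without waiting for an analyst
INVESTIGATE = 0.60            # assumed: queue for an analyst with evidence attached
WINDOW = timedelta(hours=1)   # assumed: alerts further apart are not correlated


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def confidence(sources):
    """Noisy-OR over independent detectors: P(infected) = 1 - prod(1 - w_i).
    One weak signal stays weak; several agreeing signals compound."""
    p_clean = 1.0
    for src in sources:
        p_clean *= 1.0 - SOURCE_WEIGHTS.get(src, 0.10)  # unknown source: low weight
    return round(1.0 - p_clean, 3)


def correlate(alerts, window=WINDOW):
    """For each host, find the window of `window` length whose set of distinct
    detector sources gives the highest confidence. Repeated alerts from the
    same detector count once: repetition is not corroboration."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    clusters = {}
    for host, items in by_host.items():
        items.sort(key=lambda a: _ts(a["time"]))
        best, best_conf = {}, -1.0
        for i, anchor in enumerate(items):
            start = _ts(anchor["time"])
            sources = {}
            for a in items[i:]:
                if _ts(a["time"]) - start > window:
                    break
                sources.setdefault(a["source"], a)
            c = confidence(sources)
            if c > best_conf:
                best, best_conf = sources, c
        clusters[host] = best
    return clusters


def decide(conf, n_sources):
    """Map confidence to an action. Automated containment additionally requires
    at least two independent detectors, so a single noisy product can never
    isolate a host by itself."""
    if conf >= AUTO_RESPOND and n_sources >= 2:
        return "isolate"
    if conf >= INVESTIGATE:
        return "investigate"
    return "log_only"


def triage(alerts):
    """Return {host: {confidence, action, evidence}} sorted by descending confidence."""
    out = {}
    for host, sources in correlate(alerts).items():
        conf = confidence(sources)
        out[host] = {"confidence": conf,
                     "action": decide(conf, len(sources)),
                     "evidence": sorted(sources)}
    return dict(sorted(out.items(), key=lambda kv: -kv[1]["confidence"]))


# Constructed sample alerts; hostnames and times are made up.
SAMPLE_ALERTS = [
    # pos-17: the same AV signature firing three times is still one source
    {"host": "pos-17", "source": "av_signature",    "time": "2014-11-30 02:10:00"},
    {"host": "pos-17", "source": "av_signature",    "time": "2014-11-30 02:12:00"},
    {"host": "pos-17", "source": "av_signature",    "time": "2014-11-30 02:15:00"},
    # ws-204: sandbox verdict corroborated by DGA lookups and a beacon within the hour
    {"host": "ws-204", "source": "sandbox_verdict", "time": "2014-11-30 03:00:00"},
    {"host": "ws-204", "source": "dns_dga",         "time": "2014-11-30 03:05:00"},
    {"host": "ws-204", "source": "c2_beacon",       "time": "2014-11-30 03:20:00"},
    # srv-9: two signals a day apart are not correlated; the stronger one stands alone
    {"host": "srv-9",  "source": "threat_intel_ip", "time": "2014-11-29 10:00:00"},
    {"host": "srv-9",  "source": "c2_beacon",       "time": "2014-11-30 10:00:00"},
    # lt-33: two corroborating sources, but not enough confidence to auto-isolate
    {"host": "lt-33",  "source": "sandbox_verdict", "time": "2014-11-30 04:00:00"},
    {"host": "lt-33",  "source": "threat_intel_ip", "time": "2014-11-30 04:30:00"},
]

if __name__ == "__main__":
    for host, v in triage(SAMPLE_ALERTS).items():
        print(f"{host:7} conf={v['confidence']:.3f} action={v['action']:12} evidence={v['evidence']}")
```

On the sample data, ws-204 reaches 0.94 on three independent detectors and is isolated automatically, lt-33 (0.76) and srv-9 (0.70) go to the analyst queue, and pos-17, with only a repeated AV signature, stays at 0.30 and is logged. The two-source gate in decide() is the practical safeguard: a noisy-OR score can be driven high by one heavily weighted detector, and the automated step should never rest on a single product's word.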
Damballa's solution is Failsafe, an automated breach defense system focused on finding and incapacitating advanced threats and malware. Once a threat is detected, Failsafe terminates the malicious activity and compiles actionable information about the attack. "Failsafe does the work that normally requires a great deal of time from several highly-trained security pros," mentions Foster in an email. "And, the evidence provided by Failsafe allows responders to go after the devices that are putting their company at risk."
SANS reviews Failsafe
Rather than take Damballa's word about Failsafe, Jerry Shenk, SANS senior analyst/instructor and holder of six GIAC Gold certifications, tested the company's claims. His conclusions are published in this 17-page report. "Damballa Failsafe uses a combination of sandboxing, threat intelligence and behavioral analysis to determine if threats are active," begins the report. "Relying on a single technology can give a false sense of security. The corroborative evidence provided by Damballa Failsafe's eight profilers (think detection engines) enables the appliance to detect threats over multiple tests and make a verdict on the level of infection of any computer on the network."
Shenk reviewed each of the eight profilers in the report, and has one slight concern. "One thing I was surprised about was that outbound spam did not trip any of the profilers," explains Shenk. "Most enterprise networks block outbound port 25 traffic... so perhaps this is not that important."
"Along with detecting infections, Damballa Failsafe also provides definitive evidence that an endpoint is infected," mentions Shenk. "Damballa Failsafe creates an extensive forensic record of each infection that helps security staff prove what happened and when it happened." The forensic trail includes downloaded files, executed files, DNS queries, sites connected to, relevant packet captures, and other collected evidence.
Shenk ends on a positive note, "In our testing, Damballa Failsafe never flagged a computer as infected when it was not, and it did catch infected hosts using a variety of methods and provide ample evidence to support that conclusion."