Ninety-three percent of companies' security operation centers admit they're not keeping up with the volume of threat alerts and incidents, putting them at risk.
Despite a growing focus on cyber-security—along with gobs of money and staff time thrown at the task—things just seem to get worse. According to a December 2016 report from McAfee Labs, 93 percent of organizations' security operation centers admit that they are not keeping up with the volume of threat alerts and incidents, putting them at significant risk of moderate to severe breaches.
Altogether, 67 percent of the survey respondents (more than 400 security practitioners spanning multiple countries, industries and company sizes) reported an increase in security breaches. Yet, on average, organizations are unable to sufficiently investigate 25 percent of security alerts. What's more, 26 percent acknowledge operating in a reactive mode, despite having a plan for a proactive security operation.
The hot zones for malware and breaches? New ransomware samples increased 80 percent since the beginning of 2016, and there were more than 2 million new mobile malware threats in Q3 alone.
Survey respondents reported that generic malware led the list of incidents triggering security investigations (30 percent), followed by targeted malware-based attacks (17 percent), targeted network-based attacks (15 percent), accidental insider incidents resulting in potential threats or data loss (12 percent), malicious insider threats (10 percent), direct nation-state attacks (7 percent), and indirect or hacktivist nation-state attacks (7 percent).
The common denominator? "One of the harder problems in the security industry is identifying the malicious actions of code that was designed to behave like legitimate software, with low false positives," noted Vincent Weafer, vice president of Intel Security's McAfee Labs. "The more authentic a piece of code appears, the more likely it is to be overlooked."
Honing in on threats and risks has emerged as a major roadblock. "Just as 2016 saw more ransomware become sandbox-aware, the need to conceal malicious activity is driving a trend toward Trojanizing legitimate applications," Weafer added. These developments place an ever-greater workload on an organization's security operations center—where success is predicated on the ability to detect, hunt down and eradicate attacks-in-progress quickly.
The report also outlines some of the specific ways attackers succeed: patching executables on the fly as they are downloaded through man-in-the-middle (MITM) attacks; bundling "clean" and "dirty" files together using binders or joiners; modifying executables via patchers that seamlessly maintain application use; modifying resources through interpreted, open-source or decompiled code; and poisoning the master source code, especially in redistributed libraries.
This article was originally published on 02-08-2017