Your IT security team is flying blind on malware. Here's why

News by Doug Drinkwater

A new report from The Ponemon Institute reveals that security staff spend a significant portion of their time chasing up 'false positive' malware alerts, with faulty cyber-intelligence to blame.

The ‘Cost of Malware Containment’ report, which was commissioned by Damballa, found that security teams spend on average 272 hours each week responding to ‘false positive’ alerts that are either erroneous or inaccurate. Researchers said this equates to an average cost of £515,964 annually for each firm in lost time.

The survey, which polled 551 IT and IT security practitioners across EMEA, also found that firms were dealing with nearly 10,000 malware alerts each week and yet only 22 percent of these – just over a fifth – were considered reliable. Perhaps more worryingly, respondents said they deemed only 3.5 percent of all alerts serious enough to warrant further investigation.

“This suggests that IT teams are struggling with the resources, or expertise, to block or detect serious malware,” said the report's summary.

The report also notes how over half of respondents (57 percent) believe the severity of malware infections has “significantly increased” (14 percent) or just “increased” (43 percent) over the past year, with another 47 percent reporting that the volume of malware has increased over the last year.

Despite this, 23 percent said they had an ad hoc approach to malware containment, with 38 percent responding that there is no one person accountable for the containment of malware.

Only 37 percent of EMEA respondents reported that their organisation has automated tools that capture intelligence and evaluate the true threat driven by malware. Organisations that did have automated tools reported that an average of 44 percent of malware containment does not require human input or intervention and can be handled by these automated tools.

Stephen Newman, CTO of Damballa – which, admittedly, sells automated breach response services – noted in a statement: “These findings are significant as they highlight the real impact of false malware intelligence. Not only are teams devoting valuable time and resources to hunting down the false positives but they're also in danger of missing the real infections, which could have a devastating impact.”

He continued: “The severity and frequency of attacks is increasing, so the focus really needs to be on building better intelligence, which means that organisations will have the confidence of knowing exactly where the real threats are. This means that teams can direct their efforts where it is most needed; on finding and quickly remediating the active infections.”

James Chappell, CTO of UK-based cyber-intelligence outfit Digital Shadows, said in an email that these failings were symptomatic of an IT security industry focused too much on solutions, and not on intelligence, all the while threat actors continue to see malware as a profitable business.

“The security industry as a whole has focused on pure technology solutions which are great at generating data but rarely intelligence,” he said via email.

“Solutions are often one-size fits all, and rarely focus on the specific circumstances of a consumer. The true definition of intelligence refers to information with context relevant to a specific organisation that can be used to mitigate a threat or fix a problem. Unfortunately, threat data gets mislabelled as ‘intelligence’. The confusion between threat data and true intelligence adds to the ‘noise’ problem.

“Those on the front line, defending our enterprises, are struggling with the sheer volume and scale. We believe that threat information needs to become completely tailored to the specific circumstances of the organisation itself, whether it be geography, size of business, industry, most likely threats, and empower teams to thereby focus entirely on the mitigations.”

He added that human analysts are needed to interrogate data and remove disinformation, while also profiling an organisation's attackers.

“This is genuine cyber-situational awareness which enables those on the front line to take immediate action. It should become the standard for security suppliers and put the emphasis on genuine intelligence which is actionable rather than ‘noise’ which isn't.”

Dave Palmer, director of technology at UK start-up Darktrace, cited the Target data breach of 2013 as a headline example of too much data to deal with, and agreed with Chappell that the threats would be different per organisation.

“I think companies have been getting inundated with data, so there's a natural feeling – which is quite understandable – that if I had more data I would be more secure, so why don't we pay for some more threat intelligence, or why don't we collect some more logs of what looking at before,” he said when meeting SC in London today.

But he added: “I definitely meet CISOs and security teams with almost data frustrations, saying ‘I've got all this stuff, I don't need another thing to look at’.”

Instead, Palmer encouraged security teams to determine the value of intelligence feeds they were buying, suggesting some information could be gathered online. “Some of this stuff you can just Google, and get just as good answers from.”

He also urged them to think carefully about their defences, their visibility into threats, and what's changing that they “wouldn't have expected or anticipated.”
