Beyond breach prevention: The need for adequate response

As threats have evolved, more enterprises are struggling with quickly finding malware that has infected their systems

If there's been any lesson learned in the past decade, it's that despite tens of billions having been spent on anti-malware, firewalls, intrusion-detection and prevention systems, and other defensive technologies -- it's just not realistic for enterprise security teams to expect to be able to stop every attack.


Yet, surprisingly, enterprises focus their efforts and their budgets as if they can do precisely that. Martin Roesch, founder and CTO of Sourcefire (recently acquired by Cisco), says a recent analysis by the IT security firm found that enterprises often spend as little as 10% of their security budget on incident response and about 30% on detection; the rest goes to prevention.

While preventing successful attack attempts from becoming breaches is the ideal, there needs to be more of a focus on an organization's ability to identify breaches -- especially advanced malware -- as an attack is underway. "What we have been saying is organizations have to be able to deal with malware before [prevention], during, and after an attack," says Roesch.

The ability to spot malware in-progress is a crucial part of maintaining the operational integrity of one's environment, says Roesch. "If you can't maintain integrity then you're not really performing security. You may think your organization is secure. You may be able to get certified and be deemed compliant to regulations, but realistically you're not secure," says Roesch.

That thought certainly matches anecdotal evidence from the number of organizations that have been breached while also compliant with government or industry security regulations, such as PCI DSS. Also, according to the 2013 Verizon Data Breach Investigations Report, 66 percent of breaches in the past year took months, if not years, to be identified. That 66 percent figure is up from 55 percent in 2011 and 41 percent in 2010.

Dan Polly, IT security officer at First Financial Bank, knows the steep hurdles defenders face when it comes to keeping systems secure. "It's interesting to look at malware over the last several years, and how very humbling it is when one considers the small amount of resources attackers must put into place to reach their objectives, against the rather sizable amount of resources defenders must have in place. It's an incredibly asymmetrical situation," Polly says.


More business leaders and security managers are coming to that realization, says Michael Viscuso, CEO at breach detection and incident response startup Carbon Black. That's especially so after they've been breached. "Customers are coming to the realization that it's going to happen again. This inevitability of breach mindset hit the defense contractors a few years ago. Now it's hitting the general commercial market," says Viscuso.

To quickly identify breaches in progress, more enterprises are turning to breach detection systems, which purport to pick up where intrusion detection systems and anti-malware software often fail: spotting malicious files and malware as a successful attack is underway. That can include files being dropped onto an endpoint, those files being executed, the malware attempting to communicate with an attacker or command-and-control server, and other bad behaviors.

In its report, Breach Detection Systems Buyer's Guide, information security research and advisory company NSS Labs evaluated the growing security market category and defined breach detection systems as products that can detect threats on the network, on endpoints, or both, and that can identify existing breach conditions as well as malware introduced through side channels.

Breach detection systems complement existing security technologies, explains John Pirc, research vice president at NSS Labs. "However, BDS is far more advanced in the ability to identify malware that is unknown and known. The big key is the ability to detect the breach based on the initial dropped file or the command and control communication outbound from your network," he says. In addition, beyond detection, which traditional host- and network-based IDS do, the BDS should be able to notify if an attack was also successful.
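As an added illustration of the detection chain the two paragraphs above describe (dropped file, execution, outbound command-and-control traffic, and the "was it successful?" verdict), here is a toy correlator over constructed endpoint events. It is example code written for this page, not any vendor's product; the event format, hosts and addresses are invented.

```python
"""Toy breach-detection correlator (added example, not from the article or any
product). It tracks the stages the article describes: a file dropped on an
endpoint, that file executing, and the resulting process connecting outbound to
a destination not on an allow-list (possible C2). A chain that reaches the
outbound stage is reported as a likely successful breach; a dropped file that
never executes is only an attempt."""
from collections import defaultdict

# Constructed sample events: (host, event_type, subject, detail)
EVENTS = [
    ("ws-17", "file_write", r"C:\Users\a\AppData\update.exe", "browser.exe"),
    ("ws-17", "process_exec", r"C:\Users\a\AppData\update.exe", "pid:4120"),
    ("ws-17", "net_connect", "pid:4120", "198.51.100.23:443"),
    ("ws-22", "file_write", r"C:\Users\b\Downloads\invoice.exe", "mail.exe"),
    ("ws-09", "net_connect", "pid:880", "10.0.0.5:445"),  # no dropped file behind it
]

# Constructed allow-list: internal ranges that should not raise a C2 alert.
ALLOWED_PREFIXES = ("10.", "192.168.")

def is_allowed(dest):
    return dest.startswith(ALLOWED_PREFIXES)

def correlate(events, allowed=is_allowed):
    """Return {host: stage}, stage being 'dropped', 'executed' or 'beaconing'."""
    dropped = defaultdict(set)   # host -> paths written to disk
    pid_of = {}                  # (host, pid) -> path of the dropped file it runs
    stage = {}
    for host, kind, subject, detail in events:
        if kind == "file_write":
            dropped[host].add(subject)
            stage.setdefault(host, "dropped")
        elif kind == "process_exec" and subject in dropped[host]:
            pid_of[(host, detail)] = subject
            stage[host] = "executed"
        elif kind == "net_connect" and (host, subject) in pid_of and not allowed(detail):
            stage[host] = "beaconing"   # dropped file is now talking outbound
    return stage

def successful_breaches(events):
    """Hosts where the chain reached outbound C2-like traffic."""
    return sorted(h for h, s in correlate(events).items() if s == "beaconing")

if __name__ == "__main__":
    for host, s in sorted(correlate(EVENTS).items()):
        print(f"{host}: {s}")
    print("likely successful:", successful_breaches(EVENTS))
```

A real BDS would key on process lineage and file hashes rather than bare paths and PIDs, but the staging logic is the same.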


The IT security incident response market is set to boom. According to market research firm ABI Research, the market is expected to grow from just over six billion dollars last year to an estimated $14.79 billion by 2017. For instance, startup Carbon Black recently released Carbon Black 3.0, which attempts to provide much-needed insight into potential breach situations. "We started looking at all of the technical indicators of compromise and we honed in on the five most critical pieces of information that we could use to do a better incident response," Viscuso says.

That ability to detect changes in the environment is crucial, says Roesch, if organizations are going to get better at combating advanced threats. "Being able to do so comprehensively is important. Once you get persistent embedded malware in your environment, you are going to need a comprehensive way for eliminating it or you are going to be hurt," he says.
