Security engineers are playing Russian roulette with alerts: Damballa

The sheer number of alerts that security folk have to go through means they are playing a game that they will eventually lose.
Written by Chris Duckett, Contributor

A study commissioned by security vendor Damballa says that security monitoring staff are being overwhelmed by the number of alerts generated by equipment within company networks.

The research claims that in a typical week, around 17,000 malware alerts will be sent to staff. Of these, 19 percent will be deemed reliable, and only 4 percent investigated by security engineers. All up, respondents to the Cost of Malware Containment survey said that the price of investigating false alerts will tally up to $1.27 million every year, with 395 hours wasted each week.

"The challenge now is how do you deal with all that tsunami of alerts, to then be able to identify the needle in the haystack," Daniel Schneersohn, Damballa Asia-Pacific and Japan vice president, told ZDNet. "The security monitoring engineer is operating ... with a gun to his head, and they play Russian roulette with the bulk of the alerts, deciding that they have to ignore those ones because it is a false positive.

"In the case of Target, for more than three months, they had several systems that were warning them of the infection, but it is just part of the hundreds of alerts the same system was sending them; all of the other ones were false positives.

"The vendor can say: 'But we detected it'. Yes, but you're sending 500 alerts a day, one of them he ignored, all the other ones he was right to ignore, one he was not right to ignore.

"You play Russian roulette with that, and you are pretty much going to die every time."

The survey of 630 IT and security practitioners based in the US also said that many companies failed to take a structured approach to handle malware.

"Forty percent of respondents say there is no one person or function accountable for the containment of malware, and 45 percent say the CISO is most responsible," the survey said.

"The typical organisation has 17 IT or IT security staff members involved in the malware detection and containment process. On average, they have eight years' professional experience."

These results fall against a backdrop of businesses becoming more aware of the risk of data breaches, Schneersohn said.

"The biggest change compared to maybe a year ago is people know that they don't know. And the people who know they don't know, and want to know, are not just network manager or security director or the CIO; now, it's the CFO, the CEO, and the board of directors.

"Target changed the rules on all that."

Schneersohn said security professionals are moving beyond relying on purely preventative measures, such as solving each security issue with a new piece of equipment in order to keep intruders out.

"You have to know once and for all, we are not dealing with very good geek programming students in a dorm trying to break into your firewall and show that they are better than the other guy at doing it. We are dealing with very sophisticated, very resourceful organised crime organisations that have money, people, equipment, and time," he said.

"They can do it whenever, they have all the time in the world, they can wait until you do something wrong, you create the vulnerability, and bang, they will get in. And more importantly, thanks to Mr Snowden, we've all learned a lot about the fact that we deal with a few other people: NSA to PLA, and everybody in between."

According to Schneersohn, security professionals are correct in attempting to keep intruders out, but they need to accept that a data breach is inevitable.

"Some machine inside your network will be compromised, maybe outside your network, and it'll come back to your network, whatever way it might be, [and] there will be compromised assets in your network," he said.

"Preventative measures, as good as they are, there will always be someone that will figure out a way to get through, to get over them, to get around them."

But the mindset Schneersohn speaks of is not global, with those in the Asia-Pacific region lagging behind other developed nations.

"I think the level of awareness is growing, the sentiment that breaches are an American problem is only something on the surface to try to pretend that we don't have a problem, when everybody knows we have. We're just either better at hiding it, or worse at disclosing it," Schneersohn said.

"We put it all under the carpet here and hope that no one will tell.

"It's big and it's mostly US, which means there's probably three others somewhere else around the world at the same time that manage not to get into the news."
