Damballa’s Q1 2014 State of Infections Report analyzed 50% of North American ISP internet traffic and 33% of mobile traffic, plus large volumes of traffic from global ISPs and enterprise customers. In addition to the average event data, Damballa also discovered that large, globally dispersed enterprises were averaging 97 active infected devices each day and leaking an aggregate average of more than 10GB of data per day.
Clearly, it’s a daunting task for security staff to manually trawl through mountains of alerts to discover which (if any) constitute a real and present threat. The findings also shed light on why recent high-profile attacks at organizations like Target were undetected for so long, because it's important to remember that alerts don’t equal infections.
Damballa noted that the only way to determine if a device is infected is to correlate logged activity, which takes far too much time and man hours. Accordingly, the Ponemon Institute reported that it takes companies an average of nearly three months (90 days) to discover a malicious breach and four months or longer to resolve it.
“We are already facing a profound scarcity of skilled security professionals, which the latest Frost & Sullivan figures estimate will equate to a 47% shortfall by 2017,” said Brian Foster, CTO of Damballa. “If we compound this fact with the increase in data breaches and the scope of work required to identify a genuine infection from the deluge of security events hitting businesses every day, we can see why security staff are struggling to cope.”
A more specific illustration of the problem is the use of advanced techniques such as domain generation algorithms (DGA), used by threat actors to generate vast quantities of random domain names, which can evade prevention controls and delay identification of actual infections.
“These techniques require security teams to wade through thousands of anomalous IP domains in order to find the IP address that carries the real payload,” the company noted.
In a test conducted by Damballa Labs, where ‘dirty’ network traffic was replayed past more than 1,200 simulated endpoints, 538 pieces of evidence was collected and correlated for each actual infection – nearly impossible to do manually.
“Bystanders may think it’s outrageous that a breach could go undetected for months,” wrote Andrew Hobson, vice president of R&D at Damballa, in a blog. “But the people engaged in daily hand-to-hand combat know that an alert doesn’t equal an infection, and that finding the truly infected devices that are most likely to cause harm is an ongoing challenge. There aren’t enough trained security professionals in the world to solve the problem manually. The ability to automatically identify, prioritize and remediate those truly infected assets is critical to today’s enterprise.”