Only one in ten organizations are not concerned about attacks using compromised credentials, but 59% admit that they cannot detect those attacks.
According to research by Rapid7 of 271 organisations, 90.17% of organizations are worried about compromised credentials being used to enable attacks. Global security strategist Trey Ford told Infosecurity that after breaches happen, people were concerned about the same details being used for webmail access. “If I am going to use your account or pwn your endpoint, am I going to point your endpoint to download tools? No I am going to use it and move around like a normal user,” he said.
“If you cannot catch the crazy man in the lobby, then are you going to approach the man with the clipboard and the suit? It is not the classic insider threat, it is simple re-use of accounts and that becomes extremely meaningful.”
The report found that 43% of respondents planned to spend more on incident response measures in 2016, while 40.88% admitted that they had no visibility into users or risks. The cases of “too many alerts” and “investigations taking too long” was cited by 40.33% of respondents.
Asked what was driving the spending, Ford said that it was a combination of executives asking questions, people being aware of accountability and a notion of maturity with the industry focused on regulation and compliance.
“The best indicator of how secure the program is isn’t just under the tape, it is more a function of where are we being hit and how do we get in front of that,” he says. “It isn’t about prepare and prevent, it is about detect and respond.”
Ford said that detect and respond is where people are moving to, as the use of intrusion prevention systems were the most common product used for incident detection and response. He says: “We are able to power people earlier and invest in their skill sets as it takes time as we have a skills shortage and we want to make the best of people, so need to make them more extensible.
“If you have got your own log correlation engine and you have your own engineers to match incidents, then that wisdom stays inside your organisation.”