Wednesday 16 September 2015

Detecting malware before it inflicts mayhem

By HP Security Strategist Stan Wisseman

Malware is the most widespread external threat to IT platforms, causing pervasive damage and disruption and necessitating extensive recovery efforts within most enterprises. What is malware and how can we better control its spread?

Malicious software is defined by NIST’s Guide to Malware Incident Prevention and Handling for Desktops and Laptops (Special Publication 800-83) as “a program that is covertly inserted into another program with the intent to destroy data, run destructive or intrusive programs, or otherwise compromise the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.”

Malware continues to grow as an instrument for cybercrime. It is not uncommon to find multiple platforms in an environment that have been infected with one or more different types of malware. While older types of malware (fast-spreading and easy to notice) can still be a threat, many of today’s malware packages are stealthy and specifically designed to silently, slowly spread to other hosts.

[Image: hp_image1]

A common security control deployed by enterprises to detect and prevent malware is antivirus (AV) software. However, containment through AV software is no longer as robust and effective as it used to be. AV products detect malware primarily by matching characteristics of known malware instances, and they fare poorly against previously unknown threats. A study by Lastline Labs malware researchers showed that most AV software does a poor job of detecting advanced malware: on day 0, only 51% of AV scanners detected new malware samples, and the detection rate rose to just 61% after two weeks, illustrating the typical lag between a sample's first appearance and the signatures that catch it. Netflix recently went so far as to remove AV software from its employees' computers.

Early detection of malware is particularly important for reducing the impact of an incident, since an infection's disruptive impact tends to grow over time. Most malware communicates back to a controller once it has successfully infected a host. Speedy detection and handling can reduce the number of infected hosts and the damage done once they are under remote control. However, malware analysis can take a substantial amount of time and require specialized technical knowledge to confirm that an incident was caused by malware, particularly if the malware is new and unknown.

Security operations organizations everywhere are stretched thin trying to get a handle on the growing malware problem. On average, enterprises receive 17K malware alerts per week and spend an average of $1.27M annually in time and resources responding to inaccurate and erroneous event data. Because of the volume of data that SecOps analysts must monitor, only approximately 4% of all malware alerts are actually investigated, leaving a significant gap in the remediation of infected endpoints.

One potential approach to identifying infected hosts with higher fidelity is to detect the malware callback messages in Domain Name System (DNS) traffic: an implant that needs to reach its controller usually has to resolve the controller's name first, so the lookups leave a trail on the enterprise's resolvers even when the callback payload itself is encrypted. Of course, the issue with using DNS traffic is the significant data volume DNS servers produce. This was a perfect big data security analytics use case for HP to tackle. In partnership with HP Labs, HP's central research organization, and HP's internal Cyber Defense Center, HP ArcSight DNS Malware Analytics was developed to identify infected hosts by inspecting DNS traffic in a unique manner.
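To make the idea concrete, here is an added example (not HP's code and not the algorithm behind DNS Malware Analytics, whose internals the post does not describe) that runs two classic callback heuristics over a small, constructed resolver log: a beaconing check that flags a client querying the same registrable domain at suspiciously regular intervals, and a DGA check that flags a client collecting NXDOMAIN answers for high-entropy names. The log format, the host addresses, the names under `.invalid`, and the thresholds (`min_queries`, `max_cv`, `min_failures`, `min_entropy`) are all assumptions made for the example.

```python
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log for the example (not real traffic). One query per line:
#   <ISO-8601 timestamp> <client IP> <query name> <query type> <response code>
# 10.1.1.20 plays a clean host; 10.1.1.37 plays the hypothetical infected host.
# Names under .invalid stand in for attacker infrastructure.
SAMPLE_LOG = """\
2015-09-16T10:00:00 10.1.1.20 www.example.com A NOERROR
2015-09-16T10:00:00 10.1.1.37 upd8-srv.callback.invalid A NOERROR
2015-09-16T10:00:07 10.1.1.20 www.example.com A NOERROR
2015-09-16T10:00:31 10.1.1.20 wwww.example.com A NXDOMAIN
2015-09-16T10:01:00 10.1.1.37 upd8-srv.callback.invalid A NOERROR
2015-09-16T10:01:12 10.1.1.37 q7zp2kx9vbt4.invalid A NXDOMAIN
2015-09-16T10:01:13 10.1.1.37 m3gh8wq2ydtz.invalid A NXDOMAIN
2015-09-16T10:01:14 10.1.1.37 b9xr4tnk6vpl.invalid A NXDOMAIN
2015-09-16T10:02:01 10.1.1.37 upd8-srv.callback.invalid A NOERROR
2015-09-16T10:02:30 10.1.1.20 www.example.com A NOERROR
2015-09-16T10:03:00 10.1.1.37 upd8-srv.callback.invalid A NOERROR
2015-09-16T10:03:01 10.1.1.20 www.example.com A NOERROR
2015-09-16T10:03:59 10.1.1.37 upd8-srv.callback.invalid A NOERROR
2015-09-16T10:05:00 10.1.1.37 upd8-srv.callback.invalid A NOERROR
"""


def parse_log(text):
    """Parse log lines into records, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, client, qname, qtype, rcode = parts
        records.append({"ts": datetime.fromisoformat(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "qtype": qtype,
                        "rcode": rcode})
    return records


def registered_domain(qname):
    """Naive registrable-domain extraction: the last two labels.
    Assumption for the example; real deployments need the Public Suffix List
    (think co.uk) or unrelated tenants get lumped together."""
    return ".".join(qname.split(".")[-2:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a single DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_beacons(records, min_queries=4, max_cv=0.2):
    """Flag (client, domain) pairs queried at suspiciously regular intervals.
    A timer-driven implant produces tightly clustered inter-query gaps; the
    coefficient of variation (stdev / mean) measures that regularity without
    having to guess the period. Thresholds are example assumptions."""
    times = defaultdict(list)
    for r in records:
        times[(r["client"], registered_domain(r["qname"]))].append(r["ts"])
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_queries:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            beacons[key] = {"queries": len(ts), "period_s": mean, "cv": cv}
    return beacons


def find_dga_suspects(records, min_failures=3, min_entropy=3.2):
    """Flag clients with repeated NXDOMAIN answers for high-entropy names.
    A DGA implant walks generated names until one resolves, leaving a trail
    of failed lookups for random-looking labels. Thresholds are assumptions."""
    suspects = defaultdict(list)
    for r in records:
        if r["rcode"] != "NXDOMAIN":
            continue
        if label_entropy(r["qname"].split(".")[0]) >= min_entropy:
            suspects[r["client"]].append(r["qname"])
    return {c: n for c, n in suspects.items() if len(n) >= min_failures}


def report(text):
    """Run both heuristics over a log and return the findings."""
    records = parse_log(text)
    return {"beacons": find_beacons(records),
            "dga_suspects": find_dga_suspects(records)}


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    for (client, domain), s in result["beacons"].items():
        print(f"beacon: {client} -> {domain} every {s['period_s']:.0f}s "
              f"(cv={s['cv']:.3f}, n={s['queries']})")
    for client, names in result["dga_suspects"].items():
        print(f"dga-like: {client} failed lookups for {', '.join(names)}")
```

On the constructed log the clean host is quiet under both heuristics while 10.1.1.37 is reported once for its 60-second beacon and once for its three failed high-entropy lookups. In production, expect the beacon check to also catch legitimate pollers (update agents, monitoring, NTP-over-DNS style lookups), so pair it with an allowlist of known periodic destinations and with the other signals the post alludes to, and note that a resolver log of enterprise scale is exactly the data volume problem described in the paragraph above.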

[Image: hp_image2]

DNS Malware Analytics (DMA) is a clientless, algorithm-driven service that automates the analysis of infected hosts (servers, desktops, and mobile devices). Aided by some cool visualization, analysts are empowered to detect threats in near real time and to dramatically decrease malware dwell time, often cutting the time to pin down an infection from days or months to minutes.

The resulting increased effectiveness in coping with malware is also an opportunity to demonstrate business value through operational savings. Whether it's network downtime, analysts attempting to track down and contain malware infections, or endpoint remediation, time is money. The number of malware incidents avoided, multiplied by the time it takes to remediate one, yields clearly quantifiable savings. That should make your CFO happy!

Learn more about HP Enterprise Security.

Figure source: https://www.fireeye.com/content/dam/legacy/blog/2013/09/attack-stages.png



from cyber security caucus http://ift.tt/1MbcNXY
via IFTTT
