
Flood of threat intelligence overwhelming for many firms

Maria Korolov | Nov. 4, 2016
The amount of threat information coming in from security systems is overwhelming for many companies

The high percentage of companies that had sophisticated security tools in place was a surprise, said Vikram Chabra, solution architect at NetEnrich, which sponsored the report.

However, lack of expertise remains an issue, he added.

"Despite the fact that we have the finest tools that can defend against advanced persistent threats, we still need qualified security analysts or engineers to look at the incidents thrown out by the tools, comb out false positives, and take actions," he said.

To help deal with the issue, 66 percent of companies said that they used third-party consultants or managed security service providers to develop or implement their cyber security plans.

Integration was an issue here as well, Chabra added.

"Your security technology vendor isn't the same as your managed security service provider," he said. "You've got multiple vendors involved -- one vendor managing the security, another managing the technology, and there's a gap there."

Finally, according to a report by security vendor eSentire, despite the large amounts of data flowing in from firewalls and other security systems, a large number of attacks are still slipping through.

"There are many attacks that do not get detected by traditional defenses because the velocity at which the bad guys evolve their weaponry is so much faster than how the good guys can respond," said Mark McArdle, CTO at eSentire.

And it's not just the most clever attacks that get through.

According to a report based on two years of sensor data, 57 percent of attacks that get through firewalls and antivirus systems are unsophisticated, brute-force attacks.

This is due to ongoing, automated activity by attackers running scans looking for unpatched software, default passwords, and misconfigured systems.

"We consider that to be the 'background radiation' of the Internet," McArdle said. "There's nothing you can do to stop that from happening -- it's just one of the realities you accept the minute you connect to the internet."

These probes are constantly looking for ways that attackers can grab a foothold in a system, and there isn't much that companies can do to stop it without also locking out customers, partners, employees, and other legitimate services.

These attacks are often not picked up by SIEMs, he added.

"The SIEM's only source of visibility is the events generated by the firewalls and the antivirus," he said. "And while the SIEM will give excellent views into the attacks that it knows about, it will have nothing to say about new attacks or sophisticated attacks. There's lots of good information in it, but relying on it as the primary means of identifying threats will result in you missing significant activity."
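To make the two points above concrete, here is an added example (not code from the article, NetEnrich or eSentire) of the kind of correlation rule a SIEM runs over authentication events. It flags the "background radiation" pattern, a single source racking up failed logins within a short window, and then shows the blind spot McArdle describes: a source that logs in on its first attempt (a default or reused password, for instance) never trips a failure-count rule. The log lines, host name, addresses and thresholds are constructed for the illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth log (syslog style); not taken from any real system.
SAMPLE_LOG = """\
Nov  4 10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Nov  4 10:00:03 bastion sshd[2202]: Failed password for admin from 203.0.113.7 port 51023 ssh2
Nov  4 10:00:04 bastion sshd[2203]: Failed password for invalid user test from 203.0.113.7 port 51024 ssh2
Nov  4 10:00:06 bastion sshd[2204]: Failed password for root from 203.0.113.7 port 51025 ssh2
Nov  4 10:00:07 bastion sshd[2205]: Failed password for oracle from 203.0.113.7 port 51026 ssh2
Nov  4 10:00:09 bastion sshd[2206]: Failed password for root from 203.0.113.7 port 51027 ssh2
Nov  4 10:02:15 bastion sshd[2207]: Accepted password for admin from 198.51.100.23 port 40211 ssh2
Nov  4 10:03:30 bastion sshd[2208]: Failed password for alice from 192.0.2.44 port 60001 ssh2
Nov  4 10:03:45 bastion sshd[2209]: Accepted publickey for alice from 192.0.2.44 port 60002 ssh2
"""

# Matches both "Failed password for ..." and "Accepted publickey for ..." forms,
# including the "invalid user" variant sshd emits for unknown account names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(line, year=2016):
    """Turn one sshd log line into an event dict, or None if it is not an auth event.
    Syslog timestamps carry no year, so the caller supplies it (assumed 2016 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the padded day field ("Nov  4")
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def brute_force_alerts(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window rule: alert once per source IP when it accumulates
    `threshold` failed logins inside `window`. Returns (ip, window_start, count)."""
    recent = defaultdict(deque)  # ip -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["result"] != "Failed":
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in alerted:
            alerted.add(ev["ip"])
            alerts.append((ev["ip"], q[0], len(q)))
    return alerts


def first_try_logins(lines):
    """The blind spot: successful logins from sources that never produced a
    failure. A threshold rule has no signal here, so these need a different
    check (new source for the account, impossible travel, asset inventory...)."""
    failed_from = set()
    quiet = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            failed_from.add(ev["ip"])
        elif ev["ip"] not in failed_from:
            quiet.append((ev["ip"], ev["user"]))
    return quiet


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for ip, start, n in brute_force_alerts(lines):
        print(f"brute force: {ip} made {n} failed logins starting {start}")
    for ip, user in first_try_logins(lines):
        print(f"no threshold signal: {ip} logged in as {user} on its first attempt")
```

Running it flags 203.0.113.7 after its fifth failure in under a minute, while 198.51.100.23, which guessed the admin password on the first try, produces no alert at all; alice's one typo from 192.0.2.44 falls well under the threshold. The point is the one McArdle makes: the rule is good at the noise it was written for and silent about anything else.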

