To identify breaches in progress more quickly, more enterprises are turning to breach detection systems (BDS), which purport to pick up where intrusion detection systems and anti-malware software often fail: spotting malicious files and malware while a successful attack is underway. That includes moments such as when files are dropped onto an endpoint, when they are executed, or when the malware attempts to communicate with an attack or command-and-control server, as well as other suspicious behaviors.
In its report, Breach Detection Systems Buyer's Guide, the information security research and advisory company NSS Labs evaluated this growing security market category. It defined breach detection systems as products able to detect threats on the network, on endpoints, or both, and able to identify existing breach conditions as well as malware introduced through side channels.
Breach detection systems complement existing security technologies, explains John Pirc, research vice president at NSS Labs. "However, BDS is far more advanced in the ability to identify malware that is unknown and known. The big key is the ability to detect the breach based on the initial dropped file or the command and control communication outbound from your network," he says. In addition, beyond the detection that traditional host- and network-based IDS already provide, the BDS should be able to notify whether an attack was also successful.
The IT security incident response market is set to boom. According to market research firm ABI Research, the market is expected to grow from just over six billion last year to an estimated $14.79 billion by 2017. For instance, startup Carbon Black recently released Carbon Black 3.0, which attempts to provide much-needed insight into potential breach situations. "We started looking at all of the technical indicators of compromise and we honed in on the five most critical pieces of information that we could use to do a better incident response," Viscuso says.
That ability to detect changes in the environment is crucial, says Roesch, if organizations are going to get better at combating advanced threats. "Being able to do so comprehensively is important. Once you get persistent embedded malware in your environment, you are going to need a comprehensive way for eliminating it or you are going to be hurt," he says.