BY Matt Atkins
The average US firm faces 10,000 potential cyber-security alerts daily, more than any IT team can possibly process, according to an analysis of web traffic by threat protection and containment firm Damballa. The Damballa State of Infections Report Q1 2014 culled information from ISP and mobile traffic, as well as from its own customers, finding that the busiest networks generated up to 150,000 alerts.
While the report makes clear that a large number of these alerts are innocent, the problem lies in the sheer volume of alerts that firms face. The scale of the problem leaves most IT teams with little hope of keeping on top of the daily alerts, allowing infected systems to hide more easily. “Bystanders may think it’s outrageous that a breach could go undetected for months,” says Damballa. “Mainstream media has certainly stirred the pot with stories about security teams ignoring alerts. But the people engaged in daily hand-to-hand combat know that an alert doesn’t equal an infection – and that’s part of the problem.”
Large multinational firms with a global reach face up to 97 active infected devices per day, according to the report, a relatively small number. However, the manual work required to actually find those infections is the number one security challenge. An overload of security alerts aids cybercriminals such as those who attacked firms in the US retail sector during 2013. During its three-month security breach, Neiman Marcus experienced 30,000 security alerts. Sifting the alerts that indicated criminal activity from false positives and innocent but anomalous behaviour took time, extending the period in which the firm was under attack.
Traditional IT security controls can't stop today's threats, says the report. Organisations need to automate labour-intensive processes like alert chasing and focus on discovering successful infections and triaging the devices at most risk. “There aren't enough trained security professionals in the world to solve the problem,” says Damballa.
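As an added illustration of the triage approach the report recommends (this is not code from the article or from Damballa), the Python below ranks devices by corroborating evidence of a successful infection rather than by raw alert count, so a host that trips one weak rule forty times sinks below a host that trips a few strong, agreeing rules over several days. The alert categories, their weights and the sample alert stream are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample alert stream (not data from the Damballa report):
# (timestamp, host, detection category). ws-103 is the noisiest host but only
# ever trips a low-fidelity rule; ws-101 trips fewer, mutually corroborating
# rules on three consecutive days, which is what a live infection looks like.
ALERTS = [
    ("2014-03-01T09:00:00", "ws-101", "dns-dga"),
    ("2014-03-01T09:05:00", "ws-101", "c2-beacon"),
    ("2014-03-02T09:05:00", "ws-101", "c2-beacon"),
    ("2014-03-03T09:05:00", "ws-101", "c2-beacon"),
    ("2014-03-01T10:00:00", "ws-102", "suspicious-download"),
] + [("2014-03-01T12:%02d:00" % m, "ws-103", "policy-violation") for m in range(40)]

# Assumed weights: how strongly a category on its own suggests a successful
# infection rather than merely anomalous behaviour.
WEIGHTS = {"c2-beacon": 5.0, "dns-dga": 3.0, "suspicious-download": 2.0,
           "policy-violation": 0.2}


def triage(alerts):
    """Rank hosts by evidence of infection, not by alert volume.

    Returns a list of (host, score, alert_count) sorted by descending score.
    """
    per_host = defaultdict(list)
    for ts, host, category in alerts:
        per_host[host].append((datetime.fromisoformat(ts), category))
    ranked = []
    for host, events in per_host.items():
        categories = {c for _, c in events}
        active_days = {t.date() for t, _ in events}
        # Each distinct category counts once, so forty copies of one weak
        # alert cannot outscore a single strong one.
        base = sum(WEIGHTS.get(c, 1.0) for c in categories)
        # Corroboration bonus: independent detections that agree, and activity
        # persisting across days, both raise confidence the host is infected.
        corroboration = 1 + 0.5 * (len(categories) - 1)
        persistence = 1 + 0.5 * (len(active_days) - 1)
        ranked.append((host, round(base * corroboration * persistence, 2), len(events)))
    ranked.sort(key=lambda row: row[1], reverse=True)
    return ranked


if __name__ == "__main__":
    for host, score, count in triage(ALERTS):
        print(f"{host}: score={score} alerts={count}")
```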