Manual detection of malware activity is ‘impossible’

Security

by CBR Staff Writer| 14 May 2014

An average company’s network generates about 10,000 security events per day, while the active ones generate around 150,000 events, which could mask a targeted attack.

It could be impossible to deal with It threats, with companies' networks generating an avalanche of security events that could be associated with malware behaviour, a new report has warned.

According to the report from threat detection solution provider Damballa, an average company's network generates 10,000 security events per day, while the active ones generate 150,000 events per day, which could mask a targeted attack.

A large, globally-dispersed company will report 97 active infected devices each day and leak an aggregate average of more than 10GB of data.

As hackers unleash an avalanche of anomalous traffic to mask targeted attacks, it could be impossible for security staff to go through the huge number of incidents or alerts to find out which is the real threat.

Damballa CTO Brian Foster said there is already a shortage of skilled security professionals, which the latest Frost & Sullivan figures estimate will equate to a 47% shortfall by 2017.

Foster said: "If we compound this fact with the increase in data breaches and the scope of work required to identify a genuine infection from the deluge of security events hitting businesses every day, we can see why security staff are struggling to cope.

"Automated incident detection is an important part of the solution to free valuable security staff from the labor-intensive task of sifting through false-positives, to focus on the more important issues of speedy remediation and threat mitigation."

Malicious threat actors often use advanced techniques such as Domain Generation Algorithms (DGA) to generate vast quantities of random domain names to avoid prevention controls and delay identification of actual infections.

In order to remediate them, the security staff required to go through thousands of anomalous IP domains, to locate the IP address that carries the real payload, which could be impossible to do manually.

In a test conducted by Damballa Labs, where 'dirty' network traffic was replayed past more than 1,200 simulated endpoints, 538 pieces of evidence was collected and correlated for each actual infection - nearly impossible to do manually.

Comments
Post a comment

Comments may be moderated for spam, obscenities or defamation.

Join our network

738 people like this.
0 people follow this.

Security Intelligence

Privcy Policy

We have updated our privacy policy. In the latest update it explains what cookies are and how we use them on our site. To learn more about cookies and their benefits, please view our privacy policy. Please be aware that parts of this site will not function correctly if you disable cookies. By continuing to use this site, you consent to our use of cookies in accordance with our privacy policy unless you have disabled them.