The study, released this week by Enterprise Strategy Group and commissioned by Malwarebytes, surveyed 315 security professionals at companies in North America. It found that 74 percent of respondents have increased their security budgets over the past two years in direct response to more sophisticated malware threats.
Businesses need to assess their current defenses to avoid making impulsive spending decisions, said Jon Oltsik, senior principal analyst at Enterprise Strategy Group, in his "Malware and the State of Enterprise Security" report.
"Many organizations lack the right staff size or skills necessary to address malware threats, but given their current workload and the information security skills shortage, it is unlikely they can fill this void quickly," Oltsik said in his report. "The best technologies will address antimalware requirements with highly tuned intelligence, algorithms and automation."
The current crop of firewalls and intrusion-prevention systems is missing a greater amount of malware, according to the survey. Sixty-two percent of those surveyed believe their host-based security software is not effective for detecting zero-day attacks and other malware designed to bypass the software and remain stealthy on systems.
Malware researchers told CRN that the threat landscape continues to consist mostly of financial malware designed to steal account credentials and credit card data and to drain bank accounts. Although much less frequent, advanced persistent threats (APTs) out to target intellectual property are increasingly dangerous, security experts say. Both types of attacks rely on similar tactics, using social engineering techniques to target employees at the endpoint and common Web application vulnerabilities, Oltsik said.
"APTs follow a general life cycle that includes external reconnaissance, initial compromise, gaining foothold, escalating privileges, internal reconnaissance, lateral movement and data exfiltration," Oltsik said. "Security professionals should become intimately familiar with these phases so they can implement appropriate security controls for each phase and recognize anomalous behavior that may be associated with one or many phases of an attack."
In addition, the survey found that 42 percent of organizations are testing or implementing security technologies that use sandboxing technology, virtual environments where files are quickly analyzed before being passed on to the end user. More than half of survey respondents said additional layers of endpoint security software would be added to detect and contain zero-day threats.
Organizational changes also are being made at some organizations, according to the study. About 39 percent of those surveyed said a group of security analysts dedicated to malware intelligence and analysis was created at their organization. About 31 percent of businesses invested in incident detection and response services.
"Evidently when it comes to malware detection and remediation, many enterprises don't know what to look for," Oltsik said. "While security professionals understand the basic concepts about malware, the [Enterprise Strategy Group] research indicates that a large number are unfamiliar with advanced malware properties."
PUBLISHED JULY 25, 2013