FireEye: SMBs Caught In Crosshairs As Attackers Get More Sophisticated
Cybercriminal organizations behind many high-profile credit card breaches are becoming increasingly sophisticated and beginning to use advanced countermeasures to foil forensics investigators, according to Kevin Mandia, senior vice president and chief operating officer of FireEye and founder and CEO of Mandiant. FireEye acquired Mandiant for about $1 billion last December and has been integrating its services capabilities while maintaining a channel go-to-market strategy.
"Attackers are elevating their game," said Mandia, speaking to hundreds of attendees of the company’s annual MIRCon 2014 user conference in Washington, D.C. "They're more consistent in counter-forensics, in covering their tracks."
The attacks have elevated information security to a boardroom issue at most organizations, said Mandia, telling attendees that boards are increasingly planning to withstand third-party inspection from investors, business partners and the public. The two-day conference explores threat detection, malware analysis and incident response.
Small and midsize businesses, many of them interconnected with other business partners and service providers, are being increasingly targeted and breached. Mandia and other executives say organizations need to be in a position to investigate and contain threats quickly and have enough context to identify the scope of an incident. Far too many organizations don't have a clear picture of the assets that were exposed and the full extent of the breach before they disclose it to the public, Mandia said.
In addition to detection, FireEye executives see growth in incident response, malware analysis and threat intelligence services. A recent FireEye analysis of 1,217 companies found 97 percent of them showing evidence of a data breach. Three-quarters of the organizations were targeted by attackers using customized exploits. Many of the breaches lasted 229 days on average and were uncovered by law enforcement, a business partner or another third party, and it took 30 days or more to fully remediate a threat once it was detected.
FireEye partners say interest continues to be high for the company's appliances, virtualized platforms designed to be deployed in-line within the organization and examine suspicious files to identify advanced threats. Next-generation firewalls, breach detection platforms and other network security gear have created a significant need for skilled solution providers to maintain them and provide security services, said Terry Kurzynski, a senior partner at Chicago-based solution provider and FireEye partner Halock Security Labs. Halock focuses on conducting forensics investigations and recently started a service arm to monitor and maintain FireEye appliances. Organizations of all sizes are having trouble combing through alerts and identifying the most significant ones that need immediate attention, Kurzynski said.
"It's still a very big problem and not something that is going to be immediately solved," said Kurzynski of the lack of mature incident response processes at organizations. Businesses lack the funds to attract and retain skilled IT talent that can spot threats from within the "noise," he said.
Organizations have many layers in place but they have created complex environments with multiple manufacturers and myriad technologies that are not fully integrated and capable of detecting advanced threats, said Dave DeWalt, CEO of FireEye, speaking to attendees to kick off the two-day conference.
"When you look at some of the biggest banks, governments and companies, the money they spend is not directly proportional to how secure they are," DeWalt said.
DeWalt highlighted the company's new partnership with Singapore Telecommunications, enabling FireEye to establish security operations centers in Australia and Singapore. SingTel will sell FireEye gear and provide managed defense services, including incident response, in the region.
Most organizations maintain a tools-based program in which they have a firewall, an intrusion prevention and detection system and antivirus running, according to Mandia. Organizations in regulated industries add an integrated framework, a list of security controls and personnel assigned to ensure they are in place to validate compliance to auditors, he said.
Organizations that have gone beyond documenting mandatory compliance controls are building a dynamic defense, Mandia said. At this stage, the company is aware of its weaknesses, is actively monitoring the gaps in place and is using threat intelligence to address potential threats as they are identified.
"You are actively hunting for compromise," Mandia said. "You have people that can really do that and recognize compromise when they see it."
PUBLISHED OCT. 7, 2014