Rising Tide Of Malware Alerts Proving Costly, Study Finds

Poorly implemented, configured and maintained "next-generation" security appliances designed to detect advanced threats have left security teams swept away in a tidal wave of malware alerts, according to a new study.

The alert noise level is proving costly, according to the Ponemon Institute, which estimates that the time wasted responding to inaccurate and erroneous intelligence costs an organization an average of $1.27 million annually. The Ponemon study, commissioned by security vendor Damballa, surveyed 630 IT and IT security practitioners in the U.S. who are familiar with their organization's practices for containing malware infections.

Only one in five malware alerts deemed reliable is investigated, survey respondents said: an organization typically investigates fewer than one-quarter of the more than 3,000 reliable threat alerts it receives in a typical week. Part of the problem is a lack of skilled IT staff to identify threats, but the study found organizations are also chasing down false positives and false negatives, wasting an average of 395 hours each week.

"This suggests that participating organizations do not have the resources or in-house expertise to detect or block serious malware," the study found.

Forty percent of survey respondents indicated that no one person or function is accountable for the containment of malware. Many organizations have ticket systems that automate the process of notifying system administrators of an infected workstation, laptop or other device. It has become commonplace for organizations to simply wipe the system clean and re-image it, said Jamie Murdock, chief information security officer at Hudson, Ohio-based managed security services provider Binary Defense Systems. The Ponemon study estimated that in a typical week an organization receives an average of nearly 17,000 malware alerts, a figure that Murdock said seems high.

A well-maintained security information and event management (SIEM) system should push out only about 50 valid malware alerts per week to a security operations center on average, Murdock said. Most threats are pushed to desktop support or another administrator to be remediated, he said.

"You need to baseline the technology to see what is normal and tune out the false positives," Murdock said. "If you are not going to put the resources to pruning and grooming your SIEM, then it is not going to do much for you."

Many of the 17,000 alerts cited in the study are likely associated with threats identified by antivirus, adware, the installation of browser toolbars and other relatively innocuous issues that don't need a lot of investigating, said Rick Doten, a former CISO who is now chief of cyber and information security at Arlington, Va.-based consultancy Crumpton Group.

"This is why it's important in your incident response process to have a triage or prioritization of things that might hurt the organization the most," Doten said, adding that having a skilled staff matters the most. "There are things that computers do well and things that humans do well. Humans understand the business context and can determine what needs immediate triaging."
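Murdock's advice to baseline the SIEM and tune out false positives, and Doten's point that triage must weigh business context, can both be shown in a few lines of code. The following is an added example written for this page; it is not code from the article, from Ponemon, Damballa, Binary Defense Systems or Crumpton Group. The rule names, baseline volumes, asset criticality scores, thresholds and the week of sample alerts are all constructed for illustration.

```python
"""Added example: route a week of SIEM alerts using a per-rule baseline
(what volume is "normal") and business context (asset criticality).
All rules, hosts, baselines, thresholds and alerts are constructed."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str      # detection rule that fired
    host: str      # asset the alert concerns
    severity: int  # 1 (informational) .. 5 (critical), as set by the SIEM


# Constructed baseline: typical weekly firings per rule, measured over a
# quiet period before tuning. Hygiene rules fire thousands of times a week;
# rules tied to active intrusion almost never fire.
BASELINE_PER_WEEK = {
    "av_quarantine": 4000,
    "browser_toolbar": 3000,
    "adware_install": 2500,
    "c2_beacon": 2,
    "lateral_smb": 5,
}

# Constructed asset criticality (1 = disposable workstation, 5 = crown jewel).
# This is the business context that only humans can supply.
ASSET_CRITICALITY = {"dc01": 5, "fin-srv": 5, "ws-101": 1, "ws-102": 1, "lab-03": 2}

ROUTINE_THRESHOLD = 100  # a rule whose baseline exceeds this is routine hygiene
SPIKE_FACTOR = 3.0       # a routine rule at 3x its baseline is no longer routine


def classify_rule(rule, observed, baseline):
    """Decide where a rule's alerts go this week: to an automated ticket
    queue, to an analyst because the rule is spiking, or to an analyst
    because the rule is rare enough that every firing deserves a look."""
    base = baseline.get(rule, 0)
    if base > ROUTINE_THRESHOLD and observed < SPIKE_FACTOR * base:
        return "automate"  # desktop-support ticket / auto re-image, no analyst time
    if base > ROUTINE_THRESHOLD:
        return "spike"     # routine noise behaving abnormally: worth investigating
    return "soc"           # low-baseline rule: straight to the analyst queue


def triage(alerts, baseline=BASELINE_PER_WEEK, criticality=ASSET_CRITICALITY):
    """Return routing decisions, the count handled without a human, and the
    deduplicated analyst queue ranked by severity x asset criticality."""
    observed = Counter(a.rule for a in alerts)
    routing = {rule: classify_rule(rule, n, baseline) for rule, n in observed.items()}
    automated = sum(1 for a in alerts if routing[a.rule] == "automate")

    # Collapse repeats: one queue entry per (rule, host), keeping the worst severity.
    queue = {}
    for a in alerts:
        if routing[a.rule] == "automate":
            continue
        key = (a.rule, a.host)
        if key not in queue or a.severity > queue[key].severity:
            queue[key] = a

    def score(a):
        spike_bonus = 2 if routing[a.rule] == "spike" else 0
        return a.severity * criticality.get(a.host, 1) + spike_bonus

    ranked = sorted(queue.values(), key=score, reverse=True)
    return {"total": len(alerts), "automated": automated,
            "analyst_queue": ranked, "routing": routing}


def sample_week():
    """Constructed week of alerts, shaped like the study's mix: mostly
    hygiene noise, one hygiene rule spiking, and a handful of real signals."""
    alerts = []

    def burst(rule, hosts, count, severity):
        for i in range(count):
            alerts.append(Alert(rule, hosts[i % len(hosts)], severity))

    burst("av_quarantine", ["ws-101", "ws-102"], 3800, 2)
    burst("adware_install", ["ws-101", "ws-102", "lab-03"], 2400, 1)
    burst("browser_toolbar", ["ws-101", "ws-102", "lab-03"], 9500, 1)  # 3x baseline
    burst("c2_beacon", ["fin-srv", "ws-101", "ws-101"], 3, 5)
    burst("lateral_smb", ["dc01"], 4, 4)
    return alerts


if __name__ == "__main__":
    result = triage(sample_week())
    print(f"{result['total']} raw alerts, {result['automated']} handled automatically,")
    print(f"{len(result['analyst_queue'])} items for an analyst, highest first:")
    for a in result["analyst_queue"]:
        print(f"  {result['routing'][a.rule]:8s} {a.rule:16s} {a.host:8s} sev={a.severity}")
```

Running it, the constructed week of 15,707 raw alerts collapses to six analyst queue items, with the beacon from the finance server and the lateral movement touching the domain controller at the top; the 6,200 routine antivirus and adware firings never reach an analyst. The baseline numbers are the part that must be measured in your own environment, which is what "pruning and grooming" the SIEM amounts to in practice.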

Organizations that have automated tools report that an average of 60 percent of malware containment does not require human input or intervention and can be handled by those tools, according to the Ponemon survey. On average, nearly 600 hours a week are spent on malware containment, the survey found. Sixty-seven percent of respondents indicated that their organization has a structured approach to malware containment, while 33 percent said malware containment was "ad hoc," meaning a mix of manual activities and automated tools.

In addition to having a skilled staff to handle the most critical alerts, threat intelligence, whether provided by security vendors or by industry peers, factors highly into judging the seriousness of malware threats and the risks they pose. Government and law enforcement are rarely the source of that intelligence, the survey found.

Binary Defense Systems' Murdock said that while threat intelligence feeds are gaining attention, the most valuable threat intelligence is typically tailored to an organization's own industry. It provides insight into hacker forums and other underground criminal chatter that can be invaluable to CISOs. Such intelligence often provides information about threats, zero-day attacks and indicators of compromise ahead of the email lists run by industry-specific Information Sharing and Analysis Center (ISAC) groups.

"A CISO can provide an increased level of protection by addressing known attack vectors associated with a new threat in their industry vertical," Murdock said. "Threat indicators are something that is actionable if it is deemed a serious risk to the organization."