The car alarm syndrome and the high cost of too many security alerts
Kevin Flynn, director, Product Marketing, Blue Coat
Malware infections are increasing in volume and severity. In the past twelve months alone, some of the largest and most destructive breaches of our time have occurred, earning 2014 the epithet "year of the breach." According to research conducted by the Ponemon Institute, 60 percent of the IT professionals surveyed agreed that malware infections had become more severe in the past year.
So what's different now? One of the answers is surprisingly simple.
Sophisticated attackers assume that high-value targets have deployed the latest security technology, and they have assumed so for more than a decade. Each new defense is met with malware built specifically to get around it. Like an opponent who has read your playbook and knows which plays you will run, attackers anticipate the network defenses they expect to meet and design their tools to work around them.
The tools themselves aren't the only problem. Where a tool sits in the network can render it ineffective before it is even switched on. A common misuse of sandboxing technology is to put the sandbox at the edge of the network, in front of the other protections. Some security vendors recommend this because, during a proof of concept, an edge-deployed sandbox flags an impressive volume of "threats," which appears to showcase the power of the product: the dashboard lights up and alerts pour in. What is really happening is that nothing has been filtered or categorized before reaching the sandbox, so everything from a targeted zero-day attack to a commodity virus that has had a signature for years is detonated, flagged and turned into an alarm. The known threats should never have reached the sandbox at all; cheaper upstream controls should have blocked them without costing an analyst a second of attention.
According to a recent survey by the Ponemon Institute, organizations receive an average of nearly 17,000 malware alerts in a typical week. Of that onslaught, only about 20 percent are found to be reliable and worth investigating, and only about 4 percent of the 17,000 are ever actually investigated. This flood is both dangerous and costly: threats with potentially catastrophic consequences slip through unnoticed, while the time wasted chasing inaccurate alerts costs an average of $1.27 million per organization annually.
This alarmification of security, the "car alarm" syndrome, is dangerous to businesses. It causes IT staff to lose trust in their tools and to ignore legitimate signs of a breach. Just as we tune out a car alarm going off in a parking lot, we have learned to tune out security alerts.
There are ways to reduce the number of alerts. The first is to install the sandbox correctly, behind a series of filters. Think of it as a funnel in which each stage removes the threats that are already known. The web proxy is the first line of defense, blocking requests to known malicious sites. Behind it, a content analysis layer uses whitelisting to deliver trusted files (ideally identified by hash or publisher signature rather than by file name) and anti-malware signature databases to block known malicious files. Only a file that survives all of that filtering is handed to the sandbox for analysis. Even then the design is not finished: a feedback mechanism is needed so that what the sandbox learns about newly discovered malware (file hashes, hosts, URLs) is sent back upstream to the proxy and content filters, so the next copy is blocked cheaply and never reaches the sandbox again. This filtering cuts the alert volume and the false-positive rate, restores trust in the security stack, and gives IT staff the time and the context they need to investigate the threats that are actually new.
Instead of hearing alarms going off across a sea of parked cars with no way of knowing whether it is your car being stolen, what you want is a targeted alert sent to your smartphone, with the ability to remotely kill the ignition.
Ponemon's study puts a clear number on the car alarm syndrome, which is now a common condition and a frequent reason that the warning signs of a data breach go ignored.
To limit your number of alerts and reduce false positives, here are some tips on deploying a sandbox solution:
- Don't put the sandbox at the network edge.
Place filters in front of it. The goal is to cut the number of alerts and to score the ones that remain, so that only relevant threats are flagged and the most dangerous ones for your environment get the attention they deserve.
- Replicate your environment.
Sophisticated attacks against high-value targets aren't designed merely to corrupt a stock operating system. They target custom applications and look for specific files, and they may do nothing at all on a generic image that doesn't look like the victim. Your sandbox needs to replicate your gold images, and you need to be able to update those images as often as the real ones change.
- Deal with encrypted traffic.
You have to be able to inspect encrypted traffic while staying within privacy laws, regulations and policy. Policy-based decryption makes that possible: an employee's encrypted session with a doctor or bank can be left untouched, while an encrypted command-and-control tunnel to a botnet can be decrypted and identified. Note that inspecting TLS this way requires the proxy's signing CA to be trusted by managed endpoints, and applications that pin certificates will need explicit exemptions.
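The funnel described earlier (proxy, then content analysis, then sandbox, with results fed back upstream) and the first two tips above can be seen working in a small model. The following is an added example, not code from the article or from Blue Coat's products. All hosts, file hashes and sandbox verdicts are constructed for the illustration; the "sandbox" is a lookup of those constructed verdicts standing in for real detonation. The same day of traffic is run twice, once with the sandbox at the edge and once behind the filters, to show how the alert count and the ranking of what remains change.

```python
"""Toy model of the filter-then-sandbox funnel described above.

All hosts, hashes and sandbox verdicts are constructed for illustration;
none refers to a real site or real malware.
"""
from dataclasses import dataclass, field


@dataclass
class Download:
    host: str       # site the file was fetched from
    sha256: str     # file hash (constructed placeholder, not a real digest)
    filename: str


@dataclass
class Funnel:
    proxy_blocklist: set = field(default_factory=set)     # known-bad hosts
    file_allowlist: set = field(default_factory=set)      # trusted file hashes
    signature_db: set = field(default_factory=set)        # known-bad file hashes
    sandbox_verdicts: dict = field(default_factory=dict)  # stands in for detonation
    log: list = field(default_factory=list)               # what each stage did

    def detonate(self, d: Download):
        """Stand-in for the sandbox: a real one would run the file on a replica
        of the gold image. Here a constructed (verdict, score) is looked up."""
        return self.sandbox_verdicts.get(d.sha256, ("clean", 0))

    def sandbox_at_edge(self, downloads):
        """Sandbox in front of everything: every file is detonated and every
        non-clean verdict becomes an alert, whether the threat is known or not."""
        alerts = []
        for d in downloads:
            verdict, score = self.detonate(d)
            if verdict != "clean":
                alerts.append((d.sha256, score, verdict))
        return sorted(alerts, key=lambda a: -a[1])

    def sandbox_behind_filters(self, downloads):
        """Proxy -> content analysis -> sandbox, with results fed back upstream."""
        alerts = []
        for d in downloads:
            if d.host in self.proxy_blocklist:
                self.log.append(("proxy-block", d.host))
                continue
            if d.sha256 in self.file_allowlist:
                self.log.append(("allowlist-deliver", d.sha256))
                continue
            if d.sha256 in self.signature_db:
                self.log.append(("signature-block", d.sha256))
                continue
            verdict, score = self.detonate(d)  # only unknown files get this far
            if verdict == "clean":
                self.log.append(("sandbox-clean", d.sha256))
                continue
            alerts.append((d.sha256, score, verdict))
            # Feedback loop: the next copy is blocked upstream, never detonated again.
            self.signature_db.add(d.sha256)
            self.proxy_blocklist.add(d.host)
            self.log.append(("sandbox-alert", d.sha256))
        return sorted(alerts, key=lambda a: -a[1])  # highest score first


def build_funnel() -> Funnel:
    return Funnel(
        proxy_blocklist={"evil.example"},
        file_allowlist={"h-corp-installer"},
        signature_db={"h-old-virus"},
        sandbox_verdicts={  # constructed detonation results
            "h-known-worm": ("malicious", 80),
            "h-old-virus": ("malicious", 70),
            "h-corp-installer": ("suspicious", 40),  # legit installer looks "suspicious"
            "h-zero-day": ("malicious", 95),
            "h-adware": ("suspicious", 30),
        },
    )


SAMPLE_DOWNLOADS = [  # constructed traffic for one day
    Download("evil.example", "h-known-worm", "invoice.exe"),
    Download("updates.example", "h-corp-installer", "setup.msi"),
    Download("files.example", "h-old-virus", "game.exe"),
    Download("cdn.example", "h-zero-day", "report.pdf"),
    Download("docs.example", "h-benign", "notes.docx"),
    Download("ads.example", "h-adware", "toolbar.exe"),
    Download("cdn.example", "h-zero-day", "report2.pdf"),  # second copy of the zero-day
]


def compare():
    """Return (edge alerts, funnel alerts, funnel) for the same traffic."""
    f = build_funnel()
    edge = f.sandbox_at_edge(SAMPLE_DOWNLOADS)  # does not change any list
    funnel = f.sandbox_behind_filters(SAMPLE_DOWNLOADS)
    return edge, funnel, f


if __name__ == "__main__":
    edge, funnel, f = compare()
    print(f"edge placement: {len(edge)} alerts -> {edge}")
    print(f"behind filters: {len(funnel)} alerts -> {funnel}")
    for entry in f.log:
        print(" ", entry)
```

With the sandbox at the edge, the seven downloads produce six alerts, including one for the allowlisted corporate installer and two for the same zero-day. Behind the filters the same traffic produces two alerts, ranked with the zero-day first, and the second copy of the zero-day is stopped at the proxy because the first detonation fed its host back upstream.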