Survey: real-time SIEM solutions help orgs detect attacks within minutes

Real-time security information and event management (SIEM) solutions are helping organizations detect targeted attacks and advanced persistent threats (APT) within minutes, according to a survey released by McAfee on Tuesday.

McAfee worked with Evalueserve – which in August surveyed 473 IT decision makers from companies in the U.S., UK, Germany, France and Australia that have more than 50 employees – and found that 78 percent of organizations able to detect targeted attacks within minutes are using a real-time SIEM solution.

While 57 percent of companies able to detect targeted attacks within minutes – referred to in the survey as ‘agile organizations’ – experienced 10 or fewer attacks last year, 12 percent of agile organizations investigated more than 50 incidents last year, the survey indicates.

“Basically, detecting within minutes seems to drop the majority of companies down to investigating fewer events, or it gives you better weaponry as you fight more events,” Barbara Kay, senior director of Security Connected solutions, told SCMagazine.com in a Tuesday email correspondence. “My take is that it isn't a panacea. If you have valuable assets, you still get targeted.”

Of those surveyed, 74 percent said they are highly concerned about their ability to handle targeted attacks and APTs, and 52 percent of those least concerned about attacks are using a real-time SIEM solution, according to the study.

Furthermore, the survey shows that organizations most effective at detecting attacks are focusing on several key indicators, including unusual alert patterns, suspicious outbound traffic, and unexpected internal traffic.

These indicators allow a higher degree of precision and confidence in risk assessment, Kay said, explaining they fall into two categories: communication traffic – coming in, within the network, or leaving – and aggregated system events.

“None is based on a simple binary test for good [or] bad,” Kay said. “Most rely on some degree of baselining or timelining. It can be a baseline against good practice (don't let your DMZ talk to your internal hosts), or against a timeline (multiple infections within a workgroup that holds sensitive data), which is a different way of defining a baseline of normal. This is an important way to differentiate determined from opportunistic attacks.”
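
As an added illustration of the two kinds of baseline Kay describes (not part of the survey or of any McAfee product), the following Python example checks constructed flow records against a policy baseline and constructed infection alerts against a time window. The address ranges, workgroup names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Assumed layout and thresholds (constructed for this example).
DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
SENSITIVE_GROUPS = {"finance", "hr"}
WINDOW = timedelta(hours=1)
THRESHOLD = 3  # distinct infected hosts inside one window
# Constructed flow records: (timestamp, source, destination).
FLOWS = [
    ("2024-01-01T09:00:00", "192.0.2.10", "198.51.100.7"),
    ("2024-01-01T09:05:00", "192.0.2.10", "10.1.2.3"),
    ("2024-01-01T09:06:00", "10.1.2.3", "10.1.2.4"),
]
# Constructed infection alerts: (timestamp, host, workgroup).
INFECTIONS = [
    ("2024-01-01T10:00:00", "fin-01", "finance"),
    ("2024-01-01T10:10:00", "fin-01", "finance"),  # repeat alert, same host
    ("2024-01-01T10:20:00", "fin-02", "finance"),
    ("2024-01-01T10:45:00", "fin-03", "finance"),
    ("2024-01-01T08:00:00", "hr-01", "hr"),
    ("2024-01-01T12:00:00", "hr-02", "hr"),
    ("2024-01-01T17:00:00", "hr-03", "hr"),
]

def policy_violations(flows):
    """Baseline against good practice: the DMZ must not reach internal hosts."""
    return [f for f in flows
            if ip_address(f[1]) in DMZ and ip_address(f[2]) in INTERNAL]

def infection_clusters(infections):
    """Baseline against a timeline: {workgroup: hosts infected inside WINDOW}."""
    by_group = defaultdict(list)
    for ts, host, group in infections:
        if group in SENSITIVE_GROUPS:
            by_group[group].append((datetime.fromisoformat(ts), host))
    flagged = {}
    for group, hits in by_group.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # Count distinct hosts so repeat alerts on one machine do not inflate the total.
            hosts = {h for t, h in hits[i:] if t - start <= WINDOW}
            if len(hosts) >= THRESHOLD:
                flagged[group] = sorted(hosts)
                break
    return flagged

if __name__ == "__main__":
    print(policy_violations(FLOWS), infection_clusters(INFECTIONS))
```

The three `hr` alerts are spread across a working day and stay below the threshold, while the three `finance` hosts infected within 45 minutes are flagged as a cluster.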

There are factors holding back response efforts. Many companies have not activated the full potential of their existing countermeasures, Kay said, explaining that the most common risky behaviors are systems being kept at default settings or threat intelligence services not being activated.

Companies also may not capture, retain, or share relevant data, Kay said, explaining organizational silos and point product silos perpetuate data islands. Additionally, data correlations and complex rules are often required to elevate the importance of key indicators, and companies with outdated SIEM, firewall and endpoint protection may lack real-time correlation and fine-grained rules, she said.

“Successful companies are integrating data they have, adding intelligence and context (particularly time), and doing more to extract protective value from the controls they already have in house,” Kay said. “While some areas will inevitably need some performance or capability boost, the primary likely area of incremental investment is in connective tissue: infrastructure for clarity, confidence, and control across countermeasures.”

A proactive real-time SIEM can be used to “knit these components and data streams into a coherent and actionable picture,” Kay added.
