Real-time security information and event management (SIEM) solutions are helping organizations detect targeted attacks and advanced persistent threats (APT) within minutes, according to a survey released by McAfee on Tuesday.
McAfee worked with Evalueserve – which in August surveyed 473 IT decision makers from companies in the U.S., UK, Germany, France and Australia that have more than 50 employees – and found that 78 percent of organizations able to detect targeted attacks within minutes are using a real-time SIEM solution.
While 57 percent of companies able to detect targeted attacks within minutes – referred to in the survey as ‘agile organizations’ – experienced 10 or fewer attacks last year, 12 percent of agile organizations investigated more than 50 incidents last year, the survey indicates.
“Basically, detecting within minutes seems to drop the majority of companies down to investigating fewer events, or it gives you better weaponry as you fight more events,” Barbara Kay, senior director of Security Connected solutions, told SCMagazine.com in a Tuesday email correspondence. “My take is that it isn't a panacea. If you have valuable assets, you still get targeted.”
Of those surveyed, 74 percent of respondents said they are highly concerned about their ability to handle targeted attacks and APTs, and 52 percent of those least concerned about attacks are using a real-time SIEM solution, according to the study.
Furthermore, the survey shows that organizations most effective at detecting attacks are focusing on several key indicators, including unusual alert patterns, suspicious outbound traffic, and unexpected internal traffic.
These indicators allow a higher degree of precision and confidence in risk assessment, Kay said, explaining they fall into two categories: communication traffic – coming in, within the network, or leaving – and aggregated system events.
“None is based on a simple binary test for good [or] bad,” Kay said. “Most rely on some degree of baselining or timelining. It can be a baseline against good practice (don't let your DMZ talk to your internal hosts), or against a timeline (multiple infections within a workgroup that holds sensitive data), which is a different way of defining a baseline of normal. This is an important way to differentiate determined from opportunistic attacks.”
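The two kinds of check Kay describes, a baseline rule (DMZ hosts must not talk to internal hosts) and a timeline rule (several infections inside a workgroup that holds sensitive data within a short period), written out as small correlation functions over a constructed batch of flow and alert records. This is an added illustration, not code from the article, McAfee or any SIEM product; the address ranges, hostnames, threshold and window length are assumptions.

```python
from ipaddress import ip_address, ip_network

# Assumed network layout and workgroup membership (constructed for this example).
DMZ = ip_network("10.10.0.0/24")
INTERNAL = ip_network("10.20.0.0/16")
SENSITIVE_WORKGROUP = {"fin-ws-01", "fin-ws-02", "fin-ws-03", "fin-ws-04"}

# Constructed sample records: netflow-style flows and endpoint alerts (ts = epoch seconds).
FLOWS = [
    {"ts": 1000, "src": "10.10.0.5", "dst": "203.0.113.7"},  # DMZ -> internet, expected
    {"ts": 1010, "src": "10.20.3.4", "dst": "10.10.0.5"},    # internal -> DMZ, allowed
    {"ts": 1020, "src": "10.10.0.5", "dst": "10.20.3.4"},    # DMZ -> internal, violates baseline
]
ALERTS = [
    {"ts": 5000, "host": "fin-ws-01", "sig": "malware"},
    {"ts": 5600, "host": "hr-ws-09", "sig": "malware"},      # outside the sensitive workgroup
    {"ts": 6200, "host": "fin-ws-02", "sig": "malware"},
    {"ts": 7900, "host": "fin-ws-03", "sig": "malware"},
    {"ts": 20000, "host": "fin-ws-04", "sig": "malware"},    # hours later, outside any window
]


def dmz_to_internal(flows):
    """Baseline-against-good-practice rule: any DMZ -> internal flow is a finding."""
    return [f for f in flows
            if ip_address(f["src"]) in DMZ and ip_address(f["dst"]) in INTERNAL]


def workgroup_infections(alerts, threshold=3, window=3600):
    """Timeline rule: at least `threshold` distinct sensitive hosts alerting within
    `window` seconds. Returns (window_start, sorted hosts) for the earliest such
    window, or None if the pattern never appears."""
    hits = sorted((a["ts"], a["host"]) for a in alerts
                  if a["host"] in SENSITIVE_WORKGROUP)
    for start, _ in hits:
        hosts = {h for t, h in hits if start <= t < start + window}
        if len(hosts) >= threshold:
            return start, sorted(hosts)
    return None


if __name__ == "__main__":
    for f in dmz_to_internal(FLOWS):
        print("baseline violation: DMZ host %s reached internal host %s" % (f["src"], f["dst"]))
    print("workgroup timeline finding:", workgroup_infections(ALERTS))
```

A single DMZ-to-internal flow trips the baseline rule on its own, while the timeline rule needs three distinct hosts inside one hour, so the isolated alert on fin-ws-04 hours later does not add to the finding.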