For each complex, sophisticated breach like Sony dominating the headlines, there are thousands more simple breaches that never make the press. The sad fact is that an attacker doesn’t need to be highly sophisticated or backed by a government to breach the average organization. Of the 1,367 data breaches studied in the 2014 DBIR report, only 22% of breaches can be attributed to espionage activity. Only 8% of breaches involve insiders. Even unsophisticated web application attacks and commodity crimeware regularly breach organizations. It’s tragically easy for an attacker to obtain malware and exploits that aren’t detected by most antivirus or IDS software, and can communicate through most firewall products. Expensive malware sandbox products are marginally better, but even they regularly fail to catch malicious files. Despite companies buying ever more complex and expensive security products, the majority of breaches are still detected by third parties, not the victim company. The 2014 DBIR report points out that even in the case of commodity crimeware infections, 84% of companies were notified of their breach by a third party, not their expensive security products.
All of this has been well known for years and forms the beginning of almost every security sales webinar. Despite this, those sales webinars continue to pitch marginally improved versions of the same signature-based products that fail to detect modern malware and heuristic-based products that generate too many alerts, which take too long to validate. Understaffed incident response teams are overwhelmed trying to keep up with the constant flood of alerts and have no time to devote to hunting for strange activity that could indicate compromise.
The sad truth is that there is no magic box for sale that will solve all of a company’s security problems. It’s not possible to reach security nirvana by buying the right combination of products. The number of attacks being constantly launched guarantees that every organization will be breached; it’s only a matter of when. Hardening an environment and properly deploying security products can help mitigate risk if there is a good team able to respond. Beyond that, more organizations are beginning to realize the value of making sure their incident response team has the time and ability to investigate anomalies throughout their network. Although every network will have odd activity from misconfigurations or unusual behavior, hidden among these anomalies will be traces of attacker behavior. Finding them faster could make the difference between a quietly resolved incident and an expensive data loss.