Damballa released a new report highlighting the extent to which malware infections, such as Backoff malware, are able to bypass network prevention controls. The report reveals the ongoing challenges faced by security teams in managing a mountain of security events and the positive impact of taking measures which can identify the true positives within these alerts.
The report addresses one of the biggest challenges facing IT Security teams, that of identifying the genuine attacks – the ‘true positives’ – in amongst the mountain of security alerts. During Q3 2014, Damballa observed that the ‘noisiest’ enterprises experienced some 138,000 events in a day; a 32% increase from Q2 2014, with customers experiencing an average of 37 infected devices a day.
Encouragingly, however, researchers observed a 40% reduction in daily infections, compared with the previous quarter, amongst customers who proactively remediated assets presented as true positives – with automatic incident detection through evidence correlation, true positive confirmation and risk ranking.
During Q3 2014, in environments where POS traffic is inspected, Damballa detected a massive 57% increase in infections of Backoff from August to September and a 27% increase from September to the end of the month. Backoff, a new breed of extremely targeted POS malware, is reported to have infected 1,000 businesses including Kmart and Dairy Queen.
The increase is notable as it highlights that the malware had bypassed network prevention controls and was active, yet hidden, in the network.
This spike in POS malware activity also underscores the need for enterprises to ensure that POS traffic is visible either through a centralized network or site-to-site VPN so that advanced threat detection systems can quickly detect hidden network infections.
Brian Foster Damballa CTO comments: “Fundamentally, these figures show that prevention controls cannot stop malware infections. POS malware and other advanced threats can, and will, get through so we can’t simply build the walls around the network higher. And for security teams, faced with the trawling through a tsunami of events every day, manually correlating these to find the ‘true positives’ is simply not feasible.
He continues: “Instead, organizations need to focus on building better intelligence to know where the real threats are. The encouraging news is that automatically correlating evidence, can have a significant impact in reducing the number of infected devices within the network. We’d advise enterprises to be prepared, to get ahead by assuming that they will be compromised, and take proactive measures to be ready to remediate.”