The soaring cost of malware containment

“Organizations are dealing with nearly 10,000 malware alerts per week, however, only 22% of these are considered reliable, according to a new report from The Ponemon Institute, which surveyed 551 IT and IT security practitioners across EMEA.


More worryingly, only a small fraction 3.5% of all alerts, are deemed worthy of further investigation. This suggests that IT teams are struggling with the resources, or expertise, to block or detect serious malware.

“While it is true that most organizations do not have the technical expertise or the resources to manually analyse every single malware alert, most rely on a layered security approach by integrating security solutions, firewall filtering technologies, or intrusion prevention systems for malware detection and containment,” according to Catalin Cosoi, Chief Security Strategist at Bitdefender. “The 3.5 percent of malware alerts that are being analyzed could also suggest that these are actually critical alerts that have been filtered by these various security technologies and have been deemed of serious risk.”

Teams spend, on average, 272 hours each week responding to false positive cyber alerts due to erroneous or inaccurate malware alerts. This equates to an average cost of £515,964 annually, for each organization, in lost time.

Fifty-seven percent of respondents say the severity of malware infections have significantly increased (14%) or increased (43 %) in the past year. Nearly half (47 %) of respondents report that volume has significantly increased or increased in the past 12 months.

Whilst the severity of infections is rising, 23% of respondents report that they have an ad hoc approach to containment, with 38% responding that there is no one person accountable for the containment of malware.

“The cost of malware containment is not only money, but time wasted chasing after incidents and working out who, what, when, where and why,” Christopher Boyd, Malware Intelligence Analyst at Malwarebytes told Help Net Security. “Ultimately it makes no difference who did it, and companies shouldn’t waste hours sifting through Intel to discover who breached their network; the only real question is “How can we stop this happening again”. Organizations would be better served devoting time to setting up a rigorous response plan, knowing who is responsible for every aspect of a security investigation and being proactive in educating their workforce. Just one PC taken offline in an SME can result in hours of downtime; a network wide clean-up can be catastrophic when vulnerable systems and services are attacked,” Boyd concluded.


Only 37% of EMEA respondents to the Damballa-commissioned report said that their organization has automated tools that capture intelligence and evaluate the true threat driven by malware. Organizations that do have automated tools report that an average of 44% of malware containment does not require human input or intervention and can be handled by these automated tools.

Marco Cova, Lastline Labs senior researcher believes that alert fatigue is an insidious factor weakening IT security defenses and leading to costly breaches. “Without automated threat assessment, security operations drown in alerts. With the dramatic rise in the volume and severity of malware, manual, ad hoc threat prioritization has become ineffective, expensive and dangerous. In this environment, companies must deploy automated malware analysis to help IT security teams correlate and prioritize the most dangerous threats quickly and accurately.””