The Ponemon Institute published a report called The Cost of Malware Containment that reveals some interesting statistics—none of which will surprise the people in the trenches who work hard every day to protect their organizations’ networks.
Ponemon surveyed 630 IT and IT security practitioners who have responsibility for detecting, evaluating and/or containing malware infections within their organization. According to the research, organizations receive an average of nearly 17,000 malware alerts a week. Of these, fewer than 20% (3,218) are considered reliable, meaning the malware poses a genuine threat and should be investigated. And even though more than 3,200 alerts are worthy of investigation, only 4% (705) are actually investigated.
Organizations point to resource constraints and lack of in-house expertise as the reasons why so many important alerts are simply ignored.
Ponemon also reports that the time to respond to these alerts is a severe drain on an organization’s financial resources and IT security personnel. The average cost of time wasted responding to inaccurate and erroneous intelligence can average $1.27 million annually. Of course, not responding to an alert can be even more costly. The 2013 Target breach is traced back to an alert that was ignored, and so far this single event has cost hundreds of millions of dollars.
There are plenty of cyber security tools on the market that generate alerts for anomalies, signatures or blacklisted domains. The lack of notification of suspicious events is not the problem; knowing where to focus and having accurate visibility to the artifacts that truly matter is the real challenge. Security analysts need intelligent tools that cut through the clutter and lay out the entire story behind a relevant alert so that they can respond quickly and efficiently.
This is the mission LightCyber has espoused since its founding. The company claims to deliver value through the accuracy and efficiency of its attack alerts, and the proof of this claim is in real customers’ results. In a first-of-its-kind disclosure, LightCyber publishes quarterly attack detection metrics that validate what the company’s customers experience. The results for Q1 of 2016 show that LightCyber customers received, on average, 1.1 meaningful alerts per thousand endpoints per day. Obviously this is a much more manageable volume than what the security professionals self-reported in the Ponemon study, which was approximately 172 per day.
More important than reducing the volume of alerts is receiving alerts that are truly relevant. LightCyber reports that 62% of all its customers' alerts were dispositioned in a way that showed the security analysts objectively found them useful. That is, the alerts weren't ignored, whitelisted, or automatically archived without any investigation. Instead, they were escalated, resolved or closed as normal.
LightCyber's solution is in the category of behavioral attack detection. The vendor assumes that prevention technologies are porous, and that attacks will successfully get past perimeter defenses. LightCyber offers an integrated profiling solution that brings together, in a single detection domain, multiple aspects of profiling. The solution looks across the full span of network events, endpoint activities and state, and user credentials to find attacks across the attack lifecycle. The graphic