Threats report

by Mark Rowe

Newly released from Intel Security is the McAfee Labs Threats Report: December 2016. It looks into how enterprises are using security operations centers (SOCs), details 2016 developments in ransomware, and suggests how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and using that legitimacy to remain hidden as long as possible.

Vincent Weafer, Vice President of Intel Security’s McAfee Labs, said: “One of the harder problems in the security industry is identifying the malicious actions of code that was designed to behave like legitimate software, with low false positives. The more authentic a piece of code appears, the more likely it is to be overlooked. Just as 2016 saw more ransomware become sandbox aware, the need to conceal malicious activity is driving a trend toward ‘Trojanizing’ legitimate applications. Such developments place an ever greater workload on an organisation’s SOC—where success requires an ability to quickly detect, hunt down, and eradicate attacks in progress.”

State of the SOC in 2016

In mid-2016, Intel Security commissioned a primary research study to gain a deeper understanding of how enterprises use SOCs, how those SOCs have changed, and what they are expected to look like in future. Interviews with nearly 400 security practitioners across several geographies, industries, and company sizes yielded the following picture of the state of the SOC in 2016:

· Alert overload. On average, organisations are unable to sufficiently investigate 25 per cent of their security alerts, with no significant variation by country or company size.
· Triage trouble. Most respondents acknowledged being overwhelmed by security alerts, and as many as 93 per cent are unable to triage all potential threats.
· Incidents on the rise. Whether from an increase in attacks or better monitoring capabilities, 67 per cent of respondents reported an increase in security incidents.
· Cause of the rise. Of the respondents reporting an increase in incidents, 57 per cent report they are being attacked more often, while 73 per cent believe they are able to spot attacks better.
· Threat signals. The most common threat detection signals for a majority of organisations (64 per cent) come from traditional security control points, such as antimalware, firewall, and intrusion prevention systems.
· Proactive vs. reactive. The majority of respondents claim to be progressing toward the goal of a proactive and optimised security operation, but 26 per cent still operate in reactive mode, with ad-hoc approaches to security operations, threat hunting, and incident response.
· Adversaries. More than two-thirds (68 per cent) of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.
· Causes for investigation. Generic malware was the most common type of incident leading to a security investigation (30 per cent), followed by targeted malware-based attacks (17 per cent), targeted network-based attacks (15 per cent), accidental insider incidents resulting in potential threats or data loss (12 per cent), malicious insider threats (10 per cent), direct nation-state attacks (7 per cent), and indirect or hacktivist nation-state attacks (7 per cent).

Survey respondents said that the highest priority for SOC growth and investment is to improve the ability to respond to confirmed attacks, which includes the ability to coordinate, remediate, eradicate, learn, and prevent recurrences.


© 2024 Professional Security Magazine. All rights reserved.