Malware Containment Continues to Weigh Heavily on Organizations

By Sean Michael Kerner  |  Posted 2015-01-16 Print this article Print
malware containment

A new Ponemon Institute study sponsored by Damballa reports that there is an average of 16,937 malware alerts per week that enterprises receive and many ignore.

Malware is an issue that is costing enterprises approximately 395 hours a week chasing down alerts that aren't always accurate, according to a new Ponemon Institute study, sponsored by Damballa.

The study included responses from 630 surveys completed by IT and IT security professionals in the United States. The purpose of the study was to better understand the economics of malware and specifically how much time and money it takes to contain threats.

According to the report, organizations have an average of 16,937 malware alerts per week.

"Of those alerts, only 19 percent are considered to be reliable alerts, and only 4 percent are actually investigated," Larry Ponemon, head of the Ponemon Institute, told eWEEK. "That basically means that there are alerts that are not investigated."

Additionally, Ponemon noted that the respondents consider two-thirds of the time spent investigating malware security alerts to be wasted, often due to alerts that turn out to be false positives.

The study also revealed challenges in how organizations actually respond to malware and what forms of containment strategies are in place. A third of respondents indicated that their organization have an informal unstructured approach to malware containment, while only 41 percent of organizations have automated tools for dealing with malware.

Looking into the amount of resources spent, the study found that organizations spend an average of 587 hours a week containing advanced malware. Of that time, organizations spend an average of 230 hours a week cleaning and fixing, while spending 199 hours investigating malware. They also spend approximately 73 hours a week capturing intelligence and 55 hours a week evaluating intelligence. Planning accounted for 17 hours a week, and documenting represented approximately 13 hours a week.

The Ponemon analysis determined that organizations waste an average of 395 hours a week on erroneous malware alerts. If they were able to better utilize time spent on malware containment, there could be significant cost savings.

"We applied the average wage of an IT professional and multiplied that by the number or hours wasted by malware, and that results in cost savings of $1.3 million by not having people chasing things they shouldn't chase," Ponemon said.

The challenge of getting better control of malware alerts is one that Damballa's software aims to help solve. The malware containment challenge cannot be solved with humans alone—software automation is the key, Damballa CTO Brian Foster said.

"The data in the report tells me that organizations need ways to figure out how to deal with malware efficiently," Foster told eWEEK. "You need to find the issues that are the most important to deal with first and optimize your humans' time."

When it comes to malware containment, zero-day flaws need to be addressed. Foster explained that a zero-day is an attack on a vulnerability that has not yet been publicly reported or patched. Sometimes a zero-day attack will get picked up by a malware containment system, since the attack behavior can be similar to another known attack, he added.

"It all comes down to how good the rules are at finding which of the 17,000 alerts an organization sees are actually reliable," Foster said.

In many cases, breaches at organizations are the result of some kind privilege escalation flaw, where an attacker is able to get credentials of a low-level user and then elevate them for broader system access. Many attacks occur in stages, according to Foster. Attackers might use a simple malware attack that will allow for access, escalate privileges by way of a vulnerability and then deploy more malware to perform additional malicious actions.

The fact that most organizations in the Ponemon study do not have proper procedures for malware containment was not seen as a surprise.

"I'm not surprised. We do a lot of studies, and we see problems that repeat themselves," Ponemon said. "The idea that an organization can create a streamlined process sounds like good common sense, but it's probably not that easy for a lot of companies."

Moving forward, Foster said that things have to change for security to improve.

"I'm expecting … the market [to] shift more toward structure and automation," Foster said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel