Malicious actors that resemble approved users pose serious threats because they do not set off security alerts, according to the findings of Rapid7's 2015 Incident Detection and Response survey. Additionally, security information and event management (SIEM) tools were insufficient to detect compromised credentials, according to the study, which garnered feedback from 271 security professionals from around the world.
Nine in 10 respondents (90 percent) are concerned about the risks of compromised credentials, with 60 percent admitting that they have difficulty catching credential attacks today, according to the study.
Why is it so difficult for most organizations to detect credential-related attacks? A lot has to do with how most security technologies are engineered.
"For over a decade, most detection solutions have focused on malware that's known—they're not built to look for a malicious actor that looks like an approved user," Matthew Hathaway, senior manager, platform development, at security specialist Rapid7, told eWEEK. "From phishing to maliciously accessing a database, attackers take a great deal of actions that fail to trigger alerts because, in isolation, they appear legitimate."
Another surprising finding concerned the use of SIEM technology, which security professionals often recommend as a tool to help track what is happening in an enterprise.
"The survey respondents made it clear that simply deploying a SIEM is not enough to detect compromised credentials," Hathaway said.
According to the survey, 52 percent of respondents have a SIEM deployed, though only 40 percent indicated that they had the ability to detect credential attacks. Hathaway added that the survey results have led Rapid7 to infer that SIEM tools aren't necessarily alleviating security professionals' fears about compromised credentials.
One reason SIEM technology might not be finding credential attacks properly is tied to the finding that not all organizations are monitoring user directory technologies, including Microsoft Active Directory and LDAP (Lightweight Directory Access Protocol). The survey found that only 52 percent of respondents are using their SIEM deployments to monitor Active Directory.
One reason more organizations aren't using a SIEM to monitor Active Directory is that collecting logs from it isn't always a simple task, Hathaway said.
Credential attacks aren't the only visibility gap reported by the Rapid7 survey—the cloud also is an area of concern: 59 percent of respondents indicated that their organizations don't have visibility into cloud services. A common way that organizations gain visibility into the use of cloud services is through the use of cloud access security broker (CASB) technologies. The CASB market was a hot one in 2015, with Blue Coat acquiring CASB vendor Elastica for $280 million and IBM launching its Cloud Security Enforcer CASB technology. The Rapid7 survey did not ask respondents if they are using a CASB technology, and Hathaway doesn't see it as the answer to credential misuse in the cloud either.
"While CASB does provide cloud services visibility, it does not solve the issue of compromised credentials," Hathaway said. "If someone is on your network with valid credentials for one of your employees, they would still be able to access your organization's data over a CASB."
Hathaway expects that, over the course of 2016, organizations will look to user behavior-based solutions for incident detection and response. "We also anticipate that more organizations will think about how they use their SIEMs strategically and will call into question whether or not they're really meeting the needs of their modern environments," Hathaway said.
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.