Most infosec teams overwhelmed by security alerts, says report

There’s no slowing down of the number of threats CISOs face, so it should be no surprise that the number of alerts infosec team members have to deal with are soaring as well. However, according to a new McAfee Labs survey, they’re having trouble keeping control.

“Most organizations are overwhelmed by alerts,” says the report released Tuesday, with 93 per cent of respondents saying they are unable to triage all relevant threats.

On average, respondents said they were unable to sufficiently investigate 25 per cent of their alerts, with no significant variation by country or company size. Almost one quarter (22 per cent) feel that they were lucky to escape with no business impact as a result of not investigating these alerts. The majority (53 per cent) reported only minor impact, but 25 per cent said they have suffered moderate or severe business impact as a result of uninvestigated alerts.

The largest organizations surveyed, perhaps because of their better monitoring capabilities and stable incident levels, were more likely to report no business impact (33 per cent).

The survey interviewed almost 400 security practitioners across several industries company sizes and geographies, including Canada.

Of the respondents reporting an increase in incidents, 57 per cent said they are being attacked more often, while 73 per cent the increase is because they are able to spot attacks better.

Almost 70 per cent used a SIEM (security information and event management suite. Those organizations using external managed security service providers (MSSPs) were highly likely (93 per cent) to have those services involved with the SIEM in some way.  Most (71 per cent) ask the MSSP to run day-to-day SIEM operations. Almost half (45 per cent) of companies without a SIEM intend to deploy the functionality within the next 12 to 18 months.

The majority of organizations (55 per cent) said firewall logs are the primary source used for advanced threat detection and investigation, followed by endpoint logs (34 per cent) and system logs (32 per cent).

Organizations have to improve their ability to detect signals of potential attacks — perhaps through analytics — concludes the report, as well as improve the ability to investigate potential attacks, including scoping the full extent and impact of an attac

The survey was part of McAfee’s quarterly threat report.

To back up the probability that 2016 will be remembered as the year of ransomware, the report notes that through the end of Q3 the number of new ransomware samples this year totaled over 3,8 million, an increase of 80 per cent since the beginning of the year.

The report also notes that Trojanized legitimate software is on the rise. These Trojans hunt for  backdoor access to systems which infect legitimate code and hide, hoping to go unnoticed as long as possible to maximize payouts. Inserted code can be streamlined toward the desired payload, “which can be an Achilles heel for defenses that are ill equipped to cope with such attacks,” says the report.

This largely accounts the rapid growth of Android malware in copycat apps, says the report. McAfee notes that one security vendor reported Trojanized adware masquerading as 20,000 popular apps. McAfee’s data shows this number has ballooned to nearly 700,000 in less than a year. Binary patching programs have emerged in the last couple of years to simplify the process of adding payloads to already compiled applications., the report adds. with kits such as AndroRat and Dendroid are responsible for tens of thousands of copycat Android apps concealing malicious payloads.

It is still commonplace for update servers to deliver binaries over insecure HTTP connections, McAfee notes.

End users should use a virtual private network (VPN) — some of which are free —  when connecting to an untrusted network, says McAfee. Meanwhile administrators should keep security software up to date and rely on strong indicators of trust rather than those potentially forged in an attack. Behavioral monitoring, web and IP reputation, memory scanning, and application containment should also be considered.

“The problem of Trojanized legitimate applications is likely to get worse before it gets better,” it concludes

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now