An analysis conducted by FireEye’s Mandiant Security Validation team revealed that only a small percentage of attacks generate alerts and many intrusions are not detected by security solutions.
The 2020 Mandiant Security Effectiveness Report is based on attack simulations targeting enterprise production environments across 11 sectors. The tests covered 123 security technologies and the targeted environments support more than 900 million consumers.
During the tests conducted by Mandiant, only 9% of attacks generated security alerts, and 53% of successful intrusions remained undetected. Just over a quarter of attacks were detected after the infiltration was successful, and only 33% of breaches were prevented by existing security tools.
The cybersecurity firm’s experts determined that in many cases security tools are not optimized, which can result from unchanged default configurations, security events never reaching the security information and event management (SIEM) solution, unexpected infrastructure changes, a lack of tuning and tweaking after deployment, and the inability to enforce testing of controls.
Mandiant researchers found that only 4% of reconnaissance activity generated an alert, and testing against ransomware and infiltration attempts showed that in over two-thirds of cases security controls did not prevent or detect detonation of the threat, with alerts being generated only in 7% of cases.
Moreover, 65% of the time security tools were unable to detect or prevent attempts to bypass policies, with alerts generated only 15% of the time. Malicious file transfers were detected only 29% of the time and prevented 37% of the time; nearly half of the attempts were missed and fewer than a quarter generated an alert.
No alert was generated in 97% of the tests focusing on command and control activities, and 39% of these attempts were missed by security solutions. The situation is similar when it comes to lateral movement.
In one example shared in the report, a Fortune 500 company discovered that while its security solutions did detect events, data about those events never reached the SIEM: the data was sent over UDP rather than TCP, and a misconfigured load balancer dropped all UDP traffic. In another example, an insurance firm’s security tools were misconfigured and allowed over one-third of malicious file transfer attempts, and the attempts that were blocked did not trigger any alerts in the SIEM.
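The failure mode in the load-balancer case above, and the broader point earlier in the article that events often never reach the SIEM, can be caught by reconciling what the forwarders report sending against what the SIEM reports ingesting. The following is an added example written for this page, not code from Mandiant or from the report; the event fields, the canary naming convention, the 5% loss threshold and all sample data are constructed assumptions.

```python
"""
Added example (not from the Mandiant report or the article): reconcile the
events a sensor forwarder says it sent with the events the SIEM's ingest log
says it received, so that a silent drop in the forwarding path (such as a
load balancer discarding UDP syslog) surfaces as a telemetry gap instead of
being mistaken for "no alerts, therefore no attacks".
All data below is constructed; field names and thresholds are assumptions.
"""
from collections import defaultdict
from typing import Callable, Dict, Iterable, List, NamedTuple


class Event(NamedTuple):
    event_id: str      # unique id stamped by the sensor
    source: str        # emitting host or sensor
    transport: str     # "udp" or "tcp" syslog forwarding (assumed field)


# Constructed: what the forwarders report having sent in one window.
SENSOR_SENT: List[Event] = [
    Event("e1", "edr-host-01", "udp"),
    Event("e2", "edr-host-01", "udp"),
    Event("e3", "edr-host-02", "udp"),
    Event("e4", "fw-edge-01", "tcp"),
    Event("e5", "fw-edge-01", "tcp"),
    Event("e6", "proxy-01", "tcp"),
    Event("canary-1", "validator", "udp"),   # synthetic heartbeat event (assumed convention)
    Event("canary-2", "validator", "tcp"),   # synthetic heartbeat event (assumed convention)
]

# Constructed: what the SIEM's ingest log shows for the same window.
# Every UDP-carried event is absent, mirroring the load-balancer case.
SIEM_RECEIVED: List[Event] = [
    Event("e4", "fw-edge-01", "tcp"),
    Event("e5", "fw-edge-01", "tcp"),
    Event("e6", "proxy-01", "tcp"),
    Event("canary-2", "validator", "tcp"),
]


def missing_events(sent: Iterable[Event], received: Iterable[Event]) -> List[str]:
    """IDs that left a sensor but never appeared in the SIEM."""
    got = {e.event_id for e in received}
    return [e.event_id for e in sent if e.event_id not in got]


def loss_by_key(sent: Iterable[Event], received: Iterable[Event],
                key: Callable[[Event], str]) -> Dict[str, float]:
    """Fraction of sent events lost, grouped by key(event), e.g. transport or source."""
    got = {e.event_id for e in received}
    sent_n: Dict[str, int] = defaultdict(int)
    lost_n: Dict[str, int] = defaultdict(int)
    for e in sent:
        k = key(e)
        sent_n[k] += 1
        if e.event_id not in got:
            lost_n[k] += 1
    return {k: lost_n[k] / sent_n[k] for k in sent_n}


def assess_pipeline(sent: List[Event], received: List[Event],
                    max_loss: float = 0.05) -> List[str]:
    """Return human-readable findings; an empty list means the pipeline looks healthy."""
    findings: List[str] = []
    # Canary check: a synthetic event that never arrives is a pipeline fault,
    # regardless of whether any real attack occurred in the window.
    got = {e.event_id for e in received}
    for e in sent:
        if e.event_id.startswith("canary-") and e.event_id not in got:
            findings.append(f"canary {e.event_id} via {e.transport} never reached SIEM")
    # Loss rate per transport and per source; a 100% loss on one transport
    # points straight at the forwarding path rather than at the sensors.
    groupings = (("transport", lambda e: e.transport), ("source", lambda e: e.source))
    for name, key in groupings:
        for k, loss in sorted(loss_by_key(sent, received, key).items()):
            if loss > max_loss:
                findings.append(f"{name}={k}: {loss:.0%} of events lost in transit")
    return findings


if __name__ == "__main__":
    for finding in assess_pipeline(SENSOR_SENT, SIEM_RECEIVED):
        print("FINDING:", finding)
```

Run as a scheduled job against real forwarder and ingest counts, the canary check alone is enough to notice a dead transport within one interval; the per-transport and per-source breakdown then tells the operator whether to look at a network hop (every source on one transport affected) or at an individual sensor.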
“Every organization wants reliable data that tells them if their security investments are delivering real value and protecting them from becoming the next major cyber-attack headline,” said Chris Key, senior VP at Mandiant Security Validation. “Our research shows that while the majority of companies assume they’re protected, the truth is that more often than not, they are exposed.”
The Mandiant Security Effectiveness Report 2020 also provides guidance on how organizations can continuously validate the effectiveness of their cybersecurity solutions.