
Most Attacks Don’t Generate Security Alerts: Mandiant

An analysis conducted by FireEye’s Mandiant Security Validation team revealed that only a small percentage of attacks generate alerts and many intrusions are not detected by security solutions.


The 2020 Mandiant Security Effectiveness Report is based on attack simulations targeting enterprise production environments across 11 sectors. The tests covered 123 security technologies and the targeted environments support more than 900 million consumers.

During the tests conducted by Mandiant, only 9% of attacks generated security alerts, and 53% of successful intrusions remained undetected. Just over a quarter of attacks were detected after the infiltration was successful, and only 33% of breaches were prevented by existing security tools.

The cybersecurity firm’s experts determined that in many cases security tools are not optimized. The causes they cite are unchanged default configurations, security events that never reach the security information and event management (SIEM) solution, unexpected infrastructure changes, a lack of tuning after deployment, and the absence of any mechanism for enforcing regular testing of the controls.

Mandiant researchers found that only 4% of reconnaissance activity generated an alert, and testing against ransomware and infiltration attempts showed that in over two-thirds of cases security controls did not prevent or detect detonation of the threat, with alerts being generated only in 7% of cases.

Moreover, 65% of the time security tools were unable to detect or prevent attempts to bypass policies, with alerts generated only 15% of the time. In the case of malicious file transfers, they were only detected 29% of the time and prevented 37% of the time, but nearly half of attempts were missed and less than a quarter generated an alert.

No alert was generated in 97% of the tests focusing on command and control activities, and 39% of these attempts were missed by security solutions. The situation is similar when it comes to lateral movement.

In one example shared in the report, a Fortune 500 company discovered that while events were detected by its security solutions, data about these events never reached the SIEM: the events were forwarded over UDP rather than TCP, and a misconfigured load balancer in the path dropped all UDP traffic. Because UDP provides no delivery acknowledgement, the sending tools had no indication that anything was lost. In another example, an insurance firm’s security tools were misconfigured and allowed over one-third of malicious file transfer attempts, and the attempts that were blocked did not trigger any alerts in the SIEM.
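The two failure modes above, detections that never reach the SIEM and blocks that raise no alert, are only visible if the pipeline is tested end to end. The following is an added example, not code from the report, Mandiant or SecurityWeek: a transport canary that emits a uniquely tagged syslog event over UDP and over TCP and then checks whether the SIEM indexed it. The SIEM is an in-memory stub constructed for the example, and its `forward_udp` flag is an assumption that models a load balancer that silently drops UDP; in production the last step would be a search of the real SIEM for the canary id.

```python
"""Added example: a SIEM transport canary. The stub SIEM, the forward_udp
flag and the canary format are constructed for this illustration."""
import socket
import socketserver
import threading
import time
import uuid
from datetime import datetime, timezone


class CanaryStore:
    """Stands in for the SIEM index: records the canary ids it has ingested."""

    def __init__(self) -> None:
        self._lock = threading.Lock()
        self._seen = set()

    def index(self, raw: bytes) -> None:
        for token in raw.decode(errors="replace").split():
            if token.startswith("canary="):
                with self._lock:
                    self._seen.add(token[len("canary="):])

    def has(self, canary_id: str) -> bool:
        with self._lock:
            return canary_id in self._seen


class UDPHandler(socketserver.BaseRequestHandler):
    def handle(self) -> None:
        data, _sock = self.request
        # forward_udp=False models a load balancer that drops UDP: the datagram
        # is consumed, the sender sees no error, and the SIEM never indexes it.
        if self.server.forward_udp:
            self.server.store.index(data)


class TCPHandler(socketserver.StreamRequestHandler):
    def handle(self) -> None:
        for line in self.rfile:          # one syslog line per record
            self.server.store.index(line)


class StubSiemUDP(socketserver.UDPServer):
    def __init__(self, store: CanaryStore, forward_udp: bool) -> None:
        super().__init__(("127.0.0.1", 0), UDPHandler)   # port 0: ephemeral
        self.store, self.forward_udp = store, forward_udp


class StubSiemTCP(socketserver.ThreadingTCPServer):
    daemon_threads = True

    def __init__(self, store: CanaryStore) -> None:
        super().__init__(("127.0.0.1", 0), TCPHandler)
        self.store = store


def build_canary(canary_id: str, host: str = "validator") -> bytes:
    """RFC 5424 syslog line; PRI 14 = facility user(1)*8 + severity info(6)."""
    ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
    return (f"<14>1 {ts} {host} control-validation - - - "
            f"canary={canary_id} purpose=siem-transport-check\n").encode()


def send_udp(addr: tuple, payload: bytes) -> None:
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, addr)   # returns normally even if the packet is dropped


def send_tcp(addr: tuple, payload: bytes) -> None:
    with socket.create_connection(addr, timeout=2) as s:
        s.sendall(payload)


def validate_transport(send, addr: tuple, store: CanaryStore,
                       timeout: float = 1.5) -> bool:
    """Send a uniquely tagged event, then confirm the SIEM actually indexed it."""
    canary_id = uuid.uuid4().hex
    send(addr, build_canary(canary_id))
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if store.has(canary_id):
            return True
        time.sleep(0.05)
    return False


def run_check(forward_udp: bool) -> dict:
    """Validate both transports against the stub SIEM: {'udp': bool, 'tcp': bool}."""
    store = CanaryStore()
    udp, tcp = StubSiemUDP(store, forward_udp), StubSiemTCP(store)
    for srv in (udp, tcp):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return {
            "udp": validate_transport(send_udp, udp.server_address, store),
            "tcp": validate_transport(send_tcp, tcp.server_address, store),
        }
    finally:
        for srv in (udp, tcp):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    print("UDP dropped by load balancer:", run_check(forward_udp=False))
    print("UDP forwarded correctly:     ", run_check(forward_udp=True))
```

The point of the check is that success is measured at the SIEM, not at the sender: `send_udp` returns normally in both runs, and only the search for the canary id reveals that the UDP path is dead. Run the same canary through each forwarding path on a schedule and alert when an expected id fails to appear.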


“Every organization wants reliable data that tells them if their security investments are delivering real value and protecting them from becoming the next major cyber-attack headline,” said Chris Key, senior VP at Mandiant Security Validation. “Our research shows that while the majority of companies assume they’re protected, the truth is that more often than not, they are exposed.”

The Mandiant Security Effectiveness Report 2020 also provides guidance on how organizations can continuously validate the effectiveness of their cybersecurity solutions.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
