Security Experts:

SOCs Suffer Under Volume of Data, Alerts: Report

Enterprises Challenged in Ability to Adequately Investigate Security Alerts, Survey Says

A new report from McAfee highlights three key developments in cyber security during Q3 2016: Security Operations Centers (SOCs) suffered under the sheer volume of data and alerts; ransomware incidents and samples increased in volume and improved in technique; and the growth of trojanized legitimate software continued. All three are analyzed in McAfee Labs' December Threats Report (PDF) published today.

2016 has been described as the Year of Ransomware, with 3,860,603 new samples detected by the end of Q3. This is an increase of more 80% over the year.

"Beyond the leap in volume," says McAfee Labs, "ransomware exhibited notable technical advances in 2016, including partial or full disk encryption, encryption of websites used by legitimate applications, anti-sandboxing, more sophisticated exploit kits for ransomware delivery, and more ransomware-as-a-service developments."

But it's not all bad news. "This year has not been solely one of victories for cybercriminals," notes the report; "there were some notable advances on the defensive front as well, including several takedowns, keys recovered, and the advent of an anti-ransomware alliance."

Takedowns have included Shade (July) and WildFire (September); while an alliance between security vendors and law enforcement agencies led to the development of No More Ransom! Its website provides decryption tools for Chimera, Coinvault, Marsjoke, Rakhni, Rannoh, Shade, Teslacrypt, and WildFire ransomware, with the intention to add new ones as they are developed.

Furthermore, says Vincent Weafer, vice president of Intel Security's McAfee Labs, this "greater cooperation between the security industry and law enforcement, and constructive collaboration between industry rivals truly began to deliver results in taking the fight to the criminals. As a result, we expect the growth of ransomware attacks to slow in 2017."

'Trojanizing' legitimate applications, however, is likely to increase. This is the inclusion of malicious code within commonly accepted code in order to obscure the malicious intent. "The longer attacks can go unnoticed, the larger the payout," says the report. "To this end, attackers are growing more sophisticated as they endeavor to create long lasting, fully undetectable creations."

McAfee has detected several methods already being used by attackers: patching executables on-the-fly through MITM attacks; poisoning master source code, especially in redistributed libraries; and bundling clean and dirty files together using binders and joiners.

Steve Grobman, Intel Security's CTO, described how the latter might work, and how it throws extra strain on SOCs.

"Consider ransomware," Grobman told SecurityWeek. "An organization's defenses might be configured to alert the SOC responders to an act of encryption within the organization's system. The responders might get an alert and will need to consider whether it requires action. If the encryption has come from, say WinZip, then it will appear to be legitimate action with no response required. But if WinZip has been trojanized with ransomware, it will still appear to be legitimate while actually being malicious."

The difficulty in distinguishing between benign and malign is likely to increase. Just as defenders are using machine learning to automatically detect and correlate suspicious activity, McAfee expects attackers to use machine learning to develop methods to confuse the defense. 'Raising the noise floor' will be one approach, where attackers inject so much 'noise' into the system that defenses have increasing difficulty in determining good from bad. 

The intention is to increase the level of false positive alerts to such an extent that defenders might choose to lower their own detection level to what can realistically be handled -- but simultaneously providing the option for real malware to sneak in undetected. 

In a survey commissioned in the summer of 2016 McAfee Labs looked at the current state of SOCs by questioning almost 400 security practitioners.

"One of the things we've seen," said Grobman, "is that there has been a resurgence of the role of the SOC. Organizations are finding that there is value in having a true SOC capability, even though there are different variants. Part of the challenge that we're finding is that it's not so much a lack of data but too much data and eventing. The challenge is largely around triaging it to make sure that incident responders and SOC personnel tackle the most important incidents." The difficulty is not just getting the data, but understanding what is important. 

"It is not simply a case of eliminating false positives," he continued. "There are many alerts that are genuine, but don't need an incident responder -- such as general malware that got onto the system but was detected and neutralized before it could do any harm. Contrast this with indicators of compromise that suggest you have been breached and there is an ongoing danger of data exfiltration -- that would need a responder. Here it is critical to be able to triage the two sets of events to know where to prioritize your response."

This is a problem. The survey found that on average, organizations are unable to adequately investigate 25% of their security alerts, and that most respondents feel overwhelmed by the quantity of security alerts -- with 93% unable to triage all potential threats. 

This will potentially worsen, since the majority of respondents -- 67% -- reported an increase in security incidents. More optimistically, however, 73% of these believe that the increase is at least partially down to improved detection; 57% actually perceive an increase in threats. 

"The solution we advocate," said Grobman, "is that you need to link automated detection with the proactive seeking skills of a human hunter. It's a technique we call 'human/machine teaming'. In order to find the most critical threats you need to combine the two since each element has unique advantages," he continued. "Humans have the strategic intellect that allows them to think like the adversary. They can think about scenarios they've never seen before; but they need to use technology in order to deal with the massive quantity of data that has been gathered from across the organization. A large part of our strategy is to build technology that embraces this concept of human/machine teaming where we can automate large parts of an investigation and yet pause for critical control points where the human injects his or her unique intellect. This combines AI or machine learning with the natural hunter's instincts to get the best possible result."

Related: Suffocating Volume of Security Alerts Challenge Incident Response

Related: Incident Response - Work Smarter Not Harder

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.