Converge Digest

McAfee Labs Finds 93% of Security Ops Managers Overwhelmed by Alerts

December 13, 2016

Security operations managers are finding it difficult to triage cyber threats due to the increasing volume of activity and growing complexity, according to a primary research study commissioned by Intel Security. The newly released McAfee Labs Threats Report details key 2016 developments in ransomware and illustrates how attackers are creating difficult-to-detect malware by infecting legitimate code with Trojans and leveraging that legitimacy to remain hidden as long as possible.

“One of the harder problems in the security industry is identifying the malicious actions of code that was designed to behave like legitimate software, with low false positives,” said Vincent Weafer, vice president of Intel Security’s McAfee Labs. “The more authentic a piece of code appears, the more likely it is to be overlooked. Just as 2016 saw more ransomware become sandbox-aware, the need to conceal malicious activity is driving a trend toward ‘Trojanizing’ legitimate applications. Such developments place an ever greater workload on an organization’s SOC – where success requires an ability to quickly detect, hunt down, and eradicate attacks in progress.”

Some highlights:

  • Alert overload. On average, organizations are unable to sufficiently investigate 25 percent of their security alerts, with no significant variation by country or company size.
  • Triage trouble. While most respondents acknowledged being overwhelmed by security alerts, as many as 93 percent are unable to triage all potential threats.
  • Incidents on the rise. Whether from an increase in attacks or better monitoring capabilities, 67 percent of respondents reported an increase in security incidents.
  • Cause of the rise. Of the respondents reporting an increase in incidents, 57 percent report they are being attacked more often, while 73 percent believe they are able to better spot attacks.
  • Threat signals. The most common threat detection signals for a majority of organizations (64 percent) come from traditional security control points, such as antimalware, firewall and intrusion prevention systems.
  • Proactive vs. reactive. The majority of respondents claim to be progressing toward the goal of a proactive and optimized security operation, but 26 percent still operate in reactive mode, with ad hoc approaches to security operations, threat hunting and incident response.
  • Adversaries. More than two-thirds (68 percent) of investigations in 2015 involved a specific entity, either as a targeted external attack or an insider threat.
  • Causes for investigation. The respondents reported that generic malware led the list of incidents (30 percent) leading to security investigations, followed by targeted malware-based attacks (17 percent), targeted network-based attacks (15 percent), accidental insider incidents resulting in potential threats or data loss (12 percent), malicious insider threats (10 percent), direct nation-state attacks (7 percent), and indirect or hacktivist nation-state attacks (7 percent).

In the third quarter of 2016, McAfee Labs’ Global Threat Intelligence network registered notable surges in ransomware, mobile malware and macro malware:

  • Ransomware. The count of total ransomware grew by 18 percent in Q3 2016 and 80 percent since the beginning of the year.
  • Mac OS malware. New Mac OS malware skyrocketed by 637 percent in Q3, but the increase was due primarily to a single adware family, Bundlore. Total Mac OS malware remains quite low in comparison to other platforms.
  • New malware. The growth of new unique malware dropped 21 percent in Q3.
  • Mobile malware. We cataloged more than 2 million new mobile malware threats in Q3. Infection rates in Africa and Asia each dropped by 1.5 percent, while Australia increased by 2 percent in Q3.
  • Macro malware. New Microsoft Office (primarily Word) macro malware continued the increase first seen in Q2.
  • Spam botnets. The Necurs botnet multiplied its Q2 volume by nearly seven times, becoming the highest-volume spam botnet of Q3. We also measured a sharp drop in spamming by Kelihos, which resulted in the first decline in quarterly volume we have observed in 2016.
  • Worldwide botnet prevalence. Wapomi, which delivers worms and downloaders, remained No. 1 in Q3, declining from 45 percent in Q2. CryptXXX ransomware served by botnets jumped into second place; it was responsible for only 2 percent of traffic last quarter.

http://www.intelsecurity.com/

Tags: Blueprint columns, Intel, McAfee, Security
Staff
