Wednesday, April 10, 2013

(I) We are all doing it wrong, well you are according to the stats

At this year's BSides Austin, Ian and I discussed a new method for malware analysis and detection. The presentation included a slide showing, from the Verizon 2012 DBIR report and Trustwave's 2012 report, that the industry is STOOPID slow at detecting a compromise, as the following images show.
Verizon 2012 DBIR report

Trustwave's 2013 Global Security Report

HP sent me an email with the following tag line.

I don't know where HP got 416 days, as Verizon and Trustwave both indicate around 200+ days. Nevertheless, these numbers are proof that InfoSec and the security vendors selling us defenses are failing us all. Or is it us using the tools?

In the presentation, Ian and I showed red boxes around the two images above, indicating that we can detect a compromise within hours or less, not weeks, months or longer. A 180 degree change from the report findings. Why? Because we tweak our security tools to do more. We do not rely on default installations of security tools and expect them to work. We heavily use the analysis feature of BigFix (Fracking AWESOME BTW) to watch areas on the systems that have been and are regularly used for malware. We also have a methodology known as the "Malware Analysis Framework" that we use to keep up and defend our networks, and analyze what we find.

For 2013 I give you the following challenge, and be honest about it too: where do you sit on the Verizon and Trustwave Detection of a Compromise timeline? Here is the challenge - do a 180 turnaround as we have done and place your organization in the minutes-to-hours detection and containment area that is currently at 0%-5% according to the two reports, or worse, HP's number of 416 days.

It can be done! If you need help, I guess we are available to do some simple consulting to help you figure it out, but you CAN do it!!!