Will the Real Threat Please Stand Up? Chasing False Positives in the IT Environment.

According to the 2014 Cost of Data Breach Study by the Ponemon Institute¹, sponsored by IBM, the number of malware alerts has increased considerably all over the world, and the cost is rising for companies to take preventative measures as well as handle the costs associated with a breach (Ponemon Institute Releases 2014 Cost of Data Breach, Ponemon.org).

We are all familiar with the recent new stories of data breaches. Target, Home Depot, JPMorgan Chase, and Sony Pictures, just to name a few, have publically suffered from the hacking. Even Apple, a leading digital force, is not immune to hacking. In September 2014, various celebrities’ iCloud accounts were hacked leaving many of us wondering – if the iCloud isn’t safe, what is?

We can all agree that malware alerts are a good thing as they alert a single user or an entire department to suspicious emails, links, and potential risks to servers. Malware alerts encompass a range of security threats about an organization’s network, email system, analytics, and endpoints. For example, notifications can range from security firms like FireEye alerting an IT specialist about a potential cyberattack or phishing scam; or a software company like Drupal contacting their customers about installing a security patch.

Malware alerts are arguably our best defense against the unseen highway robber of our data. Right?

New research tells a different story.

In January 2015, the Ponemon Institute and Damballa published a report about how much money was being spent by organizations to investigate false positive alerts (New Ponemom Report Reveals High Cost of Dealing with ‘False Positve’ Cyber Security Alerts, Damballa.com). According to the report, organizations receive “an average of nearly 17,000 malware alerts” weekly. 17,000!

What may be even more troubling is that “only 19% are deemed reliable.” Meaning, only 19% of the emails and notifications are worthwhile to investigate and do something about. The rest are false positives.

According to Ponemon, organizations spent $1.27 million dollars on average² (or approximately $25,000 per week) investigating malware threats that were actually “erroneous.”

A lesson from Target.

In 2013, Target’s security professionals based in Bangalore received an alert about a cyberattack. The team did what they were supposed to do – contact the security operations center at Target’s headquarters in Minneapolis.

But this alert was not successfully interpreted or handled (Missed Alarms, Bloomberg,com). Target, the second largest retailer in the U.S., became infected with malware on its servers. The personal and financial information of 70 million customers was stolen.

You may have been one of the unlucky customers who received a notification letter in the mail from Target apologizing for this breach. You may have had to cancel your debit card and get a new one. Inconvenient? Yes! Consumer confidence killer for Target? Yes! Target’s identity theft experience has been very, very expensive, too.

A District Court judge in Minnesota gave the go ahead to a group of banks to sue Target for negligence. In total, Target received more than 90 lawsuits against them by both customers and banks. Target “spent $61 million” responding to the breach. After all, they received a malware alert.

How in the world can any company, let alone the single IT professional, handle a huge volume of alerts and sort through the mountain of false positives to reach the golden 19% – the worthy malware alerts?

Media Genesis, we tell our clients to:

• Schedule Updates. We recommend server administrators to regularly schedule updates – for the operating system, any server software that is in use, and any anti-virus/anti-malware software – as an essential measure to minimize the risk of sensitive information, such as passwords, banking details, and other types of private data, being leaked. One needs only to look at the Heartbleed exploit that was discovered in the OpenSSL suite in 2014 to understand the importance of updating software on a regular basis.
• Stay updated with new releases. We tell our clients that it is important to install updates for their Content Management System (CMS) whenever they become available in order to add features and functionality, but more importantly, to increase security and strengthen the website against being hacked or compromised. Research shows that over 80% of WordPress sites that had been hacked had not been updated. For this reason, WordPress is targeted more than other CMS’ on today’s Internet. However, even if the client does not use WordPress (and instead uses Drupal or another open source CMS), we still urge them to update often.
• Invest in a reputable security software system. Security systems can not only detect and block threats and viruses, but also should allow you to inspect the traffic that is labeled malware and set rules that block similar suspicious or corrupted files, including files that cannot be scanned, encrypted, or are larger than a particular size. These systems include spam and content filters for incoming email, and scale all the way up to enterprise-level hardware security appliances.

Key Findings from The Cost of Malware Containment (Ponemon Institute, January 2015)

• An average of 17,000 malware alerts are sent to organizations in a typical week
• Only 4% of malware alerts are investigated
• 19% of malware alerts are deemed reliable
• An average of $1.27 million annually is wasted responding to “erroneous or inaccurate malware alerts”
• 60% of respondents stated the severity of malware infections have increased

To protect your work computer, organization’s server, or just your personal laptop, take a look at the best security software systems according to Top Ten Reviews.

Top 10 Security Software by Endpoint Protection Software Review

1. Symantec
2. Kaspersky
3. Sophos
4. Bitdefender
5. McAfee
6. ESET
7. Microsoft
8. F-Secure
9. Panda
10. Avast

• Ponemon’s research involved over 18,000 IT and IT security practitioners from U.S-based companies.
• Over 600 respondents completed the survey, working mostly in financial services (18%), public sector (12%) and health and pharmaceuticals (11%).
• More than half of the respondents (65%) were from organizations that had a global headcount less than 5,000 employees.

¹ Ponemon Institute was founded in 2002 by Dr. Larry Ponemon. Headquartered in Michigan, Ponemon Institute is considered the pre-eminent research center dedicated to privacy, data protection and information security policy.

² IT professionals’ wage information was derived from the Ponemon Institute’s 2014 IT Security Spending Tracking Study.