Even as average enterprise security spending has risen over the years from 2% of the total IT budget to 10%, the percentage of compromised corporate machines has also climbed, now up to 7% to 9% by some estimates.
As good as we have gotten at fighting the well-known stuff -- say the Zeus/ZDbot and Koobface botnets -- the targeted, more stealthy attacks typically go undetected. The point is, your network is likely infected.
Data breach costs top $200 per customer record
Damballa, a company that makes tools to detect the command and control communications used to run botnets, says every company it has done proof of concept demos for has been infected. All of them.
Andreas Antonopoulos, a senior vice president of Nemertes Research, says the bad guys control more than 5 million machines in what he calls dark cloud computing. The more targeted attacks are hard to pick up because the perpetrators take their time, using bots to subvert a little at a time, then using that knowledge to subvert some more, Antonopoulos says.
Long duration is now even the norm with old-style attacks, says Jim Maloney, President and CEO of consultancy Cyber Risk Strategies, and formerly head of security for Barclays and Amazon.com. In a Webcast sponsored by Bit9, Maloney pointed out that Operation Aurora originally directed at Google spanned nine months.
Maloney says forensics after one bank breach revealed the crooks would wait two to three weeks between each step in their attack. It started with a low-level, quiet scan, which was followed by a noisier scan, then the attackers lobbed a text file on the bank's Web site, then eventually put a tool on the site that allowed them to pull down one customer record, then 10 and so on.
Regardless of the style of attack, we always seem to be a step behind, Maloney says. He argues that we need to make the systems security model more information-centric, more proactive, and he uses this maturity model to help clients figure out where they are today:
* In terms of how their security program is run, he asks clients where they stand on the continuum between being proactive vs. reactive, being strategic vs. tactical, and between viewing security as a people/process/technology challenge vs. simply a tech problem.
* Then he asks if the business views the security program as an investment or a cost, and an enabler or a business inhibitor.
The trick, he says, is to tip these scales to the left. The technologies he likes that will help do that include techs that: use general behavior and rules vs. specific signatures (although you still need those too); prevent compromise vs. detect it; and provides actionable intelligence not just data.
The bad guys are patient. We can't afford to be.