A wave of network-based security products from vendors such as FireEye Inc., Damballa Inc. and Palo Alto Networks Inc. have raised the bar when it comes to detecting sophisticated attacks, but circumstances surrounding the massive Target data breach suggest that without a sizable incident response team or a complex mix of additional security products, network-based threat detection products may not do much good.
Minneapolis, Minn.-based Target Corp. was the victim of one of the largest data breaches in retail history during the 2013 holiday shopping period when attackers made off with data from approximately 40 million payment cards, and personal information belonging to 70 million customers.
Apart from warnings regarding RAM-scraping malware targeted at retailers, little detail had been released about the circumstances of the breach until a recent report by Bloomberg Businessweek, which detailed Target's use of technology from FireEye, a leading advanced malware detection vendor.
According to the report, Target installed a FireEye product -- valued at $1.6 million -- a full six months prior to its data breach. The unnamed product reportedly detected the attack on multiple occasions, though the malware, named "malware.binary", was hardly the most sophisticated; even Symantec Corp.'s oft-maligned endpoint protection software, which Target also used, reportedly spotted suspicious behavior.
Advanced attack detection: Can manual monitoring work?
Target relied on around-the-clock monitoring of its FireEye system from a security operations center (SOC) in Bangalore, India. According to the Businessweek report, the India-based team notified their Minneapolis-based colleagues of the alerts corresponding to the breach incident. The SOC, however, did not take action, allowing attackers to make off with a staggering data haul.
"With the benefit of hindsight, we are investigating whether if different judgments had been made the outcome may have been different," Target spokeswoman Molly Snyder said in a statement responding to the Businessweek report.
Intriguingly, the Fortune 500 retailer had also decided to turn off the FireEye product's automated response capabilities, which would have acted to remove the malware infection once it was detected.
In his experience, both as an analyst and previously as a solution provider selling FireEye products, Rick Holland, principal analyst for security and risk management at Cambridge, Mass.-based Forrester Research Inc., said most of the vendor's customers are actually using its products for threat detection, and not as the centerpiece of an automated threat prevention platform, as FireEye intends.
According to Holland, most FireEye customers are afraid to deploy the products inline as the company advises, and don't turn on the automated threat blocking capabilities included in the platform because of the well-founded fear that false positives will block legitimate traffic. Though as the Target incident proved, manually following up on every alert generated by a variety of security products across an enterprise isn't a workable long-term strategy.
"We've had the capability for a long time across many different technologies to do automated blocking," Holland said. "We're never going to reduce the number of attacks that occur or speed the time to containment and remediation unless we have automation in the picture. So we need to move more in that direction, but most companies struggle with that."
Andrew J., a network security professional at a mid-Atlantic materials company, said his organization has used FireEye's NX Series product, which provides detection and prevention capabilities for Web-based threats, since 2011, but like Target it has not enabled the product's automated response capabilities. As a result, a member of his company's security team follows up on each FireEye alert manually, with each typically requiring two to three hours of remediation and often resulting in wiping a machine clean.
As of now, Andrew J. said he doesn't mind the manual incident response the process requires, mainly because the product generates so few alerts. He said that's because the FireEye product is deployed out of band, and traffic is first filtered through a Web proxy from McAfee Inc., meaning many rudimentary threats are mitigated before they ever reach the FireEye product.
Despite having between 15,000 and 20,000 endpoints at his company, Andrew J. said the FireEye product generated only a dozen alerts in the previous 30 days, with basically all of those being rated "critical" or "major" on the Milpitas, Calif.-based vendor's threat prioritization scale, a manageable number of events for even a modest enterprise information security team to handle manually.
Despite his general satisfaction with FireEye, Andrew J. admitted his company's manual event-handling process may not scale to an environment like Target's, in which experts estimate that on a daily basis, the company may see hundreds or even thousands of alerts.
"I'm guessing that Target just didn't have a security team to match the scale of their infrastructure," Andrew J. said.
Automating advanced attack incident response
Craig Treubig, practice manager for the technology solutions group at Denver-based IT security consulting firm Accuvant Inc., said he hasn't seen a big push from clients to utilize automated incident response technologies such as FireEye's, mainly because enterprises don't trust the products to successfully remediate incidents without creating further issues.
"One of the biggest concerns still in the market is trust in the technologies and what they can do," Treubig said. "There's always going to be, in my opinion, a human element. When you take it out of their control, customers are always concerned about what that product is doing."
SearchSecurity contacted FireEye, but the vendor declined comment for this story.
Noting that the Businessweek report doesn't detail how Target had deployed FireEye prior to the breach, Holland said the incident typifies how many enterprises struggle to deal with information security events. Even when using SIEM products, which are designed to correlate data from a variety of security products and highlight high-priority security events, many organizations find themselves flooded with a barrage of alerts, ultimately unable to devote enough resources toward incident response.
"Depending on where FireEye is deployed within an environment, it can be extremely noisy, overwhelmed with malware," Holland said. "It could have been that there were so many FireEye alerts, Target didn't know how to respond to it. And there could have been so many alerts from the SIEM that they couldn't respond to it either."
Andrew J. said his organization had previously considered employing the services of Mandiant, the incident response vendor behind the famed APT1 report, before the company was acquired by FireEye. He said he is still unclear how the combination of the two companies will play out, though he is hopeful it will improve FireEye's response capabilities.
"That seems to be one of the biggest hurdles in the market right now, namely deploying different endpoint technologies or different protection technologies and what their failings are," Accuvant's Treubig said. "But it's not necessarily the products that are failing; it's the complete process that may be failing."
Advanced network, endpoint security products evolving
Its Mandiant acquisition notwithstanding, FireEye to date has largely supplemented its automated endpoint incident response capabilities by relying on integration with other endpoint security products, like those from Waltham, Mass.-based Verdasys, whose Digital Guardian Connector promises the ability to enable customized, automated response actions based on FireEye alerts. Endpoint security vendor Bit9 offers similar integration capabilities with both FireEye and alerts from Palo Alto Networks' WildFire platform, though Holland said those relationships may be strained once FireEye integrates the technology from Mandiant.
Much like FireEye, Damballa's products offer automated response capabilities, according to Brian Foster, chief technology officer for Atlanta-based Damballa, though it is unclear how many of the vendor's customers take advantage of them. Interestingly, Damballa last week announced integration between its Failsafe product and the technology of Campbell, Calif.-based network security vendor ForeScout, perhaps best known for its network access control product, a move that Foster said will reduce the resources needed to manually handle alerts.
Until network and endpoint security technologies are more tightly aligned, Holland said customers of FireEye, Damballa and Palo Alto Networks will likely continue handling alerts from those companies just as many other Forrester clients are now: Security products will feed their data into a SIEM, and manual action will only be taken after an alert has been validated by two or three different products.
In the interim, Holland said companies can look to third-party vendors like NetCitadel Inc. that serve as a middleman between network and endpoint security products by applying security controls and blocking and monitoring based on data from SIEMs and other security products. Such a service promises to help organizations take a step toward quicker incident response, said Holland, while minimizing some of the other risks associated with automation by correlating information across a number of technologies, rather than allowing a single product to potentially block legitimate traffic.
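The operating pattern Holland describes, alerts from several products landing in a SIEM and action taken only once two or three of them agree on the same host, can be made concrete with a small correlator. The following is an added example written for this article, not code from FireEye, NetCitadel or any other vendor named here; the product names, hostnames, timestamps, one-hour window and severity threshold are all constructed placeholders.

```python
"""
Multi-source alert triage: a host becomes eligible for automated containment
only when alerts from at least `min_sources` distinct products land within a
time window of each other and the worst of them is at least `min_severity`.
Everything else goes to an analyst queue. This mirrors the "validate with two
or three products before acting" approach and avoids letting one noisy product
block legitimate traffic on its own. (Added example; vendor-agnostic.)
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

SEVERITY_RANK = {"minor": 1, "major": 2, "critical": 3}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str     # product that raised it (placeholder names below)
    host: str       # endpoint the alert concerns
    severity: str   # vendor label normalised to minor / major / critical
    detail: str


# Constructed sample feed: placeholder hosts, products and timestamps, not real data.
SAMPLE_ALERTS = [
    Alert(datetime(2014, 3, 14, 9, 0),   "network-sandbox", "pos-0042", "critical", "binary flagged in sandbox"),
    Alert(datetime(2014, 3, 14, 9, 7),   "endpoint-av",     "pos-0042", "major",    "suspicious process behaviour"),
    Alert(datetime(2014, 3, 15, 8, 0),   "endpoint-av",     "pos-0042", "minor",    "adware"),
    Alert(datetime(2014, 3, 14, 9, 30),  "network-sandbox", "ws-1187",  "major",    "binary flagged in sandbox"),
    Alert(datetime(2014, 3, 14, 9, 45),  "network-sandbox", "ws-1187",  "major",    "binary flagged in sandbox"),
    Alert(datetime(2014, 3, 14, 10, 0),  "endpoint-av",     "ws-2201",  "major",    "suspicious process behaviour"),
    Alert(datetime(2014, 3, 14, 11, 30), "network-sandbox", "ws-2201",  "critical", "callback to known C2"),
    Alert(datetime(2014, 3, 14, 12, 0),  "web-proxy",       "ws-3310",  "minor",    "blocked category"),
    Alert(datetime(2014, 3, 14, 12, 5),  "endpoint-av",     "ws-3310",  "minor",    "potentially unwanted program"),
]


def triage(alerts, window=timedelta(hours=1), min_sources=2, min_severity="major"):
    """Return {host: {"decision", "reason", "sources", "alerts"}}.

    decision is "contain" (safe to hand to an automated response) or
    "review" (send to an analyst). The check is a sliding window over each
    host's alerts in time order: at each alert, look back `window` and count
    distinct products that fired.
    """
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)

    out = {}
    for host, items in by_host.items():
        decision, reason = "review", "single-source or uncorroborated"
        for i, latest in enumerate(items):
            # Alerts for this host within `window` ending at the current one.
            recent = [b for b in items[: i + 1] if latest.ts - b.ts <= window]
            sources = {b.source for b in recent}
            top = max(SEVERITY_RANK[b.severity] for b in recent)
            if len(sources) >= min_sources and top >= SEVERITY_RANK[min_severity]:
                decision = "contain"
                reason = f"{len(sources)} products agree within {window}"
                break
            if len(sources) >= min_sources:
                # Several products fired but none rated it seriously: a human looks.
                reason = "corroborated but low severity"
        out[host] = {
            "decision": decision,
            "reason": reason,
            "sources": sorted({a.source for a in items}),
            "alerts": len(items),
        }
    return out


def summarize(decisions):
    """Count hosts per decision, i.e. how much lands on the analysts' desks."""
    counts = defaultdict(int)
    for d in decisions.values():
        counts[d["decision"]] += 1
    return dict(counts)


if __name__ == "__main__":
    result = triage(SAMPLE_ALERTS)
    for host, d in result.items():
        print(f"{host}: {d['decision']:8} ({d['reason']}; sources={d['sources']}, alerts={d['alerts']})")
    print(summarize(result))
```

In the sample feed only `pos-0042` qualifies for containment: two products agree within minutes and one rated it critical. `ws-1187` is flagged twice but by the same product, `ws-2201` is seen by two products but 90 minutes apart, and `ws-3310` is corroborated yet only at "minor" severity, so all three stay in the analyst queue. Tuning `window`, `min_sources` and `min_severity` is exactly the trade-off the article describes between automation and the fear of blocking legitimate traffic.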
"I would say the next-gen endpoint solutions are not as mature as FireEye, and a lot of times, customers are just trying to build a budget for a FireEye-type of solution. But they'll quickly find they need a network and endpoint solution working together in tandem," Holland said. "So I think if you look at the capabilities, you absolutely need to have some coordination between your network security controls and your endpoint security controls."