[BreachExchange] Less Than Half of Cyberattacks Detected via Antivirus: SANS

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jul 16 21:23:30 EDT 2018


https://www.darkreading.com/endpoint/less-than-half-of-cyberattacks-detected-via-antivirus-sans/d/d-id/1332309

Businesses are investing in more advanced endpoint security tools but don't
have the means to properly implement and use them, according to a new
report from the SANS Institute.

The SANS 2018 Survey on Endpoint Protection and Response polled 277 IT
professionals on endpoint security concerns and practices. In this year's
survey, 42% of respondents reported endpoint exploits, down from 53% in
2017. However, the number of those who didn't know they had been breached
jumped from 10% in 2017 to 20% in 2018.

Traditional tools are no longer sufficient to detect cyberattacks, the data
shows: Antivirus systems only detected endpoint compromise 47% of the time;
other attacks were caught through automated SIEM alerts (32%) and endpoint
detection and response platforms (26%).

Most endpoint attacks are intended to exploit users. More than 50% of
respondents reported Web drive-by incidents, 53% pointed to social
engineering and phishing attacks, and half cited ransomware. Credential
theft was used in 40% of compromises reported, researchers state.

The majority (84%) of endpoint breaches involve more than one device,
experts report. Desktops and laptops are still the top devices of concern,
but attackers are also compromising server endpoints, cloud-based
endpoints, SCADA, and other industrial IoT devices. Cloud-based endpoints
are increasingly popular, going from just over 40% in 2017 to 60% in 2018.

Given the commonality and effectiveness of user-targeted attacks, it's
worth noting that detection technologies designed to look at user and
system behavior, or provide context awareness, were less involved in
detecting breaches. Only 23% of breaches were found with attack
behavior-modeling and only 11% were detected with behavior analytics.

Businesses aren't using these technologies as often because they lack the
means, SANS reports. Many IT and security pros report investing in next-gen
capabilities but not installing them. For example, half have acquired
next-gen AV tools but 37% have not implemented them. Forty-nine percent
have fileless attack detection tools but 38% haven't implemented the tech.

When breaches do occur it seems many businesses can trace them to the
source. Nearly 80% of respondents report they can tie a user to endpoints
and servers at least half the time (34% always, 45% at least half), which
adds an identity when making decisions about user behavior.

Data collection makes a major difference in data breach remediation, but
organizations don't always have access to the data they need. Most (84%)
respondents want more network access and user data, 74% want more network
security data from firewall/IPS/unified threat management systems, and 69%
want better network traffic analysis.