Traditional security solutions are falling short of providing needed protection because they’re typically blind to changing conditions and new attacks. Simply put: you can’t protect what you can’t see.
Perhaps no aspect of IT security demonstrates this more clearly than advanced malware. It’s not a question of if your network will be attacked by advanced malware, but when and how you’ll respond. You need to be able to discover threats and understand their behavior in order to effectively block them.
Research suggests as much as 75% of new viruses have a lifetime of zero, which means the first time we see them on an endpoint is also the last time we see them. And, according to Gartner’s Neil MacDonald, vice president and fellow, and Peter Firstbrook, research director, “Gartner currently estimates that 4% to 7% of enterprise endpoints are infected at any given time, and that the next scheduled scan will catch only 1% of threats.”*
One reason scheduled scans miss threats is that malware is becoming increasingly stealthy, using “droppers” (applications that download malicious files) or disguising itself as a legitimate program. Recent analysis of user-submitted data provides a sampling of the types of threats being missed. For example, in the United States winlogon.exe (part of the Windows login subsystem) is the most popular dropper, and the browsers that most often drop malware are, in order of frequency, Internet Explorer, Chrome and Firefox. Results vary by country.
In China, Chrome is the most popular browser to drop malware, while in the United Arab Emirates (AE) Firefox holds that position. In the United Kingdom regsvc.exe, a name associated with the service that allows the Windows registry to be accessed from a remote location, is the most popular malware dropper, while in Japan it is explorer.exe, the file explorer that ships with the Windows operating system. In Brazil one of the common droppers is reader_sl.exe, which is associated with Adobe Reader, suggesting that infections are occurring via PDF-related threat vectors. In Australia the file praetorians.exe pretends to be part of the very popular online strategy game Praetorians but in fact infects systems. The list goes on and on.
It’s clear – advanced malware is changing the way security must be managed. In the same Gartner report, MacDonald and Firstbrook also state, “Test results consistently show that the endpoint protection platforms (EPPs) currently available still do not protect endpoints against mass-propagated consumer threats — and their performance is even more dismal when faced with handcrafted targeted attacks.”
Despite best intentions, it is always challenging for security to be 100% effective in blocking attacks. While we must continue to invest in new technologies that provide detection of the latest threats, detection alone isn’t enough. Advanced malware protection technologies must be able to answer critical questions like: Where did the outbreak start? How did it spread? How can it be controlled?
To answer these questions, data visibility and analysis capabilities are key.
Today’s malware protection suites need to be capable of tapping into big data analytics to support more informed security decisions. Network and computer security technologies are gathering tremendous volumes of data about events related to IT assets. The amount of data associated with threats alone is growing rapidly with no signs of abating in the foreseeable future – less than a decade ago companies dealt with hundreds of threats a day, now the numbers are in the hundreds of thousands. The ability to access and analyze data about these threats is the foundation for developing effective security strategies.
Furthermore, it’s not enough to gather data just at the point of entry. Since threats typically evolve and propagate across enterprises, malware protection solutions must be able to provide a broader perspective to include data about the propagation path.
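As an added illustration (not code from the original post or from any vendor's product), the three questions above, where the outbreak started, how it spread and how it can be controlled, can be answered once per-host file sightings are collected centrally rather than only at the point of entry. The hostnames, hashes, timestamps and the `SIGHTINGS` record layout are constructed sample data, not real telemetry.

```python
from collections import defaultdict

# Constructed endpoint telemetry (not real data): one record per first sighting of a
# file hash on a host. "from" is the host the file arrived from; None marks an
# external entry point (e.g. a browser download), which is where an outbreak starts.
SIGHTINGS = [
    {"ts": "2012-03-01T08:02:11", "host": "ws-17", "sha256": "HASH_A", "via": "iexplore.exe", "from": None},
    {"ts": "2012-03-01T08:41:53", "host": "ws-22", "sha256": "HASH_A", "via": "smb", "from": "ws-17"},
    {"ts": "2012-03-01T09:15:07", "host": "fs-01", "sha256": "HASH_A", "via": "smb", "from": "ws-22"},
    {"ts": "2012-03-01T09:20:30", "host": "ws-09", "sha256": "HASH_A", "via": "smb", "from": "fs-01"},
    {"ts": "2012-03-01T09:33:44", "host": "ws-30", "sha256": "HASH_A", "via": "smb", "from": "ws-22"},
    {"ts": "2012-03-01T10:00:00", "host": "ws-22", "sha256": "HASH_B", "via": "email", "from": None},
]

def sightings_for(sha256, sightings=SIGHTINGS):
    """Sightings of one hash in time order (ISO-8601 strings sort chronologically)."""
    return sorted((s for s in sightings if s["sha256"] == sha256), key=lambda s: s["ts"])

def patient_zero(sha256, sightings=SIGHTINGS):
    """Where did the outbreak start? The earliest host to report the hash, or None."""
    ordered = sightings_for(sha256, sightings)
    return ordered[0]["host"] if ordered else None

def propagation_tree(sha256, sightings=SIGHTINGS):
    """How did it spread? Map each host to the hosts that received the file from it,
    children in order of arrival. A sighting whose 'from' host has not reported the
    file itself (a telemetry gap) is attached to the root so no victim is hidden."""
    tree, seen = defaultdict(list), set()
    root = patient_zero(sha256, sightings)
    for s in sightings_for(sha256, sightings):
        seen.add(s["host"])
        if s["from"] is None:
            continue  # entry point: no parent host
        parent = s["from"] if s["from"] in seen else root
        tree[parent].append(s["host"])
    return dict(tree)

def spread_paths(sha256, sightings=SIGHTINGS):
    """Every root-to-leaf chain of hosts, one hop per element, for the responder."""
    tree = propagation_tree(sha256, sightings)
    def walk(host, path):
        if host not in tree:
            return [path]
        return [p for child in tree[host] for p in walk(child, path + [child])]
    root = patient_zero(sha256, sightings)
    return walk(root, [root]) if root else []

def containment_set(sha256, sightings=SIGHTINGS):
    """How can it be controlled? Every host that has seen the hash, sorted for a ticket."""
    return sorted({s["host"] for s in sightings_for(sha256, sightings)})
```

Hosts are returned as lists rather than printed so the results can feed an isolation or blocking workflow directly.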
Increasingly sophisticated threats are driving many organizations to pursue defense-in-depth strategies, resulting in a number of protection technologies deployed in any one organization. Rather than operating independently, these technologies should form a tightly integrated system that collaborates and shares data, which raises the level of understanding about whether a particular file or application represents a threat.
Finally, analyzing all of this data within the context of your individual threat landscape is essential. Information concerns will vary greatly depending on your organization’s risk profile: its size, the value of its information assets, its recognition within the industry, and the vulnerability of its systems. Solutions that can intelligently correlate and analyze extensive amounts of data, so that you can focus on real threats and more effectively protect your digital assets and network, are a must.
As malware continues to evolve, as IT environments become more complex, and as the volume of data continues to expand, IT security professionals need to update their approach to security. Traditional security tools weren’t built for today’s dynamic and rapidly expanding computing environments. Advanced malware protection solutions must be able to continuously draw from volumes of data to identify suspicious activity and analyze and correlate that data to home in on real threats. Only then can organizations contain advanced malware outbreaks and block future attacks.
[*] Gartner, “Predicts 2012: Sophisticated Attacks, Complex IT Environments and Increased Risks Demand New Approaches to Infrastructure Protection,” November 29, 2011.