Security Experts:

What Good is a Snapshot in a Continuously Changing Malware Landscape?

When Dealing With Advanced Malware and Targeted Attacks, Enterprises Must Expand Their Approach To Address the Entire Lifecycle of Modern Threats

In my previous column, I wrote that advanced malware and targeted attacks are profoundly changing how we need to protect our systems. It’s no longer enough to focus on visibility and blocking at the point of entry in order to protect systems.

Malware Detection and Remediation ProcessAttacks today have reached a new level of sophistication and outbreaks are inevitable. Like the infamous bank robber, Willie Sutton, who disguised himself as a mailman, a maintenance man, even a police officer to gain entry to targeted financial institutions and eluded captors for decades, modern malware can disguise itself as a legitimate application to evade defenses. Later, when a breach occurs, you don’t know what you’re looking for. To contain and stop the damage, you need a broader approach to IT security that enables continuous visibility and control. Because once you “see it,” then you can “control it” and “protect it.”

Think for a moment about how today’s air transportation safety procedures have evolved as we’ve become savvier to potential threats. Airport security checkpoints are essential to the process of keeping threats off of our airplanes. However, the addition of federal air marshals and ongoing training of in-flight personnel to spot suspicious behavior in the air are also critical to maintaining security. An individual may appear perfectly ‘normal’ and escape notice when passing through initial checkpoints. But behaviors change (i.e., he or she may become increasingly anxious, agitated or angry) as the time approaches to execute an attack.

Now consider today’s malware defenses. Technologies like sandboxing share a similar ‘snapshot’ approach to security as airport security gates. It provides a baseline level of protection, but it cannot identify sophisticated malware that appears ‘normal’ in a sandboxed environment – failing to execute or recognizing it’s running in a sandbox and modifying its behavior. Yet unlike our air transportation safety program that continues to monitor individuals beyond the checkpoint, once a file is deemed ‘clean’ and leaves the sandbox it is no longer visible. At that point, malware has infiltrated the network and the problem shifts from threat prevention to threat removal; without ongoing visibility, an outbreak is inevitable.

To deal with advanced malware and targeted attacks, organizations must expand their approach to the malware problem to address the entire lifecycle of modern threats—from point of entry, through propagation, to post-infection remediation. Obviously, you still need a first line of defense that includes malware detection; the ability to identify files as malware at the point of entry and remediate accordingly is a fundamental first step. But you also must identify technologies that extend visibility and control through to propagation and post-infection remediation. Let’s take a closer look at these phases of the malware lifecycle and technologies that can help increase protection.

Propagation

Malware that gets through the first checkpoint will change its behavior, perhaps immediately but perhaps not for days, weeks or even months. You need solutions that will continuously monitor files and identify and analyze suspicious changes in behavior, automatically cross-checking against other pieces of contextual information such as bandwidth usage, time of day and file movement for greater intelligence. Continuous file visibility and analysis is critical to understand how to contain outbreaks and block future attacks.

Post-infection Remediation

Once you’ve identified suspicious behavior, you need solutions that can automatically evaluate the file against the latest threat intelligence and retrospectively alert you to malware. You can’t afford system performance delays so technologies that can leverage the cloud to analyze individual files without a full system scan will save computational cost. Next you need to understand the scope of the breach—what was the file’s trajectory? Gaining visibility into which systems the file has touched and if it has been executed gives you actionable intelligence to contain the outbreak. Armed with this insight you can quickly take steps to remediate—quarantining files previously thought to be safe but now deemed to be malware and performing clean-up.

Malware detection is a critical component to any defense strategy, but it isn’t fail-safe. Without continuous file analysis and retrospective alerting you’ll remain in the dark until your systems begin to significantly falter. When an attack does become evident you’ll be challenged to know how to contain and stop the damage.

Subscribe to the SecurityWeek Email Briefing
view counter
Marc Solomon, Cisco's VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor's degree from the University of Maryland, and an MBA from Stanford University.
view counter