Endpoint Protection is Barely Keeping Pace With Endpoint Attacks
The difference between anti-malware test results and real-life experience is highlighted in a new survey. While independent test results continue to suggest endpoint protection can detect and/or block close on 100% of malware, one-third of security professionals in the field believe their own endpoint protection controls will stop no more than 50% of malware infections.
Less than one-quarter of 600 security professional respondents to a new survey (PDF) conducted by Minerva Labs believe their current defenses provide a 70-100% prevention rate. The implication is clear: despite the new technology of artificial intelligence enhanced behavioral detection, defenders are not yet winning the battle against malware attacks.
This is confirmed with 75% of the professionals believing the rate of infection has been constant — or has worsened — over the last year. Furthermore, two-thirds of the respondents do not have confidence that their current defenses will be able to prevent ‘a significant’ malware attack in the future.
The most interesting response here, however, is that about 6% of respondents are ‘not at all concerned’ about a significant attack — and the unanswered question is, why not? Are 6% of security professionals totally apathetic — or do they all use a particular endpoint protection system that instills almost total confidence? If all 6% use one particular, or a small subset of, so-called next-gen machine learning endpoint detection systems, then any conclusions drawn from this response would be very different. This is the problem and danger in all broad-brush surveys — detailed and accurate analysis of the results is impossible.
Nevertheless, it remains clear that, overall, industry’s use of malware detection is not currently making any serious inroads against malware infections. In fact, 30% of the respondents have experienced a higher number of infections over the last 12 months than in previous years. Only one-in-five security professionals have seen fewer infections — but again, the unasked and unanswered question is: what have you done differently in the last 12 months?
One of the most confusing questions in this survey is: “Of the following malware evasion techniques, which concern you the most?” The options are fileless, sandbox evasion, malicious documents, and ransomware. The first two are valid. In fact, there has been a dramatic rise in the use of fileless attacks capable of avoiding basic detection over the last year.
The inclusion of ‘malicious documents’ as an evasion technique is difficult to understand: do those documents contain scripts that become a fileless attack; just contain malicious links that automatically detonate; seek to invoke a watering hole attack; include steganographic images; or something else. The document itself is not an evasion technique, although what it contains might seek to evade detection. And ransomware as an evasion technique is just plain wrong.
The lack of detail in the survey shows itself repeatedly. Asked how long it takes to restore a compromised endpoint to its normal state, 17% of the respondents replied ‘within minutes’, while 14% replied ‘within weeks’. Once again, the valuable information would be, what are the 17% doing differently to the 14% that the latter could learn from? Are those who can recover within minutes using a modern endpoint detection and response (EDR) system, not used by the other respondents — or do they have a particularly effective back-up and recovery regime, or perhaps a virtual desktop, or one of the emerging isolation technologies?
One question and response that is unequivocally useful — to product marketers, if not product users — concerns how security professionals would improve their defenses if not currently happy with them. Less than 30% of the respondents indicated a willingness to entirely replace the existing controls. As many as 17% would carry on regardless, “and would not consider replacing or augmenting it”.
More than 50%, however, replied, “I would prefer to add additional layers to cover the protection gap to avoid the risks and costs associated with replacing the exiting solution.” Security professionals are quite simply more interested in improving than replacing their existing defenses. Minerva Labs suggests this is likely “due to their desire to avoid the risks and costs associated with replacing the existing solution. After all, the ‘rip and replace’ project is likely to involve a lengthy rollout, intense regression testing, and require reengineering of many IT processes.”
Despite the lack of detail in this survey, the overall picture is clear: endpoint defense is barely keeping pace with endpoint attacks. “The results from our survey,” said Eddy Bobritsky, co-founder & CEO of Minerva Labs, “indicate that while malware threats are still growing, endpoints remain highly vulnerable to a cyber-attack,”
He continued, “We continue to see more complex and sophisticated threats, where traditional blocking and prevention mechanisms, such as antivirus, are no longer enough to keep endpoints safe. Beyond merely relying on baseline anti-malware solutions to protect endpoints, companies should strengthen their endpoint security architecture to get ahead of adversaries, such as blocking off attempts to get around existing security tools.”
Minerva Labs’ own solution is an anti-evasion and deception platform that deceives malware into misfiring. It is not a replacement for existing endpoint defenses — with which it happily coexists — but a supplement designed to detect and neutralize malware that would get through existing anti-malware systems.