Find, freeze and fix fast: What your team needs at the advanced threat gunfight

Michael Fey, worldwide CTO, McAfee, Inc.

Enterprise IT security was traditionally built around a firewall that kept adversaries out of the network. More recently, on the assumption that bad things do get in, sandboxes have been bolted on to enterprise environments to detonate copies of suspicious files in isolation, observe their network traffic and system activity, and so understand a payload's intent and functionality.

The issue is that today's targeted attacks use advanced malware designed to defeat these controls, either by confusing them or by avoiding them altogether. Malware can pass through firewalls even where they inspect traffic at multiple protocol layers, and it can beat a sandbox by withholding its malicious behavior until it confirms that it is running on a real victim host rather than in an analysis environment: checking for virtualization artifacts or signs of a live user, or simply sleeping past the sandbox's analysis window.

Advanced malware payloads can be encrypted, split into pieces or encoded, or they can hide in the noise, slipping a few malicious transmissions into a flood of legitimate protocol traffic that overwhelms both the firewall and the sandbox. To make matters worse, organizations trying to manage risk while cutting costs commonly deploy firewalls and sandboxes only at predictable entry points rather than protecting the environment system-wide.

And while both are critical parts of a security environment, the firewall and the sandbox lack the command-and-control capacity to orchestrate the environment's response to an attack: each can block what passes through its own choke point, but neither can stop an attack that has already moved beyond it.

Simply put, organizations require security environments that are able to find, freeze and fix advanced malware fast:

  • Find. While many firewalls and sandboxes can be bypassed or evaded, organizations can improve their ability to find threats by connecting firewalls and sandboxes to management software and threat intelligence, so that each control informs, learns from and collaborates with the rest of the IT environment.
  • Freeze. If and when an attack happens, defenses and countermeasures must be aware and informed so that the attack can be recognized, infected hosts quarantined, and the malware frozen before it propagates elsewhere. While neither a firewall nor an isolated sandbox can stop an attack that is already inside the network, the threat information they share (file hashes, contacted domains and addresses, observed behaviors) can be used to update gateway protections, endpoint protections and cloud intelligence services.
  • Fix. If a sandbox can comprehend and communicate the purpose and functionality of the malware, enterprises can more effectively scope the attack, remediate the damage and avoid further disruption. Beyond the fix, forensic analysis of this threat intelligence can even help determine the actors behind the attack.
  • Fast. Each step of find, freeze and fix can be expedited, and the entire threat lifecycle condensed, when automation replaces the decisions and delays of manual analysis. Rules and policies replace phone calls and emails as the trigger for action, while humans oversee the bigger picture of managing risk, including which actions are safe to automate and which still need a person's approval.
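As an added illustration of the four steps above (this is example code, not the article's or any McAfee product's), the following Python sketch runs the loop in miniature: a sandbox verdict is turned into indicators, the indicators are rendered as gateway and endpoint blocking rules, hosts whose telemetry already matches an indicator are quarantined, and a policy guardrail routes hosts in a protected group to a human instead of isolating them automatically. The verdict format, telemetry shape, rule syntax, host names and the "db-prod-" protected prefix are all assumptions made for the example; the sample data is constructed inline.

```python
"""Added example: a 'find, freeze, fix, fast' orchestration loop in miniature.
Data shapes and rule syntaxes are assumptions for illustration, not a vendor format.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Indicator:
    kind: str    # "sha256", "domain" or "ip"
    value: str


@dataclass
class Response:
    indicators: set = field(default_factory=set)
    gateway_rules: list = field(default_factory=list)   # pushed to the gateway
    endpoint_rules: list = field(default_factory=list)  # pushed to endpoints
    quarantine: list = field(default_factory=list)      # hosts isolated automatically
    needs_review: list = field(default_factory=list)    # hosts an analyst must approve


# Constructed sample: hash of a made-up payload, plus a sandbox verdict in an
# assumed (not vendor-specific) shape.
SAMPLE_SHA256 = hashlib.sha256(b"constructed sample payload").hexdigest()
SANDBOX_VERDICT = {
    "sha256": SAMPLE_SHA256,
    "verdict": "malicious",
    "confidence": 92,
    "network": [
        {"type": "domain", "value": "Update-Check.example"},
        {"type": "ip", "value": "203.0.113.17"},
    ],
}

# Constructed endpoint telemetry: (host, event type, observed value).
TELEMETRY = [
    ("ws-0412", "process_hash", SAMPLE_SHA256),
    ("ws-0417", "dns_query", "update-check.example"),
    ("db-prod-01", "net_connect", "203.0.113.17"),
    ("ws-0099", "dns_query", "www.example.org"),
]

# Which indicator kind each telemetry event type can match.
EVENT_TO_KIND = {"process_hash": "sha256", "dns_query": "domain", "net_connect": "ip"}


def indicators_from_verdict(verdict, min_confidence=80):
    """Find: extract indicators, but only from verdicts worth acting on."""
    if verdict["verdict"] != "malicious" or verdict["confidence"] < min_confidence:
        return set()
    indicators = {Indicator("sha256", verdict["sha256"].lower())}
    for observed in verdict.get("network", []):
        indicators.add(Indicator(observed["type"], observed["value"].lower()))
    return indicators


def gateway_rules(indicators):
    """Freeze at the gateway: sinkhole C2 domains and deny C2 addresses."""
    rules = []
    for ind in sorted(indicators, key=lambda i: (i.kind, i.value)):
        if ind.kind == "domain":
            rules.append(f"dns-sinkhole {ind.value}")
        elif ind.kind == "ip":
            rules.append(f"deny ip any {ind.value}")
    return rules


def endpoint_rules(indicators):
    """Freeze at the endpoint: block execution of the known-bad hash."""
    return [f"block-hash sha256:{i.value}"
            for i in sorted(indicators, key=lambda i: i.value) if i.kind == "sha256"]


def affected_hosts(indicators, telemetry):
    """Fix (scoping): hosts whose telemetry already matches an indicator."""
    wanted = {(i.kind, i.value) for i in indicators}
    return sorted({host for host, event, value in telemetry
                   if (EVENT_TO_KIND.get(event), value.lower()) in wanted})


def orchestrate(verdict, telemetry, protected_prefixes=("db-prod-",), min_confidence=80):
    """Fast: run the whole loop by policy, with a guardrail for critical hosts."""
    response = Response()
    response.indicators = indicators_from_verdict(verdict, min_confidence)
    if not response.indicators:
        return response                      # nothing actionable, nothing pushed
    response.gateway_rules = gateway_rules(response.indicators)
    response.endpoint_rules = endpoint_rules(response.indicators)
    for host in affected_hosts(response.indicators, telemetry):
        if host.startswith(protected_prefixes):
            response.needs_review.append(host)   # policy says a human decides
        else:
            response.quarantine.append(host)
    return response


if __name__ == "__main__":
    result = orchestrate(SANDBOX_VERDICT, TELEMETRY)
    print("gateway:", result.gateway_rules)
    print("endpoint:", result.endpoint_rules)
    print("quarantine:", result.quarantine, "review:", result.needs_review)
```

The point of the `protected_prefixes` guardrail is the "humans oversee the big picture" half of the Fast step: a verdict that is good enough to sinkhole a domain at the gateway is not automatically good enough to pull a production database off the network, so the policy, not a phone call, decides which hosts are isolated immediately and which are queued for an analyst.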

Finding, freezing and fixing advanced malware fast requires a fully integrated, well-managed approach to IT security that analyzes, evaluates, communicates and decisively responds to each new threat. Such an approach lets organizations respond to threats quickly, efficiently and comprehensively, removing the coverage gaps and blind spots that lurk between firewall and endpoint, or between data center and mobile device.
