Find, freeze and fix fast: What your team needs at the advanced threat gunfight
Michael Fey, worldwide CTO, McAfee, Inc.
Enterprise IT security systems were traditionally set up around the concept of a firewall that kept adversaries out of the enterprise. Recently, under the assumption that bad things get in, sandboxing features have been bolted on to enterprise environments to isolate copies of suspicious files, analyze their packets, and even activate and analyze malicious payloads to understand their intent and functionality.
The issue is that today's targeted attacks use advanced malware designed to defeat IT security controls through a variety of approaches that either confuse or avoid them altogether. Malware can get through firewalls even if they are deployed at multiple protocol levels and it can beat sandboxing by delaying execution until it detects the required native operating environment.
Advanced malware payloads can be encrypted, split up or encoded, or they can hide amid torrents of calls on systems, slipping into a flood of legitimate protocol transmissions that overwhelm both the firewall and the sandbox. To make things worse, organizations attempt to manage risk but cut costs by commonly deploying firewalls and sandboxes at predictable entry points, rather than protecting themselves system-wide.
And, while critical in a security environment, the firewall and the sandbox lack the command and control capacity to orchestrate a security environment's response to an attack – they can do nothing to stop it.
Simply put, organizations require security environments that are able to find, freeze and fix advanced malware fast:
- Find. While many firewalls and sandboxes can be bypassed or eluded, organizations can improve their ability to find threats by connecting firewalls and sandboxes with advanced management software and threat intelligence – informing, learning from, and collaborating with the entire IT environment.
- Freeze. If and when attacks happens, defenses and countermeasures must be aware and informed so attacks can be recognized, infected hosts quarantined, and malware frozen before it can propagate elsewhere in the system. While neither a firewall nor an isolated sandbox can stop an attack inside the network, the threat information they share can be used to update gateway protections, endpoint protections and cloud intelligence services.
- Fix. If a sandbox can comprehend and communicate the purpose and functionality of malware, enterprises can more effectively scope the attack, remediate the damage and avoid further disruption. Beyond the fix, forensic analysis of this threat intelligence can even help determine the actors behind the attacks.
- Fast. Each step of “find, freeze, fix”—can be expedited, and the entire threat lifecycle can be condensed when automation replaces the decisions and delays of manual analysis and tasks. Rules and policies replace phone calls and emails to take action, while humans oversee the big picture of managing risk.
Finding, freezing and fixing advanced exploits fast requires a fully integrated, well managed approach to IT security that analyzes, evaluates, communicates and decisively responds to each new threat. Such an approach will enable organizations to quickly and efficiently respond to threats comprehensively, removing coverage gaps and blind spots lurking between firewalls and endpoints, or from data center to mobile device.