The five new laws of anti-malware
If the explosion in malware variants wasn't enough, sophisticated client-side attacks and advanced persistent threats (APTs) target victims in ways that completely evade traditional security measures. Recent research suggests as much as 75 percent of new malware is seen on a single endpoint and only about 40 percent of new malware even gets detected.
It's not a question of if your network will be attacked with advanced malware. It's a question of when it will happen and how you will respond. Advanced malware is changing the way security is managed. There are five new laws that you should know:
Problem 1: Security is a “big data” problem now
Since the first anti-malware technologies were introduced several decades ago, security vendors assiduously performed some degree of sample collection, sample processing, detection generation and detection publishing. In short, this approach was driven by vendors who could quickly translate back-office intelligence into customer-facing protection.
What has changed is the sheer volume of data a typical vendor must deal with today. The hundreds of threats companies dealt with on a daily basis less than a decade ago pale in comparison to the hundreds of thousands of threats they must handle on a daily basis today. Security experts estimate that more than 280 million viruses were released last year alone.
Even worse, threats today are highly ephemeral. In fact, approximately 75 percent of threats we see today have a lifetime of zero, which means that the first time we see them on an endpoint is also the last time we see them. The amount of data associated with threats is growing rapidly with no signs of abating in the foreseeable future.
Problem 2: Collaboration is key
Traditionally, new threats have been addressed with new technologies. Unfortunately, those technologies aren't often designed to work in a collaborative manner. Consider traditional anti-malware vendors who describe their protection technologies as a “stack.” This term refers to a number of technologies where each operates independently from the others. Typically, a threat is blocked on a system as soon as one of the technologies in the stack deems it malicious. Because each technology operates alone, important contextual information is lost between them. The stack-based approach was sufficient at a time when threats were more simplistic in nature.
Today's advanced threats require a more collaborative approach. Rather than operating independently, the different technologies should form a tightly integrated system. Different protection technologies should integrate natively and work in concert to arrive at a final disposition about whether a particular file or application represents a threat.
Problem 3: Don't think endpoint, think endpoints
Traditional anti-malware vendors have had a singular focus on "the endpoint." The fight against advanced malware requires a more holistic approach. Since threats typically propagate across enterprises, knowing that a single endpoint was exposed to a threat tells you nothing about how that threat may have impacted the rest of the enterprise.
IT security professionals need a broader perspective to answer critical questions including: How many threats targeted the organization as a whole? How do different departments in the organization fare against each other? How does the organization compare to the global population at large? Knowing the answers to these questions and others is important in determining how to fight advanced malware.
Problem 4: You know your threat landscape best
We often talk about the "threat landscape" as if it were a single uniform monolithic object. While it's convenient for describing overall global trends, the reality is that the threat landscape looks quite different for each organization and, in many cases, even the individuals within.
Factors that contribute to the threat landscape of an organization include its size, the value of its information assets, its profile or recognition within the industry, and the vulnerability of its systems. For example, a small business that offers a commoditized service has different information security concerns than a multinational corporation that designs sensitive technologies for government customers.
Those responsible for securing the organization are often in the best position to understand the unique nature of its threat landscape. In the fight against advanced malware, these same people should have the autonomy to apply their domain expertise rather than relying exclusively on their anti-malware vendor to develop protection for new attacks.
Problem 5: Detection is no longer enough
Unfortunately, the result of this rapidly growing problem is that security professionals often don't have visibility into the latest attacks, and struggle to maintain control after the inevitable outbreak.
Despite our best intentions, we will never reach 100 percent effectiveness against attacks. Still, we must continue to invest in new technologies that provide detection of the latest threats. It's also becoming clear that detection alone isn't enough. Today, the best solution also includes technologies that can help you quickly respond to the inevitable outbreak, technologies that can help you answer critical questions like: Where did it start? How did it spread? Can it be controlled?
In addition to answering these questions, a solution must help to ensure that enterprises can deliver on their missions with the lowest risk of asset loss, productivity loss and reputation damage.
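The questions raised under Problems 1, 3 and 5 (what share of threats is seen on only one endpoint, how departments fare against each other, and where an outbreak started and how it spread) can all be answered from one enterprise-wide log of file sightings. The Python below is an added example, not code from the article or from Sourcefire; the sighting records, host names and hash labels are constructed, and the single-endpoint share it computes is over this sample rather than the article's global figure.

```python
from collections import defaultdict

# Constructed sample sightings: (timestamp, endpoint, department, file hash).
# Hash labels are placeholders, not real indicators. ISO timestamps sort
# correctly as strings, which the functions below rely on.
SIGHTINGS = [
    ("2013-03-01T08:00", "ws-fin-01", "finance", "hash-A"),
    ("2013-03-01T08:05", "ws-fin-02", "finance", "hash-A"),
    ("2013-03-01T09:30", "ws-eng-07", "engineering", "hash-A"),
    ("2013-03-01T10:00", "ws-hr-03", "hr", "hash-B"),
    ("2013-03-02T11:15", "ws-eng-02", "engineering", "hash-C"),
    ("2013-03-02T11:20", "ws-eng-02", "engineering", "hash-A"),
]


def endpoints_per_threat(sightings):
    """Map each file hash to the set of endpoints it was seen on."""
    seen = defaultdict(set)
    for _, host, _, file_hash in sightings:
        seen[file_hash].add(host)
    return seen


def single_endpoint_share(sightings):
    """Problem 1: fraction of threats seen on exactly one endpoint,
    i.e. the 'lifetime zero' case where first sighting is also the last."""
    per_threat = endpoints_per_threat(sightings)
    singles = sum(1 for hosts in per_threat.values() if len(hosts) == 1)
    return singles / len(per_threat)


def department_exposure(sightings):
    """Problem 3: number of distinct threats seen in each department."""
    per_dept = defaultdict(set)
    for _, _, dept, file_hash in sightings:
        per_dept[dept].add(file_hash)
    return {dept: len(hashes) for dept, hashes in per_dept.items()}


def trajectory(sightings, file_hash):
    """Problem 5: first sighting per endpoint for one hash, in time order.
    The first entry is where it started, the order shows how it spread,
    and the full list is the set of hosts to contain."""
    first_seen = {}
    for ts, host, _, h in sorted(sightings):  # sorted by timestamp first
        if h == file_hash and host not in first_seen:
            first_seen[host] = ts
    return sorted(first_seen.items(), key=lambda item: item[1])
```

Run against a real sighting feed, the same three functions give the organization-wide view the article argues for instead of a single endpoint's verdict.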
Zulfikar Ramzan is chief scientist for Sourcefire.