
Anti-Virus (AV) has a role to play in protecting businesses against the generic threat: the Internet vandal or hacker intent on causing maximum damage and gaining global attention. But such threats are now being pushed down the list of things that keep the IT professional awake at night. Factor in polymorphic, mutating malware delivered via phishing or socially engineered vectors, and signature-based AV on its own offers little protection against the contemporary Advanced Persistent Threat (APT).
AV is not just fallible, it is fighting the wrong battle. It is time to wake up to the new reality and implement a truly effective line of defence.

Slow and Stealthy
Whether due to complacency or naivety, the vast majority of organisations have failed to adapt their security processes and procedures to reflect the changing threat landscape. From the Chinese hackers gaining access to valuable intellectual property to the Russian gangs recently exposed for a $500m fraud, the attack model today is a world away from the loud-mouthed Internet vandal that used to dominate the headlines. Today's attacks are carried out by groups rather than individuals, are designed to steal valuable data, and are designed to leave no trace. And these groups are patient. A recent analysis of APT incidents by Mandiant revealed that the average period over which the attackers controlled the victim's network was one year, with the longest almost five years.

These breaches are not just bypassing the AV software: a growing number of APTs are actually inside jobs, with authorised users introducing keylogger software or other malware directly to systems via USB. Throw in social engineering and irresistibly tempting phishing emails and there are simply too many ways to side-step traditional defences and infiltrate the business. Given the growing awareness of the trend towards the APT, why do so many organisations persist in relying on an AV-and-firewall perimeter alone, with many even acknowledging that the approach is probably 'secure enough'? It is not.

New reality
Mature model
If AV does not work on its own, what is the option? Firstly, organisations need to address the complacency that exists and start implementing the standard security processes and procedures that are key to defending the infrastructure and reducing the risk of compromise. Getting the basic principles of security right is a good place to start. Perceived by some as a black art, security hardening checklists can now be delivered as a best-practice template that reflects the specific operating system and network environment. With a list of recommendations available within minutes, there is little excuse for continuing to ignore the essentials of IT security.

However, organisations also need a dependable way of detecting the presence of malware if and when it does bypass the front-line defences. The backstop to traditional defences ideally needs to be a real-time alert triggered by any change to critical files that might indicate compromise, or the beginning of the slow move towards the central core of the business. File Integrity Monitoring (FIM) is a proven way of reducing the risk of an undetected breach; indeed it is a core requirement of the PCI DSS (Requirement 11.5, change detection on critical system and configuration files) and of other security standards. It raises an alert on any change to the underlying, core file systems, whether that change was made by an insider, by malware introduced by an unwittingly phished employee, or by a zero-day threat that passed through the AV unrecognised.

Flagging up changes in this way removes the attacker's chief advantage: the stealth attack that supposedly gets in and out leaving no trace does leave one, and the business is notified immediately. Two practical caveats apply. FIM only sees what it is configured to watch, so the monitored set must cover the binaries, configuration files and persistence locations an attacker would actually touch, and the baseline must be taken from a known-good state and stored where the attacker cannot rewrite it. And a change alert is only useful if someone reviews it, so FIM needs to be tied to a change-control process that distinguishes authorised patching from unexpected modification.

Gold standard
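To make the FIM mechanism described above concrete, here is a small Python file-integrity monitor. It is an added example written for this edit, not code from the article or from any product it mentions. It takes a baseline of a directory tree, recording a SHA-256 digest, permission bits, owner and size for every file, and later re-scans the tree and reports what was added, removed or modified, and which attribute changed. Modification timestamps are deliberately not used, because an attacker can restore them with `touch -r`; the baseline is written to a location separate from the monitored tree, which in production should be read-only or held off-host. The directory layout, file contents and tampering steps inside `demo()` are constructed for the example.

```python
#!/usr/bin/env python3
"""Minimal file-integrity monitor: baseline a tree, then report any change.

Added example for this article, not the code of any product it mentions.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

HASH_ALGO = "sha256"


def fingerprint(path: Path) -> dict:
    """Record the attributes of one file that an attacker could tamper with.

    Timestamps are deliberately excluded: `touch -r` restores them trivially,
    whereas a content hash and the permission bits cannot be faked in place.
    """
    st = path.lstat()
    rec = {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISLNK(st.st_mode):
        rec["target"] = os.readlink(path)  # a redirected symlink is a change too
    elif stat.S_ISREG(st.st_mode):
        h = hashlib.new(HASH_ALGO)
        with path.open("rb") as f:
            for chunk in iter(lambda: f.read(1 << 16), b""):
                h.update(chunk)
        rec[HASH_ALGO] = h.hexdigest()
    return rec


def build_baseline(root, exclude=()) -> dict:
    """Walk `root` and fingerprint every file, keyed by POSIX-style relative path.

    `exclude` holds relative path prefixes to skip (logs, spool directories...).
    """
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if any(rel == e or rel.startswith(e + "/") for e in exclude):
                continue
            baseline[rel] = fingerprint(p)
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Diff two fingerprint maps; `modified` lists which attributes changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        old, new = baseline[rel], current[rel]
        changed = sorted(k for k in set(old) | set(new) if old.get(k) != new.get(k))
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, store) -> None:
    """Persist the baseline; in production keep this read-only or off-host."""
    Path(store).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store) -> dict:
    return json.loads(Path(store).read_text())


def check(root, store, exclude=()) -> dict:
    """Re-scan `root` and report every deviation from the stored baseline."""
    return compare(load_baseline(store), build_baseline(root, exclude))


def demo() -> dict:
    """Constructed scenario: baseline a tiny 'system', tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as sys_dir, tempfile.TemporaryDirectory() as store_dir:
        root, store = Path(sys_dir), Path(store_dir) / "baseline.json"
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF original sshd binary")
        (root / "bin" / "sshd").chmod(0o755)
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/bash\n")
        (root / "etc" / "passwd").chmod(0o644)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        save_baseline(build_baseline(root), store)

        # Simulated intrusion: same-size binary swap (size alone would miss it),
        # world-writable passwd, a deleted file and a new persistence hook.
        (root / "bin" / "sshd").write_bytes(b"\x7fELF trojaned sshd binary")
        (root / "etc" / "passwd").chmod(0o666)
        (root / "etc" / "hosts").unlink()
        (root / "etc" / "ld.so.preload").write_text("/tmp/evil.so\n")
        return check(root, store)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Running the script prints the report for the constructed scenario: the trojaned `bin/sshd` is flagged on its hash alone (its size is unchanged), `etc/passwd` on its mode, `etc/hosts` as removed and `etc/ld.so.preload` as added. A real deployment would schedule `check()` (or hook it to inotify or a similar notification API) against a baseline taken from a freshly built host, and would exclude paths that legitimately churn so that the alerts stay meaningful.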