“An ounce of prevention is worth a pound of cure.” Coined by Benjamin Franklin back in 1736, and applicable to so many aspects of life and business, the phrase even served the IT security industry well for the first quarter of a century. But today this phrase no longer rings true.
As our protection methods get better and better and security effectiveness levels reach new heights, the bad guys are digging deep and using advanced malware, targeted attacks and new attack vectors to try to circumvent existing protection methods. These attacks are so stealthy that many security professionals struggle to determine if they even have an advanced malware problem. These malicious threats hone in on their victims, disguise themselves to evade defences, can hide for extensive periods and then launch their attacks at any time. Given this new level of sophistication, malware outbreaks are inevitable.
Once you do identify malware on your network, there remain a lot of unknowns, for example: How did the malware get in? How extensive is the outbreak? How does the malware behave? What is needed to recover? How can the outbreak be stopped?
To answer these questions and mitigate the impact of a breach, you need defences that address the full attack continuum – before it begins, during the time it is in progress and even after it begins to damage systems. Let’s take a closer look at some of the best practices in each of these phases and how layers of security infrastructure at each phase must work together for better protection.
Before an attack: It’s pretty simple. You can’t protect what you can’t see. Or, put another way, you need to know what’s on your network in order to defend it – devices, operating systems, services, applications, users, content and potential vulnerabilities. Being able to establish a baseline of information is a critical first step in defending your organisation from attack. Implementing access control over applications and users is also important in this phase. Minimising the attack surface through intelligent and granular controls reduces your organisation’s vulnerability to attackers taking advantage of today’s many attack vectors to glean information and penetrate networks. But this alone is no longer enough.
During an attack: To combat today’s increasingly sophisticated malware, you need the best threat detection possible. To help assess security effectiveness and performance levels, third-party tests of IT security solutions in real-world environments can help you separate hype from reality. Once you can detect a file as malware you can block it. And because malware changes so quickly, having the ability to learn and update detection information based on evolving threat intelligence is critical to maintaining security effectiveness. Still, given the nature of malware today, the best threat detection alone isn’t sufficient to protect your environment.
After an attack: Once advanced malware enters your network it’s safe to assume it will attempt to infect other systems. At this point, marginalising the impact of an attack becomes the end game. You need to take a proactive stance to understand the scope of the damage, contain the event, remediate it and bring operations back to normal. Technologies that provide continuous analysis so that you can take informed protection measures, and even retroactively quarantine files that may have passed through unnoticed but are now identified as malicious, can help you stem the damage and remediate.
Franklin’s words of wisdom put us on the right path. But when it comes to the challenge of defending our networks today, “security – before, during and after the threat” are more suitable watchwords.