AV has a role to play in protecting businesses against the generic threat; the Internet vandal or hacker intent on causing maximum damage and gaining global attention. But such threats are now being pushed down the list of things that keep the IT professional awake at night, principally by the targeted attack; the stealth approach that can take months, even years, to slowly gain access to the most critical area of the business and remove data, leaving virtually no trace. Factor in polymorphous and mutating malware, delivered via phishing or social engineered vectors and AV is, quite frankly, useless against the contemporary Advanced Persistent Threat (APT).
As Mark Kedgley, CTO, NNT, insists, AV is not just fallible – it is fighting the wrong battle; it is time to wake up to the new reality and implement a truly effective line of defence.
Slow and Stealthy
Whether due to complacency or naivety, the vast majority of organisations have failed to adapt security processes and procedures to reflect the changing threat landscape. From the Chinese hackers gaining access to valuable Intellectual Property to the Russian gangs recently exposed for a $500m fraud, the attack model today is a world away from the loud mouthed internet vandal that used to dominate the headlines.
Today’s attacks are carried out by groups, rather than individuals; are designed to steal valuable data – and leave no trace. And these organisations are patient. A recent analysis of Advanced Persistent Threat (APT) incidents by Mandiant revealed the average period over which the attackers controlled the victim's network was one year, with the longest almost five years. And these breaches are not just bypassing the AV software: growing numbers of APTs are actually inside jobs, with authorised users introducing key logger software or malware directly to systems via USB. Throw in social engineering and irresistibly tempting phishing emails and there are simply too many ways to side-step traditional defences and infiltrate the business.
Given the growing awareness of the trend towards the APT, why are so many organisations persisting on relying upon securing the perimeter solely via AV and firewall – with many even acknowledging that the approach is probably ‘secure enough’? It’s not.
To be frank, AV was never enough, even in the days when the threat landscape was dominated by the attention seeking big virus or malware creator. AV has to be updated daily in response to the new threats that have emerged – by default, during that time the business is at risk of infection. AV cannot address the zero day, or zero hour, threat until it has been identified, quarantined and an antidote created.
This model was flawed when the majority of viruses were noisy and high profile. In today’s threat landscape, viruses and malware are the opposite: silent, stealthy and targeted. That means fewer organisations or individuals are affected – and hence there are fewer opportunities for the virus to be identified and neutralised. That zero day threat might go undetected for some time because it is attacking a specific vulnerability within the business – or targeting a specific individual to gain access.
If AV doesn’t work – what is the option? Firstly, organisations need to address the complacency that exists and start implementing some of the standard security processes and procedures that are key to defending the infrastructure and reducing the risk of compromise. Getting the basic principles of security right is a good place to start. Perceived by some as a black art, security hardening checklists can now be delivered in a best practice template that reflects the specific operating system and network environment. With access to a list of recommendations within a matter of minutes – is there really an excuse for continuing to ignore the essentials of IT security?
However, organisations also need a completely infallible way of detecting the presence of malware if and when it does manage to bypass security defences. The back stop to traditional defences ideally needs to be a real time alert triggered by any change to file structure that might indicate compromise or the beginning of the slow move towards the central core of the business.
File Integrity Monitoring (FIM) is proven to radically reduce the risk of security breaches; indeed it is a core recommendation of the PCI DSS and other security standards. It raises an alert related to any change in underlying, core file systems – whether that has been achieved by an inside man or an unwittingly phished employee introducing malware, or some other zero day threat blasting unrecognised through the AV. Flagging up changes in this way ensures there is no chance of an APT gaining hold; no risk of the stealth attack that gets in and out leaving no trace – there is a trace and the business is immediately notified.
To date too many organisations have failed to implement FIM for fear of the additional work load created by a system that flags every single unauthorised change – a fact that says rather too much about the anarchic attitudes towards change management endemic within most organisations. FIM raises an alert for every unauthorised change that occurs within the infrastructure. For organisations with robust change management processes, with clearly defined patch windows and no changes made without request and authorisation, implementing and running FIM is a breeze: the only time alerts are flagged are when actual security concerns arise.
Combining FIM with effective change management and a consistent build standard not only fundamentally reduces the security risk but it also minimises the risk of downtime created by unauthorised or misguided system changes. It supports a raft of compliance requirements, most notably PCI DSS, and provides organisations with infrastructure visibility to support effective planning and investment. And, critically, unlike AV, FIM creates a secure environment that truly reflects the current threat model.
The temptation to rely on AV is understandable: in an over –worked IT department any set-up-and-go system has appeal. But in an era that is increasingly dominated by the APT, relying on AV is not just complacent it is ill-judged. Organisations need to safeguard data – from customer records to intellectual property – against organisations with phenomenal reach and expertise, as well as a willingness to play the waiting game. The risks have changed. The threat is stealthy and targeted. It is time not just to pick the right battle – but to arm the business with the right defences.