The limits of prevention-centric information security programs highlighted
- Published: Friday, 03 April 2015 13:54
Damballa has released its Q4 2014 State of Infections Report, highlighting the limitations of a prevention-centric approach to security.
Based on a comparison study in which thousands of enterprise files were reviewed, Damballa found that, within the first hour of submission, AV products missed nearly 70 percent of malware. When the files were rescanned, only two in three (66 percent) had been identified as malicious after 24 hours, and after seven days the total was 72 percent. It took more than six months for AV products to create signatures for 100 percent of the malicious files. The longer an infection dwells before discovery and remediation, the greater the odds of data exfiltration.
The significance of this is the impact it has on containment and labor-intensive detection processes. With skilled security manpower in limited supply, the report highlights the importance of automating manual processes and decreasing the 'noise' from false positives, rather than trawling through uncorroborated alerts to find the true infections.
To reduce manual effort, Damballa advises that security teams must have:
- High-fidelity, automatic detection of actual infections to reach a statistical threshold of confidence in a true positive infection;
- Integration between detection and response systems;
- Policies that enable automated response based on a degree of confidence.
Brian Foster, Damballa CTO, commented: “What's clear from these figures is that we have to turn the table on infection 'dwell' time. In much the same way that a flu vaccine hinges on making 'best-guess' decisions about the most prevalent virus strains - AV is only effective for some of the people some of the time. Viruses morph and mutate and new ones can appear in the time it takes to address the most commonly found malware.”
“Dependence on prevention tools simply isn't enough in this new age of advanced malware infections; attackers can morph malware code on a whim, yet organizations have a finite number of staff to deal with the barrage of noise generated from security alerts. We urge taking a fresh ‘breach-readiness’ approach, which reduces dependence on people and legacy prevention tools.”
The full State of Infections Report can be downloaded at http://www.damballa.com/state-infections-report-q4-2014/