By Micah Graf, Security Researcher at CounterTack
Much like the paperless office, which we talked about for years and then one fine day just seemed to happen, our recent chant that the malware security program is dead will also just seem to happen one fine day. But we are not quite there yet. The reason: we are looking for the next-generation endpoint malware security technology to replace the once-trusty AV, but comprehensive protection is still a long, long way away.
In last week’s blog, we discussed why critical malware security infrastructure is a prime target. To recap, targeted malware attacks on critical infrastructure will continue to occur solely because of the political and economic ramifications that follow such an incident. Political, economic and financial drivers are all motivating factors behind attacks of this nature.
Gartner has been the most vocal about the need for a process shift, advocating what it calls an “adaptive malware security architecture.” The idea is to balance efforts among attempting to predict when a breach will occur, preventing the ones you can, detecting what a successful attacker has done on the endpoint, and ultimately responding to the attack in some way. You need to be doing all of these, all the time, with a variety of technologies, so you can respond appropriately.
“How you protect yourself from a shotgun blast is very different than how you protect yourself from a sniper’s bullet,” says Neal MacDonald, VP distinguished analyst at Gartner.
Let’s look at a real-world example of why you need change now, before you get stuck in the quicksand of a disastrous endpoint breach your prevention tools missed.
Given the endless game of whack-a-mole that is IT malware security, it makes sense that, as anti-virus effectiveness waned, malware analysis software vendors moved to network-level prevention. The idea: we won’t need to scramble to keep malware off endpoints if we can block the exploit or malware at the email server or web gateway.
From network-based anomaly detection to advanced sandboxing, these tools flooded the market and worked great — for a while. As they always do, attackers adjusted, adding new techniques such as encryption and fast-flux DNS. It is an arms race, after all. Some malware attackers started to obscure their exploits, hiding in plain sight by blending in with innocuous network traffic. Others simply stopped aiming at the network. No network traffic means no results from network detection tools.