Cyber attacks are growing in frequency and sophistication, and traditional security systems and protocols are no longer protecting businesses against them. Governments, organisations and industry need to come together to formulate a new approach, to ensure that future fights are not lost too.
Jayson O’Reilly, director of sales and innovation at DRS, discusses traditional security approaches, and why they are no longer enough.
Patches issued by vendors such as Microsoft, Adobe and Oracle give us a false sense of security, he says.
“At best, patching is a catch-up game, and it is no longer doing the job. Too often, by the time a patch is issued, it is too late. Catch-up is a dangerous game, and companies that are playing it are coming unstuck.”
We read every day about millions of records being compromised or stolen, and it is safe to assume that most of the businesses that were breached applied patches regularly. Yet many still fell victim to known vulnerabilities. It is clear that patching alone is not keeping up.
“Patching is still important, however, patches are only issued once a vulnerability has been discovered. By this time, the vulnerability has usually been in the wild for a few days, and has more than likely already been exploited. This ‘after the fact’ approach is totally ineffective.
“Another downfall to patching is that a new patch will remove the old one, which could, in and of itself, create a whole new slew of vulnerabilities.”
Today’s attacks are highly sophisticated, targeted and well thought out. “We are not dealing with proof-of-concept mischief any longer, but with vast, highly organised criminal groups that are in the game for profit,” O’Reilly says.
“What is needed is a proactive approach, not a reactive one. A reactive approach only ensures that we will never stay ahead of the threat actors. Protection cannot happen in hindsight; it must be built in at development level, and be a part of all aspects of the business, and all business processes.”
O’Reilly adds that even the more recently introduced technologies such as sandboxing are no longer doing the job.
“Cyber crooks are finding increasingly clever ways to hide their malicious code. Malware is now able to evade automated analysis that security programs run in sandboxes. Malware authors are designing malware that can determine when it is running in a sandbox and alter its behaviour to avoid detection.”
A recent FireEye report, “Hot Knives Through Butter”, describes how sandboxes are only as good as the analysis that surrounds them: on their own they can only monitor and report file activity, and have no ability to analyse it. The report adds that many of the file-based sandboxes vendors use today are letting malware slip through the net, as cyber crooks invent new techniques to evade them.
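To make the evasion described above concrete, here is an added illustration (not code from the FireEye report or from DRS) of how a sandbox-aware sample fingerprints its host and why the same sample yields a clean report in a stock analysis VM but reveals its real behaviour in one made to look like a used workstation. The indicators, thresholds, MAC prefixes and both host profiles are constructed assumptions for the example; the “payload” is only a string.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// HostProfile is a constructed snapshot of facts a sample can cheaply query
// about the machine it runs on. Values are assumptions, not real telemetry.
type HostProfile struct {
	CPUs         int
	RAMMegabytes int
	Uptime       time.Duration
	MACPrefix    string   // first three octets of the primary NIC
	UserFiles    int      // documents found under the user's profile
	RunningProcs []string // process names visible to the sample
	MouseMoved   bool     // did the cursor move during a short wait
}

// Heuristics of the kind sandbox-aware malware uses; each names the
// indicator and reports whether it fires for a given host.
var sandboxIndicators = []struct {
	name string
	hit  func(HostProfile) bool
}{
	{"few cpus", func(p HostProfile) bool { return p.CPUs < 2 }},
	{"little ram", func(p HostProfile) bool { return p.RAMMegabytes < 2048 }},
	{"fresh boot", func(p HostProfile) bool { return p.Uptime < 10*time.Minute }},
	{"vm nic vendor", func(p HostProfile) bool {
		// OUIs used here: 00:0c:29 (VMware) and 08:00:27 (VirtualBox).
		return p.MACPrefix == "00:0c:29" || p.MACPrefix == "08:00:27"
	}},
	{"empty profile", func(p HostProfile) bool { return p.UserFiles == 0 }},
	{"analysis tools", func(p HostProfile) bool {
		for _, proc := range p.RunningProcs {
			l := strings.ToLower(proc)
			if strings.Contains(l, "procmon") || strings.Contains(l, "wireshark") || strings.Contains(l, "vboxservice") {
				return true
			}
		}
		return false
	}},
	{"no user activity", func(p HostProfile) bool { return !p.MouseMoved }},
}

// LooksLikeSandbox scores the host; two or more hits make the sample
// conclude it is being analysed. Returns the decision and the reasons.
func LooksLikeSandbox(p HostProfile) (bool, []string) {
	var reasons []string
	for _, ind := range sandboxIndicators {
		if ind.hit(p) {
			reasons = append(reasons, ind.name)
		}
	}
	return len(reasons) >= 2, reasons
}

// Sample models the malware's branch: a benign path under analysis and the
// real behaviour otherwise. This is what a file-based sandbox would record.
func Sample(p HostProfile) string {
	if evade, _ := LooksLikeSandbox(p); evade {
		return "benign: exit cleanly"
	}
	return "malicious: contact c2, drop second stage"
}

// Constructed profiles: a stock analysis VM, and one hardened by the analyst
// to resemble a long-running, in-use workstation (assumed vendor OUI).
var (
	defaultSandbox = HostProfile{CPUs: 1, RAMMegabytes: 1024, Uptime: 2 * time.Minute,
		MACPrefix: "08:00:27", UserFiles: 0,
		RunningProcs: []string{"vboxservice.exe", "procmon.exe"}, MouseMoved: false}
	hardenedSandbox = HostProfile{CPUs: 4, RAMMegabytes: 8192, Uptime: 36 * time.Hour,
		MACPrefix: "f4:8e:38", UserFiles: 212,
		RunningProcs: []string{"explorer.exe", "outlook.exe"}, MouseMoved: true}
)

func main() {
	for name, p := range map[string]HostProfile{"default": defaultSandbox, "hardened": hardenedSandbox} {
		evade, why := LooksLikeSandbox(p)
		fmt.Printf("%-8s sandbox detected=%v %v -> %s\n", name, evade, why, Sample(p))
	}
}
```

The practical lesson for the analyst is the one the report makes: the sandbox verdict is only as good as the environment and the analysis around it. Running the same sample in several differently-profiled VMs and flagging any divergence in behaviour catches this class of evasion, whereas a single stock VM simply reports “exited cleanly”.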
Another technology, says O’Reilly, that isn’t doing the job any longer is whitelisting and blacklisting.
“Technologies that detect malware as it enters the network and blacklist it are no longer effective. Tens of millions of security events are bypassing the traditional layers of defence. Malware is far cleverer than it was, and knows how to obfuscate itself to slip through the net. Malware is easily evading the security systems that companies rely on to defend themselves.”
Malware evades traditional security defences because it is designed to appear legitimate, with no recognisable malware signatures, or because it comes from a purportedly trustworthy source. “Its behaviour is in no way anomalous, and rings no alarms,” he adds.
He cites the example of application whitelisting provider Bit9 being hacked in February this year.
Bit9 helps organisations build custom lists of digitally signed, approved software that is supposed to be safe to run. However, its own products failed it, and Bit9 suffered a breach: attackers obtained one of the company’s code-signing certificates, and malware signed with it was subsequently found inside networks that Bit9 was protecting, where the whitelist trusted it as legitimate vendor software.
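The Bit9 incident shows the difference between “signed by a trusted vendor” and “approved to run”. The following is an added example, not Bit9’s code or policy, of an allowlisting check evaluated under three policies: trust the signer alone, trust the signer but pin the hash of each approved binary, and trust the signer until its key is revoked. The vendor key, the two binaries and their contents are constructed for the example; Ed25519 stands in for the X.509 code-signing chain a real agent would verify.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Artifact is a signed binary as the allowlisting agent sees it.
type Artifact struct {
	Name      string
	Content   []byte
	Signature []byte
	SignerID  string // fingerprint of the public key claiming to have signed it
}

func fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Policy is the agent's trust configuration.
type Policy struct {
	TrustedSigners   map[string]ed25519.PublicKey // signer fingerprint -> key
	RevokedSigners   map[string]bool              // fingerprints no longer trusted
	ApprovedHashes   map[string]bool              // per-binary allowlist (SHA-256)
	RequireHashMatch bool                         // signer trust alone is not enough
}

// Allow decides whether the artifact may execute, and says why not if not.
func (p Policy) Allow(a Artifact) (bool, string) {
	pub, ok := p.TrustedSigners[a.SignerID]
	if !ok {
		return false, "unknown signer"
	}
	if p.RevokedSigners[a.SignerID] {
		return false, "signer revoked"
	}
	if !ed25519.Verify(pub, a.Content, a.Signature) {
		return false, "bad signature"
	}
	if p.RequireHashMatch && !p.ApprovedHashes[sha256Hex(a.Content)] {
		return false, "valid signature but hash not on allowlist"
	}
	return true, "allowed"
}

func sign(priv ed25519.PrivateKey, name string, content []byte) Artifact {
	pub := priv.Public().(ed25519.PublicKey)
	return Artifact{Name: name, Content: content, Signature: ed25519.Sign(priv, content), SignerID: fingerprint(pub)}
}

// Outcome records one artifact's verdict under each policy.
type Outcome struct{ SignerOnly, HashPinned, AfterRevocation bool }

// RunScenario generates a vendor key, signs a legitimate tool with it, then
// signs attacker malware with the same (stolen) key and evaluates both.
func RunScenario() (legit, malware Outcome) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	vendorID := fingerprint(pub)
	tool := sign(priv, "vendor-tool.exe", []byte("constructed bytes of the vendor's real tool"))
	mal := sign(priv, "update.exe", []byte("constructed bytes of the attacker's payload"))

	signerOnly := Policy{TrustedSigners: map[string]ed25519.PublicKey{vendorID: pub},
		RevokedSigners: map[string]bool{}, ApprovedHashes: map[string]bool{}}
	hashPinned := signerOnly
	hashPinned.ApprovedHashes = map[string]bool{sha256Hex(tool.Content): true}
	hashPinned.RequireHashMatch = true
	revoked := signerOnly
	revoked.RevokedSigners = map[string]bool{vendorID: true}

	eval := func(a Artifact) Outcome {
		s, _ := signerOnly.Allow(a)
		h, _ := hashPinned.Allow(a)
		r, _ := revoked.Allow(a)
		return Outcome{SignerOnly: s, HashPinned: h, AfterRevocation: r}
	}
	return eval(tool), eval(mal)
}

func main() {
	legit, mal := RunScenario()
	fmt.Printf("vendor tool: %+v\n", legit)
	fmt.Printf("stolen-key malware: %+v\n", mal)
}
```

Under the signer-only policy the malware is allowed, which is the Bit9 failure mode. Revoking the compromised key blocks the malware but also stops the vendor’s genuine tool, so revocation alone is an outage as well as a fix. Pinning the hash of each approved binary keeps the legitimate tool running while rejecting anything else signed with the stolen key; the cost is that every vendor update must be re-approved, which is exactly the operational work a signer-only whitelist was bought to avoid.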
“Let’s face it, cyber thieves are coining it, and this is because the methods we are using to prevent malware from infecting our systems are failing. The traditional and next-generation firewalls, IPS, Web and e-mail gateways we are using are being easily circumvented,” O’Reilly says.
“Today’s ever-evolving threat landscape means that traditional security tools are no longer enough. Most IT departments have neither the time nor the resources to address each threat vector in isolation. Integration, automation and flexibility, and most of all sharing of information, are key today.
“By working together, the industry, governments and business can maximise resources to ensure that although battles are being lost today, the war will be won in future.”