4 Critical Mistakes IT Security Professionals Must Avoid is a two-part series that examines four common mistakes made by security professionals and the solutions to avoid making them in the future.
Part 1 is published below. Part 2 can be viewed here.
Today’s organizations face seemingly limitless IT security threats including advanced malware, targeted attacks, advanced persistent threats (APTs) and insider threats. These security threats can be extremely complex, making them particularly difficult to detect, evaluate, and eliminate.
One way to help detect and identify today’s threats is context-based endpoint and user IT analytics. Context-based analytics sift through vast amounts of end-user, device, application and connectivity data from across the enterprise and draw attention to anomalies and anything outside the norm. This allows IT to proactively protect the organization and make smarter, more timely, data-driven security decisions.
A recent targeted attack on Swiss banks initially went undetected by antivirus programs. Fortunately, one of the targeted banks had an endpoint and user IT analytics solution in place. This solution was used to identify meaningful patterns in activity and behavior.
By looking for patterns in activity on each endpoint, a baseline of “normal” activity and behavior can be established. When the targeted attack on the bank began, the analytics solution was able to detect the creation of a new process with administrator privileges in the %userprofile% path. The process and its unusual DNS traffic represented a behavior anomaly which alerted IT to the potential risk.
Within a single machine and lacking wider context, it’s impossible to spot these types of anomalies. By applying analytics to all end-user endpoints, it’s possible to see when something abnormal is occurring across a range of similar endpoints.
Are antivirus (AV) tools dead? Some IT security experts say the sheer number of advanced and zero-day threats, often shrouded as encrypted/polymorphic payloads, makes traditional endpoint detection nearly useless.
Rather than “dead”, it’s perhaps more accurate to call antivirus solutions “insufficient”. According to a recent study by the Threat Center, an industry standardized testing organization, even the highest-performing AV tool, Malwarebytes, only caught 84% of all threats. The average endpoint AV tool comes closer to 50%, with only 51% able to discover zero-day threats. And it gets worse – according to GCN, antivirus tools can actually impair endpoints by creating a host of false positives.
The bottom line? You need something to supplement existing AV tools. With endpoint and user IT analytics you can identify sophisticated attacks very early on without having specific foreknowledge. Although attack vectors are different in every case, the effects on an endpoint are not. By comparing current behavior to previous healthy activity on the same endpoint and on other healthy endpoints, malicious threats can actually be discovered quite easily.
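The check described in the bank case and in the paragraph above can be sketched in a few lines. This is an added example, not code from the article or from any analytics product: it flags a process that runs elevated from the user profile, is rare across the fleet, and generates DNS volume far above the host's own healthy baseline. The events, baseline values, thresholds and function names are all constructed assumptions.

```python
import re
from statistics import mean, pstdev

# Constructed telemetry (not from the article). One record per process start:
# (host, image path, ran elevated?, DNS queries in the hour after start).
EVENTS = [
    ("pc-01", r"C:\Program Files\Office\winword.exe", False, 12),
    ("pc-02", r"C:\Program Files\Office\winword.exe", False, 9),
    ("pc-02", r"C:\Program Files\Backup\agent.exe", True, 95),
    ("pc-01", r"C:\Users\alice\AppData\Local\Chat\chat.exe", False, 20),
    ("pc-02", r"C:\Users\bob\AppData\Local\Chat\chat.exe", False, 18),
    ("pc-03", r"C:\Users\carol\AppData\Local\Chat\chat.exe", False, 22),
    ("pc-04", r"C:\Program Files\Office\winword.exe", False, 11),
    ("pc-04", r"C:\Users\dave\AppData\Roaming\svc_update.exe", True, 410),
]
# Constructed baseline: hourly DNS query counts per host from a healthy period.
BASELINE = {
    "pc-01": [10, 14, 12, 11], "pc-02": [9, 8, 12, 10],
    "pc-03": [15, 13, 16, 14], "pc-04": [11, 13, 10, 14],
}
PROFILE = re.compile(r"^c:\\users\\[^\\]+\\", re.IGNORECASE)

def normalize(path):
    """Collapse per-user directories so one binary compares equal across hosts."""
    return PROFILE.sub(lambda m: "%userprofile%\\", path).lower()

def find_anomalies(events, baseline, max_hosts=1, z_min=3.0):
    """Return (host, image, z) for elevated user-profile processes that are
    rare across the fleet and whose DNS volume exceeds the host baseline."""
    hosts_by_image = {}
    for host, path, _, _ in events:
        hosts_by_image.setdefault(normalize(path), set()).add(host)
    alerts = []
    for host, path, elevated, dns in events:
        image = normalize(path)
        history = baseline[host]
        sigma = pstdev(history) or 1.0  # flat history: avoid division by zero
        z = (dns - mean(history)) / sigma
        rare = len(hosts_by_image[image]) <= max_hosts
        if elevated and image.startswith("%userprofile%\\") and rare and z >= z_min:
            alerts.append((host, image, round(z, 1)))
    return alerts

if __name__ == "__main__":
    for alert in find_anomalies(EVENTS, BASELINE):
        print(alert)
```

Neither signal is sufficient alone here: the elevated backup agent has high DNS volume but runs from Program Files, and chat.exe runs from the user profile but is unelevated and present on several hosts.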
With enterprise-wide, real-time analytics covering all endpoints, end-users, applications, services and network connections, it’s possible to fill the security gap on endpoints and discover the 50% of threats being missed by traditional endpoint protection.