The limits of prevention-centric security programs

In an analysis of tens of thousands of malicious files, Damballa discovered that it can take more than six months for traditional AV tools to create signatures for 100% of the files. With ‘time to breach’ a critical component in damage control in today’s threat environment, the analysis further underlines the importance of adopting a proactive stance to threat detection.

Within the first hour of submission, AV products missed nearly 70% of malware. Further, when rescanned to identify malware signatures, only two in three (66%) were identified after 24 hours and after seven days, the total was 72%. It took more than six months passed for AV products to create signatures for 100% of the malicious files. The longer an infection dwells before discovery and remediation, the greater the odds of data exfiltration.

The significance of this is the impact it has on containment and labor-intensive detection processes. This was underscored by the recent findings of a Ponemon Institute report, which revealed that an average enterprise security team receives 17,000 weekly alerts, or 2,340 daily. AV products would have missed 796 malicious files on Day One, which suggests a sizeable risk associated with that number of infections potentially dwelling inside the network.

With skilled security manpower in limited supply, the report also highlights the importance of automating manual processes and decreasing the ‘noise’ from false positives rather than trawling through uncorroborated alerts to find the true infections.

In order to reduce manual efforts, Damballa advises security teams must have:

  • High-fidelity, automatic detection of actual infections to reach a statistical threshold of confidence in a true positive infection
  • Integration between detection and response systems
  • Policies that enable automated response based on a degree of confidence.

Brian Foster Damballa CTO comments, “What’s clear from these figures is that we have to turn the table on infection ‘dwell’ time. In much that same way that a flu vaccine hinges on making ‘best-guess’ decisions about the most prevalent virus strains – AV is only effective for some of the people some of the time. Viruses morph and mutate and new ones can appear in the time it takes to address the most commonly found malware.”

“Dependence on prevention tools simply isn’t enough in this new age of advanced malware infections; attackers can morph malware code on a whim, yet organizations have a finite number of staff to deal with the barrage of noise generated from security alerts. We urge taking a fresh “breach-readiness” approach, which reduces dependence on people and legacy prevention tools.”