As an enterprise, it is always important to constantly reevaluate information security solutions. When doing so, take a good look at the perimeter solutions in place and their associated detection mechanisms. What’s interesting is that many vendors that offer detection offerings use more than one solution as their engines. Some of these detection mechanisms are developed in-house, others combine with external solutions and some collaborate with other vendors to provide a solution with improved security.
Many enterprises follow the collaboration bread crumbs and there is a tendency to think that the more vendors involved in contributing technology to a security solution, the better and more robust that solution will be.
At first glance, it does seem that there would be an advantage to working with a security solution that was taking advantage of several different vendors’ tech. But is there really an advantage to onboarding a security strategy that is representative of several detection engines in one solution? The enterprise now has several engines with differing levels of expertise in how they respond to threats and potential intrusions, all integrated into one complete solution.
Complexity rises with the number of vendors contributing to one solution
Issues can arise in this circumstance. For instance, end-users should receive an decisive call on detection notification having information either “passed” or “blocked”. When employing a solution that has more than one engine integrated into it, a vendor will receive a set of indicators from different engines and then combine them into a single verdict of passed or blocked, for which the vendor builds logic specifically for the solution. That could be a proprietary algorithm, a machine learning algorithm, or a rule-based decisioning engine. This is a complex task, especially when a vendor only has superficial knowledge about the solutions with which they integrate.
What we see happening here, is moving the problem, outside of the engines, and instead processing a set of indicators that might or might not indicate malicious behavior. One scenario is – what would the IT team do if “engine A” provided a set of indicators that said to it that a malicious act was occuring, but “engine B” usually assesses as benign?
And finally, employing an additional detection engine does not increase the detection rate. In fact, the possibility of worsening the detection rate increases when a vendor does not have its own engine. There is a gap in understanding and determining the true meaning of the indicators and the ultimate confusion that can arise in assessing too many sources of sometimes conflicting information.
The cost factor
Budget is always a concern in any company. In this instance, having all of the enterprise’s security solutions all of the time can be expensive. Additionally, in some instances, the license does not permit the use of the engine in alternative way. Instead, financial or license restrictions must be inserted into the decision mechanism to determine which solutions to use for each sample. The easiest way to do it is to characterize the sample using static-analysis methods. For example, if a file contains a macro, it will act differently than a file that does not contain one. For advanced attacks, static evasion techniques can be used. In conclusion, this level of decision algorithm is complex and usually results in many false-negatives.
Updates can be delayed
Updating a solution that contains integrated detection engines in one solution, can be complex. Due to their reactive nature, each detection mechanism, is continually evolving and creating more indicators.
Using a stand-alone deployment, the user may receive the updates in a timely fashion, but having numeruos engines inside your product increases the urgency to know which new indicators were added, and how they impact the character and responsiveness of the overall decision algorithm. This period is followed by a period of time to develop, integrate and test, the risk of breach is even increasing, especially if an enterprise waits for the updates for too long a period of time.
So what’s the solution?
These issues – complexity, cost, and delayed updates – are the central issues as to why we see malware and bad actors be able to bypass all of the integrated detection solutions available today. It is easier than ever to deploy new solutions, so there is no reason not to choose the best solution for your security needs.