Shifting the security focus to prevention and response

by Tony Jarvis of Check Point
13 June 2016

With every new threat detected, the security landscape shifts. Attackers are no longer just looking for inventive ways to infiltrate a network but also for innovative evasion techniques. What really matters is how vendors respond to this evolving landscape, rather than making incremental enhancements to existing solutions that still focus predominantly on detection instead of prevention.

The first and most critical pillar of an effective security strategy is to stop threats before the initial compromise, and the only way to do that is prevention. Many vendors simply cannot do it, which is why they talk about detection. The majority of solutions deployed today rely on a detection capability, and some require users to choose whether suspect files should be quarantined or allowed through. Not only is this intrusive to the user experience, it is also prone to human error. Inflexible deployment models that call for an all-or-nothing choice between cloud and private malware analysis fail to meet many customers' requirements. To make matters worse, the analysis often takes too long, giving malware plenty of time to get to work before its presence becomes known.

Traditional sandboxes have been around for years and work at the operating system level. That has given malware authors time to understand how they work and to develop evasion techniques with high rates of success. CryptXXX ransomware, identified in April 2016, uses a virtual-machine evasion technique based on a time delay: its DLL waits 62 minutes before launching the payload, so a sandbox that observes the sample for only a few minutes sees nothing malicious, and the delay also makes it harder to connect the eventual incident to its source.
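The delay trick above is easy to see in an API trace, and the usual sandbox counter-measure (hook the sleep APIs, return at once, and advance the sample's notion of elapsed time) is just as easy to show. The following Python is an added example and not Check Point's code: the trace format, the five-minute analysis window and both sample traces are constructed assumptions; only the 62-minute figure comes from the article.

```python
"""Sleep-based sandbox evasion: spot it in an API-call trace, and show why a
sandbox that skips sleeps sees what a naive one misses.

Added example, not Check Point's code. The trace format, the five-minute
analysis window and the sample traces are assumptions for illustration;
the 62-minute delay mirrors the CryptXXX behaviour described above.
"""
from dataclasses import dataclass

SANDBOX_WINDOW_S = 5 * 60       # assumed analysis budget per sample
INFINITE = 0xFFFFFFFF           # Win32 INFINITE timeout
# sleep-like Win32 APIs -> index of the millisecond timeout argument
SLEEP_APIS = {"Sleep": 0, "SleepEx": 0, "WaitForSingleObject": 1}


@dataclass
class ApiCall:
    t: float          # seconds since process start, as the sandbox saw it
    name: str
    args: tuple = ()


def requested_delay_ms(call: ApiCall) -> int:
    """Milliseconds of delay a call asks the OS for (0 if not a sleep)."""
    idx = SLEEP_APIS.get(call.name)
    if idx is None or idx >= len(call.args):
        return 0
    ms = call.args[idx]
    return 0 if ms == INFINITE else int(ms)   # INFINITE is a wait, not a timer


def activity_within_window(trace, window_s=SANDBOX_WINDOW_S, skip_sleeps=False):
    """API names observed before the analysis window expires.

    With skip_sleeps=True the sandbox is assumed to hook the sleep APIs,
    return immediately and advance the sample's clock by the requested
    delay, so the sample's later activity lands inside the window.
    """
    seen, skipped_s = [], 0.0
    for call in trace:
        if call.t - skipped_s > window_s:
            break
        seen.append(call.name)
        if skip_sleeps:
            skipped_s += requested_delay_ms(call) / 1000.0
    return seen


def analyze(trace, window_s=SANDBOX_WINDOW_S):
    """Compare what a naive and a sleep-skipping sandbox would each observe."""
    total_s = sum(requested_delay_ms(c) for c in trace) / 1000.0
    naive = activity_within_window(trace, window_s)
    skipping = activity_within_window(trace, window_s, skip_sleeps=True)
    evasion = total_s > window_s and len(skipping) > len(naive)
    return {
        "requested_delay_s": total_s,
        "seen_without_skipping": naive,
        "seen_with_skipping": skipping,
        "verdict": "sleep-evasion" if evasion else "no-sleep-evasion",
    }


# Constructed trace shaped like the CryptXXX delay: sleep 62 minutes, then encrypt.
CRYPTXXX_LIKE = [
    ApiCall(0.1, "LoadLibraryW", ("ADVAPI32.dll",)),
    ApiCall(0.3, "Sleep", (62 * 60 * 1000,)),
    ApiCall(3720.4, "CryptAcquireContextW"),
    ApiCall(3720.9, "CreateFileW", (r"C:\Users\victim\Documents\report.docx",)),
    ApiCall(3721.2, "WriteFile"),
]

# Constructed benign trace: a short UI pause only.
BENIGN = [
    ApiCall(0.1, "LoadLibraryW", ("USER32.dll",)),
    ApiCall(0.2, "Sleep", (500,)),
    ApiCall(0.7, "MessageBoxW", ("hello",)),
]

if __name__ == "__main__":
    for name, trace in (("cryptxxx-like", CRYPTXXX_LIKE), ("benign", BENIGN)):
        print(name, analyze(trace))
```

The naive run of the CryptXXX-like trace stops after `LoadLibraryW` and `Sleep`; the sleep-skipping run also sees the crypto and file-write calls. Sleep hooking is not a complete answer: samples that compare `GetTickCount` or `RDTSC` against real elapsed time, or sleep in many short increments, detect the fast-forwarding, which is part of why the OS-level sandbox has become a moving target.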

An advance in sandbox technology is to integrate CPU-level threat prevention, using features of Intel's more recent processors to detect the exploitation techniques that malware relies on rather than the malware itself. Only a handful of such techniques exist, and although there are millions of malware variants in circulation, they all share those same few techniques. This makes it possible to detect unknown malware, something that signatures and generic heuristics cannot do. CPU-level analysis can also be triggered by an alert from an existing antivirus, anti-bot or threat emulation agent on the endpoint. When a malicious file is found, it can be quarantined at the process level or the whole host can be isolated, which prevents the threat from moving laterally and spreading to other machines on the network.
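One well-known way to turn the processor's branch records into an exploit detector is the call-preceded-return check used by several hardware-assisted ROP detectors: the CPU's last-branch records are read back, and any RET that does not land on the instruction immediately after a CALL is a gadget boundary rather than a real return. The Python below is an added example of that heuristic and is not Check Point's product logic; the code image, the branch records and the threshold of three consecutive violations are constructed assumptions.

```python
"""Call-preceded return check over CPU branch records: the core heuristic of
several hardware-assisted ROP detectors (they read the processor's last-branch
records and reject RETs that do not land right after a CALL).

Added example, not Check Point's product logic. The code image, the branch
records and the run-length threshold are constructed assumptions.
"""
from dataclasses import dataclass

# Constructed code image: address -> (mnemonic, instruction length in bytes)
CODE = {
    0x401000: ("call 0x401100", 5),   # main calls a parser with a stack overflow
    0x401005: ("mov [ebp-4], eax", 3),
    0x401008: ("ret", 1),
    0x401100: ("sub esp, 0x40", 3),   # vulnerable callee
    0x401103: ("call 0x401300", 5),   # copies attacker data onto the stack
    0x401108: ("add esp, 0x40", 3),
    0x40110b: ("ret", 1),             # this RET gets hijacked
    0x401200: ("pop eax", 1), 0x401201: ("ret", 1),       # gadgets
    0x401210: ("pop ecx", 1), 0x401211: ("ret", 1),
    0x401220: ("xchg eax, esp", 1), 0x401221: ("ret", 1),
    0x401230: ("int3", 1),
    0x401300: ("rep movsb", 2), 0x401302: ("ret", 1),
}


@dataclass(frozen=True)
class Branch:
    src: int
    dst: int
    kind: str   # "call", "ret" or "jmp"


def call_preceded_addresses(code):
    """Addresses that sit immediately after a CALL: the only legal RET targets."""
    return {addr + length for addr, (mn, length) in code.items() if mn.startswith("call")}


def violating_returns(records, code):
    """RET branches whose target is not call-preceded."""
    legal = call_preceded_addresses(code)
    return [b for b in records if b.kind == "ret" and b.dst not in legal]


def longest_violation_run(records, code):
    """Longest streak of consecutive RETs that all violate the check.

    A lone violation can be legitimate (longjmp, exception unwinding); a ROP
    chain produces several in a row because every gadget ends in RET.
    """
    legal = call_preceded_addresses(code)
    best = run = 0
    for b in records:
        if b.kind == "ret" and b.dst not in legal:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def is_rop_chain(records, code, threshold=3):
    return longest_violation_run(records, code) >= threshold


# Constructed branch records for a normal call/return sequence...
BENIGN = [
    Branch(0x401000, 0x401100, "call"),
    Branch(0x401103, 0x401300, "call"),
    Branch(0x401302, 0x401108, "ret"),
    Branch(0x40110b, 0x401005, "ret"),
]

# ...and for the same code after the overflow redirects the RET into gadgets.
ROP = [
    Branch(0x401000, 0x401100, "call"),
    Branch(0x401103, 0x401300, "call"),
    Branch(0x401302, 0x401108, "ret"),
    Branch(0x40110b, 0x401200, "ret"),   # hijacked: lands on a gadget, not after a CALL
    Branch(0x401201, 0x401210, "ret"),
    Branch(0x401211, 0x401220, "ret"),
    Branch(0x401221, 0x401230, "ret"),
]

if __name__ == "__main__":
    for name, recs in (("benign", BENIGN), ("rop", ROP)):
        print(name, "violations:", len(violating_returns(recs, CODE)),
              "rop chain:", is_rop_chain(recs, CODE))
```

The check never looks at the payload, only at control flow, which is why it applies to malware it has never seen. The run-length threshold is what keeps legitimate non-call-preceded returns (setjmp/longjmp, unwinders) from tripping it, and a real detector would also need to handle jump-oriented and call-oriented gadget chains that avoid RET altogether.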

Sound security strategies also stress the importance of understanding and responding to a given incident. All too often, machines are simply re-imaged without any understanding of how they were compromised in the first place or what damage was done. Without this knowledge, nothing stops an attacker from coming back, because no additional security measures have been put in place; the organization is left exactly where it was before the attack.

Best practice is an automated incident analysis report that tracks the attack from its origin and pinpoints exactly what happened and when. Full visibility of which hosts are infected, how the threat arrived and where it spread takes the guesswork out of incident response. As with sandboxing, this needs to happen within minutes so that informed decisions can be made without first triaging events to decide which ones warrant further time and expense. Finally, a script should be deployed to the endpoint to clean the infected host.
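The three things such a report has to answer (how the threat arrived, which process lineage led to the alert, and where it reached) can be reconstructed mechanically from endpoint telemetry. The Python below is an added example and not Check Point's report format: the event schema, the hostnames, the process identifiers and the IP addresses are all constructed, and "internal" is defined simply as the RFC 1918 ranges.

```python
"""Reconstruct an incident chain from endpoint telemetry: origin of the
threat, the process lineage that led to the alert, and which hosts it
reached. Added example, not Check Point's report format. The event schema,
the processes and the IPs are constructed; "internal" means RFC 1918 here.
"""
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed telemetry from one workstation (times are HH:MM:SS on one day).
EVENTS = [
    {"t": "09:01:12", "type": "file_write", "pid": 300, "image": "outlook.exe",
     "path": r"C:\Users\jsmith\AppData\Local\Temp\invoice.docm"},
    {"t": "09:02:05", "type": "process_start", "pid": 412, "ppid": 300,
     "image": "winword.exe", "cmd": 'winword.exe "invoice.docm"'},
    {"t": "09:02:40", "type": "process_start", "pid": 520, "ppid": 412,
     "image": "powershell.exe", "cmd": "powershell.exe -w hidden -f stage.ps1"},
    {"t": "09:02:41", "type": "net_connect", "pid": 520, "dst": "198.51.100.23:443"},
    {"t": "09:03:10", "type": "process_start", "pid": 611, "ppid": 520,
     "image": "crypt.exe", "cmd": "crypt.exe"},
    {"t": "09:03:30", "type": "net_connect", "pid": 611, "dst": "10.0.5.12:445"},
    {"t": "09:03:31", "type": "net_connect", "pid": 611, "dst": "10.0.5.13:445"},
    {"t": "09:03:40", "type": "alert", "pid": 611, "image": "crypt.exe",
     "rule": "mass file encryption"},
    {"t": "09:03:45", "type": "process_start", "pid": 700, "ppid": 1,
     "image": "notepad.exe", "cmd": "notepad.exe"},          # unrelated noise
]


def process_index(events):
    """pid -> {'ppid', 'image'}; processes seen only via other events get ppid None."""
    idx = {}
    for e in events:
        if e["type"] == "process_start":
            idx[e["pid"]] = {"ppid": e["ppid"], "image": e["image"]}
        elif "image" in e:
            idx.setdefault(e["pid"], {"ppid": None, "image": e["image"]})
    return idx


def lineage(pid, idx):
    """Process chain from the earliest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in idx and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = idx[pid]["ppid"]
    return list(reversed(chain))


def classify(dst):
    """Split 'host:port' and say whether the host is on an internal range."""
    host = dst.rsplit(":", 1)[0]
    addr = ip_address(host)
    return host, any(addr in net for net in INTERNAL_NETS)


def describe(e):
    for key in ("cmd", "path", "dst", "rule"):
        if key in e:
            return f"{key}={e[key]}"
    return e.get("image", "")


def incident_report(events, alert_pid):
    """Origin, lineage, contacted hosts and an ordered timeline for one alert."""
    idx = process_index(events)
    chain = lineage(alert_pid, idx)
    related = sorted((e for e in events if e["pid"] in chain), key=lambda e: e["t"])
    internal, external = set(), set()
    for e in related:
        if e["type"] == "net_connect":
            host, is_internal = classify(e["dst"])
            (internal if is_internal else external).add(host)
    return {
        "chain": [idx[p]["image"] for p in chain],
        "origin": related[0],                 # earliest event touching the lineage
        "external_contacts": external,        # likely command-and-control
        "internal_contacts": internal,        # lateral movement candidates
        "timeline": [f'{e["t"]} {e["type"]:13} pid={e["pid"]} {describe(e)}' for e in related],
    }


if __name__ == "__main__":
    report = incident_report(EVENTS, 611)
    print(" -> ".join(report["chain"]))
    print("\n".join(report["timeline"]))
```

Run against the constructed events, the report traces the alert on `crypt.exe` back through `powershell.exe` and `winword.exe` to the attachment `outlook.exe` wrote to disk, separates the one external contact from the two internal SMB connections that should be checked for spread, and lists the eight related events in order. Those two internal hosts are precisely the ones a re-image of the original workstation would have left unexamined.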

The job of today's CIO is increasingly challenging: balancing financial investment against the level of security while keeping business operations running smoothly. Security vendors need to go beyond providing a service and partner with their customers to consult on and help set long-term security strategies.

Tony Jarvis is chief strategist, Asia, Middle East and Africa, Check Point Software Technologies