In the wake of highly publicized cyber exploits, such as the Anthem data breach, there are always security experts weighing in. And regardless of the nature of the breach, they all seem to echo the same message: “current signatureless malware detection is not good enough.” Clearly, this is true – in fact, our preventive technologies may never be good enough to stop 100% of malware. This raises the question, “How can we stop these targeted attacks and evasive malware?” But a more relevant question may be, “How did all that data leave the network without anyone noticing?”
The Giant Security Gap
It may be hard to accept, but even in the largest organizations, with the deepest pockets, data breaches often aren’t discovered until well after the initial infection occurred. This protracted period between infection and detection, called dwell time, represents the window during which your data leaves the network. This vulnerability exists in most networks, even those that claim to have solutions in place to detect C&C callbacks. That’s because, even if a solution can detect callbacks signifying an infection, it doesn’t have the ability to stop the criminal data transfer as the infection unfolds. Infection dwell time varies, but the average is 209 days. Imagine how much data you could lose in 209 minutes, let alone 209 days. Even worse, when the breach is finally discovered, it’s usually a third party that informs the organization – sometimes a partner, often the FBI.
Closing the Security Gap
Closing this security gap involves delving more deeply into the question of how so much data can leave unnoticed. In the case of Anthem, 80 million records were uploaded to a “popular” cloud storage app. For Sony, it was even worse, with multiple terabytes of data lost. But what does closing the security gap require? Here are a few points to consider as you assess your organization’s security posture in the wake of these huge data losses and the vulnerabilities they reveal:
- A balanced approach should be the norm – Organizations have typically focused on pre-infection prevention technology, including best-of-breed AV and behavioral Sandboxing. But combatting today’s threats means balancing preventive security, which is still imperative, with post-infection detection and containment technology.
- Reducing infection dwell time is key to reducing loss – The fact that the average time between infection and detection is seven months should strike terror into the hearts of IT professionals everywhere. Yet organizations continue to put all their eggs into the basket marked “prevention”, as data flies out of the network unseen.
- Network Anomaly Detection will be a must-have going forward – Technology that can continuously monitor the full outbound Web stream and analyze it against your network baseline to find anomalies will be a major factor in post-infection defense.
- Automatic Data Containment is the only way to reduce exfiltration – Detecting active infections on your network is critical but it’s only half the solution. Unless you can automatically freeze the transfer of data the malware is trying to steal, you’re still losing data while you investigate.
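As an added illustration of the anomaly-detection and containment points above (not code from the original post or from any vendor product), the following Python check compares each host's outbound volume for the day against that host's own baseline and flags large uploads to destinations the host has never used; the host names, destinations and byte counts are constructed sample data.

```python
"""Baseline-vs-current outbound volume check over constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: per-host daily outbound byte totals for the prior seven days.
BASELINE_DAILY_BYTES = {
    "ws-1042": [12_000_000, 15_000_000, 11_000_000, 14_000_000, 13_000_000, 12_500_000, 14_500_000],
    "ws-2077": [40_000_000, 38_000_000, 45_000_000, 42_000_000, 39_000_000, 41_000_000, 43_000_000],
}
# Destinations each host talked to during that same baseline window (constructed).
BASELINE_DESTS = {
    "ws-1042": {"crm.example.internal", "mail.example.com"},
    "ws-2077": {"crm.example.internal", "cdn.example.net"},
}
# Constructed flows for the current day: (host, destination, bytes_out).
TODAY_FLOWS = [
    ("ws-1042", "crm.example.internal", 9_000_000),
    ("ws-1042", "files.cloud-share.example", 2_400_000_000),  # 2.4 GB to a never-seen destination
    ("ws-2077", "crm.example.internal", 30_000_000),
    ("ws-2077", "cdn.example.net", 12_000_000),
]


def find_anomalies(baseline_bytes, baseline_dests, flows, z_threshold=3.0, min_bytes=100_000_000):
    """Return alerts for hosts whose daily outbound volume is far above their own baseline
    (z-score over the baseline days) and for large uploads to destinations absent from it."""
    per_host = defaultdict(int)
    new_dest_flows = []
    for host, dest, n in flows:
        per_host[host] += n
        if dest not in baseline_dests.get(host, set()) and n >= min_bytes:
            new_dest_flows.append((host, dest, n))
    alerts = []
    for host, total in per_host.items():
        history = baseline_bytes.get(host)
        if not history:
            continue  # no baseline yet for this host; volume cannot be scored
        mu, sigma = mean(history), pstdev(history)
        z = (total - mu) / sigma if sigma else float("inf")
        if z > z_threshold:
            alerts.append({"host": host, "kind": "volume", "bytes": total, "z": round(z, 1)})
    for host, dest, n in new_dest_flows:
        alerts.append({"host": host, "kind": "new-destination", "dest": dest, "bytes": n})
    return alerts


def containment_rules(alerts):
    """Turn alerts into (host, destination or '*') block decisions for an egress gateway,
    so the transfer is frozen while the analyst investigates."""
    return sorted({(a["host"], a.get("dest", "*")) for a in alerts})
```

The z-score and byte thresholds are assumed starting points; in practice they are tuned per host class so that a heavy but normal uploader (such as ws-2077 above) is not flagged.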
Download a new white paper, The Impact of the Anthem Data Breach on Your Security Approach, to learn how a new approach, built on lean-forward technology, can close the security gap in your network and strengthen your organization’s security posture.