Co-founder and CEO
In response to the increasing sophistication of modern malware, frequency of targeted attacks and costs of resulting security breaches, today’s enterprises are making major investments in a wide variety of threat detection technologies. While these Advanced Malware Detection (AMD) products do an excellent job of finding next-generation malware IT, security teams are struggling to effectively respond once a threat has been detected.
According to a Ponemon Institute report from earlier this year, the cost of a security breach averages $840,000 per occurrence. It is not surprising then that organizations are investing in all types of threat detection and early warning solutions. They are routinely supplementing their traditional anti-virus (AV), intrusion detection/prevention (IDS/IPS), and security information and event management (SIEM) solutions with Advanced Malware Detection (AMD) platforms, threat intelligence feeds, and even big-data-for-security solutions.
However, the job of IT security does not end with simply deploying Advanced Malware Detection. Many of these AMD solutions leave the all-important next steps of verifying, prioritizing, and containing the detected threats for the manual efforts of the organization’s IT security team. These challenging tasks are costly, time consuming, and leave organizations and their data exposed.
The limitations of AMD revolve around what these solutions can do to actually prevent what they find from having an adverse impact on the organization. For example, while many solutions are capable of identifying potential threats and establishing a relative severity, they are limited to a single source of knowledge – relying on the deconstruction of an individual event, policy violation, or suspicious activity. In such cases, there often isn’t enough contextual information for AMD solutions to analyze to verify necessary details that can elevate the potential threat to a higher sense of urgency.
The gap in protection left by AMD also exists because many threat detection solutions are either passive by design, or are frequently deployed that way to minimize network architecture changes or the impact on network performance. The challenge created by this occurs when threats are detected, but the resulting alert requires a manual response by IT teams, during which time significant damage can be done by the attack. In addition, any follow-on events or recurrences of the same threat may require the same manual response process having to be repeated all over again.
But even if an AMD solution has sufficient context and the means to enact an appropriate response, a third limitation involves the scope of a potential response. Does the threat apply only to one or a handful of devices deployed at a few locations in the network? Is enterprise-wide protection needed, requiring the security team to re-configure hundreds of security devices throughout the network, including firewalls, routers and web proxies? Either way, the answer is that despite knowing about threats in a timely manner, enterprises are still suffering from materially significant security incidents, as compromised systems continue to wreak havoc until a separate, manual incident response process is executed.
The impact of these manual processes is that organizations are unable to leverage available threat information from being put to use in a meaningful manner by the entire security infrastructure. The gap between initial detection and pervasive protection caused by inefficient response processes diminishes the value of these AMD investments, since today’s enterprises are left exposed to detected threats far longer than they should be. More to the point, the longer the window of vulnerability is open, the more incidents and greater financial impact may result as data is compromised and infections are allowed to spread. These manual processes brought about by AMD also tie up an organization’s security staff from addressing other business objectives and priorities.
Today’s dynamic organizations require a new paradigm for responding to advanced malware and sophisticated cyber-attacks that results in real-time response capabilities, and they need it to work with existing AMD and protection solutions they’ve invested in and are already in place. Organizations need to bridge this gap to substantially reduce the time and effort required to contextualize detected threats, and slam the door on modern malware and targeted attacks, preventing data loss and protecting against future infections of other users. With the ability to capture business-specific logic and threat-specific workflows, organizations can be ensured of a graduated response proportional to the fidelity and severity of identified threats.
Help is on the horizon with a new approach to security intelligence that integrates with both AMD solutions and existing security infrastructure devices. With the ability to receive threat events from multiple sources, and validate these threats with additional security context data, this new approach enables IT security teams to review and validate incidents beyond the originating threat detection systems. This information is then intelligently processed and applied in real-time to dynamically adjust defensive countermeasures to automatically mitigate against verified threats, and any follow on attempts from that same threat – all by leveraging existing security infrastructure devices.
By bridging this gap, as well as automating related processes, enterprises will be able to quickly, intelligently and thoroughly respond to threats of all types as they are detected. Benefits organizations will derive from this new approach include:
- A substantial reduction in the duration, impact and potentially even frequency of security incidents, and the resultant loss of sensitive data or spread of malware;
- A substantial reduction in the time and effort required of security staff to implement an appropriate and thorough response from detected threats and other forms of security intelligence; and
- A substantial increase in the value of their security investments, as the effectiveness of both threat detection resources and policy enforcement infrastructure are significantly enhanced, if not maximized.
As discussed, today there is a significant gap created by more complex and persistent attacks on our infrastructure, creating a strain and security holes. New approaches are needed, and are on the horizon, which connect AMD and policy enforcement with threat intelligence, context and automation to help organizations best leverage their security investments, and protect their networks.