decrypting myths
can identify single stage malicious payloads. However, the modern attacks we are continuing to see are more sophisticated as they are multi-staged, specifically designed to bypass this type of static defence.
The first attack stage can contain no malware whatsoever. Its purpose? To penetrate a weak static system. Once inside, it identifies the operating system (OS), geolocation and other parameters confirming the profile of the target. It can simultaneously engage in VM evasion, logging and fingerprinting techniques before deciding if it’s appropriate to deliver its payload. If the target is in the wrong country, delivered to the wrong type of client or suspects that it’s on a VM, the attachments may never weaponise and simply remain harmless. However, when the right conditions are met, the malicious second stage is triggered, eluding an organisation’s static defence.
It’s critical that organisations implement a dynamic defence that detonates these threats safely by introducing sandbox capabilities. Where the sandbox is positioned is up for debate, but since these are overwhelmingly email-based attacks, a solution that automates sandboxing at the mail gateway before threats can enter the corporate network or reach user mailboxes is far more effective.
Another reason dynamic defences like sandboxing would be dismissed is the higher volume of broad, commoditised attacks. These generic attacks are more easily picked up by reputation controls and are by definition not targeted. If the security vendor is simply attempting to ‘catch a lot of attacks’, then sandboxing is a difficult luxury to justify. However, when working with high risk, high-value customers, new or unseen targeted attacks do occur and these are generally of the multi-phase variety. Despite being less common, these targeted attacks do far greater damage and are much harder to detect. They are typically customised for specific organisations and unlikely to show up in a generic signature database. Sandboxing is often the only way to be shielded from these more sophisticated attacks.
MISCONCEPTION #3. “A vendor that claims to spend the most revenue on R&D may not.”
R&D spending is important. It shows investors and the broader community the extent to which an organisation values and is committed to innovation and technology over other business expenses. And while the largest security vendors can easily outspend mid-sized or smaller vendors in every category when considering absolute dollars, it is more effective to consider the amount spent on R&D as a percentage of revenue when comparing vendors of different sizes, to show their degree of focus on product enhancement and rate of innovation.
MISCONCEPTION #4. “Securing the enterprise means securing the network.”
Protecting the network is still important, but as businesses move resources, communications and services to the cloud and fewer assets and workloads are managed by corporate IT, they need to keep an eye on the most attractive target for criminals: their employees.
Adenike Cosgrove, Cybersecurity Strategist at Proofpoint

IT security spending today continues to reflect outdated priorities. According to Gartner, network security solution spending is predicted to surge to US$13.3 billion by the end of 2019. The amount organisations spend on email security pales in comparison, despite the fact that, according to the SANS Institute, 95% of all attacks on enterprise networks are the result of successful phishing attacks. The goal of those email attacks is often to gain
Issue 11 | www.intelligentciso.com