Every now and then we have a thought that we'd like to share.
This is the page where we share those thoughts.
Anti-virus - every one of our incident response customers has AV. In every case it did not work.
In a dynamic threat environment, occasional security testing is no longer enough.
Here are our thoughts on how to move from a position of occasional assurance to one of continuous assurance.
Penetration testing is a carry-over from last century.
We question why this technique is still regarded as an essential security assessment tool...
Anti Virus (AV) was designed last century to deal with last century malware.
It is fair to say times have changed. Significantly.
Malware used to be released slowly and with a reasonably consistent signature. This suited signature-based detection perfectly and led to the success of anti-virus as we know it. Malware is now released rapidly: many new variants appear daily, each with a unique signature.
The bad guys have toolkits that produce a virus unique to each victim. You and I can each be attacked with a binary that differs by signature but has identical malicious capability, such as stealing banking passwords or holding our files to ransom.
Beyond cheap, unique viruses, the bad guys now make extensive use of legitimate tools already on your computer (so-called living off the land: PowerShell, WMI, scheduled tasks, remote administration tools). Depending on the commentator, 40%-60% of all attacks are estimated to be malware-free, i.e. they involve no virus or malware of any kind. A signature-based technology has no ability to defend against this type of attack.
Compounding this is the ubiquitous use of the Internet. Few people, organisations or places in the world are not now interconnected, and at very high speed. This is the perfect breeding ground for quickly developed, disposable malware. It is trivial for a criminal to launch a campaign against a victim using many variations of their malware, and because of the interconnectivity the criminal can launch many attacks at the same time. It then becomes a numbers game. Simple statistics show that some attacks will succeed, in part because many people steadfastly hold onto outdated and inadequate security tools.
WannaCry is the poster child for security tool failure. Some may applaud the AV vendors for shipping a signature 48 hours after the outbreak. The tens of thousands affected in the meantime are unlikely to be among those applauding.
There is a piece of the story that seems to have gone largely untold. A small group of innovative companies using a new type of technology successfully defended against WannaCry and continue to defend against subsequent ransomware and other attacks. These technologies are not based on signature detection. They assess behaviours. To use a ransomware example: an unknown piece of software systematically encrypting files is never good, so it is prevented. No signature is needed to judge that this activity is undesirable. The behaviour gives all of the indicators that are needed.
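The two points above, a per-victim signature defeating hash matching while the behaviour stays the same, and a behavioural rule catching mass encryption without any signature, as one added example. This is illustrative code written for this page, not code from the page's author or from any vendor product: the "known bad" payload, the blocklist, the toy cipher and the file-activity telemetry are all constructed for the demo, and the thresholds (five high-entropy overwrites of distinct files inside ten seconds) are assumptions, not anyone's production tuning.

```python
"""Signature matching vs. behavioural detection of a ransomware-like process.

Constructed example: payloads, hashes, events and thresholds are made up.
"""
import hashlib
import math
from collections import defaultdict

# --- Part 1: a per-victim variant slips past a hash blocklist ------------------

# Hypothetical "known bad" payload, and the same payload rebuilt for a second
# victim with one junk byte appended (what a builder kit does per target).
KNOWN_BAD = b"ENCRYPT_ALL_FILES;DROP_RANSOM_NOTE"
VARIANT = KNOWN_BAD + b"\x00"

SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD).hexdigest()}  # constructed blocklist


def signature_match(payload: bytes) -> bool:
    """Classic AV-style check: is the file's SHA-256 on the blocklist?"""
    return hashlib.sha256(payload).hexdigest() in SIGNATURE_DB


# --- Part 2: behavioural rule over file-write telemetry -----------------------

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext/compressed data, ~4-5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window_s=10.0, min_files=5, min_entropy=7.0):
    """Flag any pid that overwrites >= min_files distinct paths with high-entropy
    content inside a sliding window of window_s seconds.

    events: iterable of (timestamp_seconds, pid, path, bytes_written).
    Returns the set of flagged pids. Thresholds are assumptions for the demo.
    """
    high_entropy_writes = defaultdict(list)  # pid -> [(ts, path), ...]
    flagged = set()
    for ts, pid, path, data in sorted(events, key=lambda e: e[0]):
        if shannon_entropy(data) < min_entropy:
            continue  # ordinary document/text write, ignore
        hist = high_entropy_writes[pid]
        hist.append((ts, path))
        recent_paths = {p for t, p in hist if ts - t <= window_s}
        if len(recent_paths) >= min_files:
            flagged.add(pid)
    return flagged


def toy_encrypt(data: bytes, key: bytes) -> bytes:
    """Deterministic stand-in for the ransomware's cipher: XOR with a SHA-256
    counter-mode keystream. Toy only, used so the demo output is repeatable."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def build_sample_events():
    """Constructed telemetry.
    pid 100: text editor saves one document.
    pid 200: backup tool copies eight low-entropy documents.
    pid 400: browser saves two compressed downloads (high entropy, few files).
    pid 300: rewrites eight documents with ciphertext within ~2 seconds.
    """
    text = b"Quarterly report: revenue grew 4% on the prior period. " * 20
    key = b"constructed-demo-key"
    events = [(0.0, 100, "/home/u/notes.txt", text)]
    events += [(1.0 + i, 200, f"/backup/doc{i}.txt", text) for i in range(8)]
    events += [(5.0 + i, 400, f"/home/u/Downloads/pkg{i}.zip", toy_encrypt(text, key))
               for i in range(2)]
    events += [(2.0 + i * 0.3, 300, f"/home/u/docs/file{i}.docx", toy_encrypt(text, key))
               for i in range(8)]
    return events


if __name__ == "__main__":
    print("signature hit on original:", signature_match(KNOWN_BAD))   # True
    print("signature hit on variant: ", signature_match(VARIANT))     # False
    print("behaviour flags pids:", detect_mass_encryption(build_sample_events()))  # {300}
```

Two things to note. The one-byte variant has identical behaviour but a different hash, so the blocklist misses it; the behavioural rule never looks at the binary at all, only at what the process does to files. The browser (pid 400) shows why a plain "high-entropy write" trigger is too noisy: compressed downloads are also high entropy, so the rule also requires many distinct files in a short window before it fires.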
Our technology partner, CrowdStrike, is an acknowledged leader in this space. CrowdStrike has built a large sensor network and developed a clear baseline of normal behaviour, so its detection and prevention capabilities offer very high fidelity. To describe this technology as an anti-virus replacement is to undersell its capabilities. But, if nothing else, you will see a security uplift by using it just in this way.
If your Anti-Virus subscription is coming for renewal, please contact us for a no obligation quote and potentially trial of a technology that will help defend you and your organisation against this century's threats.
Security testing is a common security assurance tool that has been used for many years. Yet, despite countless expensive tests, systems continue to be compromised.
This is hardly security assurance, a point indirectly acknowledged in the disclaimers that preface a typical test report.
Of course the testing will be claimed a success, because it will invariably identify a misconfiguration, a missing patch, or an exploit that has caught the tester's particular interest. However, the overwhelming evidence points to a systemic failing in the real-world assurance this type of testing provides.
While these findings are valid, at best they offer occasional assurance: valid only at that point in time and only against the agreed testing scope. A vulnerability or exploit unknown to the tester may remain, or may be disclosed the day after the test.
On April 14 2017 the Shadow Brokers published a large number of previously unknown exploits, including EternalBlue. These went on to be used in the large ransomware attacks of 2017 (WannaCry in May, NotPetya in June). Microsoft had patched the underlying SMB flaw as MS17-010 in March 2017, but the exploit itself was unknown to the public, and therefore to any tester, until that day. Imagine if you had paid for security testing on April 13...
It is highly likely that many, if not all, of the organisations affected by these exploits had undertaken security testing, only to be compromised anyway.
Our preferred testing model is Continuous Assurance: a process of ongoing, real-world security testing. It combines threat hunting, detection and prevention with in-depth system hygiene monitoring and, where possible, real-time vulnerability assessment.
Let's identify how the criminals are really attacking you rather than the theoretical or contrived findings of a security tester.
Our clients are updated on their security assurance each month, or more urgently if required.
We highly recommend a separation of duties between security administration (provided by a service provider) and security assurance management. Our Continuous Assurance programme gives our clients ongoing comfort about the security of their environment. An important side effect is that we provide independent visibility into the quality of the security administration their service provider delivers.
Please contact us for a no obligation discussion about how you can reduce your security testing expenditure and achieve a higher level of security assurance.