Keeping malware off your network is like a never-ending game of space invaders, except that you need more than one weapon to ward off criminals from cyberspace. But deploying the right security solutions in the right places is crucial if your lines of resistance are to be effective.
A report published in November 2012 by NSS Labs, Cybercrime Kill Chain vs. Defense Effectiveness – subversion of layered security, analyses the effectiveness of security systems, concluding that many attacks successfully penetrate layered security defenses. Network edge firewalls, intrusion protection systems (IPS), endpoint protection suites/antivirus and browser protection, as commonly deployed by large organizations, all fail to live up to expectations.
A best-of-breed network edge firewall protecting your corporate intranet is all very well, but it is designed to prevent certain types of external attack and can’t block malware that has already found its way onto your endpoints. Furthermore, the value of endpoint security suites varies significantly between products - as this and many other reports confirm, antivirus on its own can’t be relied on for comprehensive protection.
Endpoint protection suites sometimes include application allow listing to block programs not approved by IT, but it is less certain how many organizations actually use this technology, considering it takes some administrative effort to deploy and maintain. A case-in-point is Windows AppLocker, while packaged free with the operating system, is rarely deployed in practice. There is also a fear of the unknown in application allow listing, preventing it from being widely used; in contrast to antivirus, which is a pervasive and well understood defense.
Most of the malware samples used by NSS Labs in the study would have been blocked had application allow listing and least privilege security been used on endpoints, alongside antivirus and other network-layer defenses. With the help of Avecto, deploying least privilege security and blocking unsanctioned applications on servers and desktops becomes as easy as rolling out traditional signature-based AV protection.
Click here to download the NSS Labs report: https://www.nsslabs.com/reports/cybercrime-kill-chain-vs-defense-effectiveness
NSS Labs report key findings:
- Antivirus does not prevent a dedicated attacker from compromising a target.
- Antivirus products differ up to 58% in effectiveness at stopping exploits, with protection levels varying between 34% and 92%. Several products failed detection of exploits when switching from HTTP to HTTPS.
- Low risk targets should assume they will be subject to opportunistic attacks at some point.
- The availability of sophisticated malware tools results in a high degree of attack automation. This ranges from systematic identification of vulnerable targets to successive fully automated exploitation.
- By the time of attack, the malware used by a dedicated attacker is known to be undetectable by common antivirus programs. Services exist that allow cybercriminals to have all their samples continuously tested and be alerted by mail or text if a sample is subsequently detected by a new signature.
- Despite being reachable only through indirect attacks, client desktops are increasingly the main focus of attack for threat actors.
- Prior to tuning, IPS blocked considerably fewer attacks – some less than 50%.
Russell Smith, IT Consultant & Security MVP
Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine.
Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.