A few thoughts on how to wade through the maze of today's security software
Before the emergence of the CryptoLocker ransomware attacks in 2013, the cybersecurity element of IT administration was a relatively minor concern for CIOs. Most organizations felt reasonably safe with a firewall for perimeter security and an antivirus solution to protect servers, endpoints and their Exchange server and mailboxes. As we all know now, with the success of CryptoLocker and the countless breaches and ransomware attacks that followed it, the number and sophistication of these attacks have reached unprecedented levels.
The cybercriminal organization of today is highly organized, well-funded and widespread, with vast technical resources for developing new and innovative methods every single day, whether to find a way to breach an organization or to deliver crippling ransomware to under-protected businesses all around the world.
Over the last few years, it has been my role at DSolution to work with organizations who have been affected by these often unfortunate and sometimes catastrophic events. I have seen firsthand the distress, panic and helplessness of the IT people I speak with as they describe the event that has occurred within their organization. Believe me, it’s not pleasant.
There are myriad reasons why this continues to happen in businesses everywhere, but in most cases it is clear to me that the layers of security protection they have in place are simply not sufficient to protect an organization’s IT infrastructure and data against today’s sophisticated cyber threats.
The IT and senior-management people I speak with often express their difficulty in understanding how best to equip themselves to defend their organizations against these cyber threats, and feel overwhelmed by the flood of information and vendor propaganda currently circulating on cybersecurity. Separating the market hype from the solutions that would best serve their security needs is fast becoming the number one problem.
Although the perception of how to secure an organization can be quite different between IT personnel and their senior management team, I would like to throw out a few simple ideas to think about when considering your security needs and what to look for in the security solution(s) you might be considering:
Since email is still the number one entry point for phishing attacks, consider using an external email provider to filter out most of the spam and malicious emails that an organization would normally receive. Today’s bad actors can easily find a way to overwhelm your firewall and/or spam box, so it is a whole lot easier to have the provider’s infrastructure take the hit should a malicious attack occur. Consider your users too, particularly the ones who open all types of emails and click on potentially malicious links. Most IT personnel know that the chink in your security armour is often the entity between the screen and the keyboard.
As for a firewall, every organization should have one. Depending on the size, industry and security requirements in play, what that firewall needs to do could be discussed in great detail.
Endpoints are without question the most vulnerable and most challenging part of an organization’s IT infrastructure to protect. To combat today’s cyber threats, protection on endpoint devices should employ independent components that are lightweight and multi-layered. This provides maximum protection while using minimal endpoint and network resources. Effective multi-layered protection should include:
real-time blocking and quarantine of malicious files, links and websites.
protection for applications and browsers that employs generic techniques (ones that do not rely on blacklist signature updates, whitelisting or sandboxing) for reliable detection of both known and unknown (zero-day) vulnerability exploit attacks.
signature-less detection of new and unknown threats by modeling known trusted files rather than attempting to model historical malware samples.
protection at the process/thread layer to block and quarantine suspicious or malicious behaviors (particularly ransomware activity).
In the last couple of years there has been much debate over the emergence of the new advanced threat detection and machine learning technologies used in many of the latest security products. The discussion over which technology and whose product is superior continues to drive an endless debate. Many of these “new” vendor entries dismiss the “old” incumbent products as outdated technology that can no longer effectively protect an organization from today’s cyber threats. What is interesting to note, however, is that these “old” vendor solutions have built their behavior analysis around what is “good” (typically stable and trusted objects), which is why they have an excellent track record in detection with very few false positives.
Some other key factors that should be considered when evaluating the viability of any security solution:
Many organizations do not have a specialized IT security resource, so it often falls on system administrators to manage the organization’s security function along with an array of other applications and systems. They simply do not have the time to learn a product that requires a detailed understanding and/or needs their constant attention. Security solutions that are easy to use and implement, and that protect the IT infrastructure with minimal intervention, are the most effective for them.
As a final note, product support has become even more important, as CIOs and their IT staff are looking to the software vendors and, more importantly, their Value Added Partners to provide the expertise and help they need to meet this challenge. Since security software vendors largely depend on their partners to provide the front line for interfacing with customers and prospects, selecting a partner with the expertise and a proven track record of supporting customers is an important criterion in the evaluation process.