Damballa report highlights the limitations of prevention-centric security
Anti-virus (AV) suppliers can take more than six months to create signatures for malware, according to a report from security firm Damballa
Traditional anti-virus (AV) suppliers can take more than six months to create signatures for some malware, according to the Damballa 2014 fourth quarter State of Infections report.
Highlighting the limitations of prevention-centric security, Damballa based its report on an analysis of tens of thousands of malicious files.
“With the time to breach a critical component of damage control in today's threat environment, the study further underlines the importance of adopting a proactive stance to threat detection," the report said.
The study revealed that, in the first hour of submission, AV products missed nearly 70% of malware; and only 66% were identified after 24 hours, rising to 72% after a full week.
It took more than six months for AV products to create signatures for 100% of the malicious files selected for the study.
“The longer an infection dwells before discovery and remediation, the greater the odds of data exfiltration,” the report said.
Damballa said the finding was underscored by a recent Ponemon Institute report, which revealed an average enterprise security team receives 17,000 weekly alerts, or 2,340 daily.
Applying this finding to the Damballa study means that traditional AV products would have missed 796 malicious files on the first day.
Damballa said this suggests a sizeable risk associated with that number of infections dwelling inside the network.
Automation key to detection
With skilled security professionals in short supply, the report highlights the importance of automating manual processes and decreasing the "noise" from false positives, rather than trawling through uncorroborated alerts to find the true infections.
To reduce manual efforts, Damballa advises security teams must have:
- High-fidelity, automatic detection of actual infections to reach a statistical threshold of confidence in a true positive infection;
- Integration between detection and response systems;
- Policies that enable automated response based on a degree of confidence.
“What is clear from these figures is that we have to turn the table on infection 'dwell' time,” said Brian Foster, chief technology officer at Damballa.
“In much the same way a flu vaccine hinges on making 'best-guess' decisions about the most prevalent virus strains, AV is only effective for some of the people some of the time. Viruses morph and mutate and new ones can appear in the time it takes to address the most commonly found malware," he said.
Foster said prevention tools on their own offer inadequate protection for businesses in the face of advanced malware infections.
“Attackers can morph malware code on a whim, yet organisations have a finite number of staff to deal with the barrage of noise generated from security alerts. We urge taking a fresh breach-readiness approach, which reduces dependence on people and legacy prevention tools,” he said.