Page 31 - Cyber Warnings
Mitigating Detection Gaps


Corporate security teams are often governed by strict business processes and change controls that can
impede rapid adoption of new security solutions or changes to existing ones. Stringent change control
can mean that organizations end up placing maximum reliance on their existing security solutions and
vendors. This is especially true of inline security solutions (those able to block traffic): companies
are often extra cautious about updating these appliances in order to minimize the risk of blocking
business applications or communications, and that caution severely reduces the value of the
investment in these solutions.

Detection Gaps – An Inconvenient Truth
False negatives happen from time to time, and they can occasionally be the precursor to an
intrusion or widespread infection. Companies that rely on signature-based security solutions
should consider the risk of new (or yet to be discovered) threats being active in the wild
without detection by existing signatures. The environment can therefore be exposed to malicious
activity without generating any security alerts until adequate signature updates are published,
perhaps days or weeks later.

When a new threat in the wild is discovered, the initial research is often proprietary information
that the discovering security company uses to protect its own customers before publicly sharing
its analysis (usually via a blog post). This is especially the case with high-profile zero-days,
malware campaigns and web site compromises.

Once information on a new threat is made public, security vendors that have not yet discovered
the threat, or lack detection for it, typically scramble to update their own detection libraries.
This can take anywhere from hours to days depending on the complexity and scope of the coverage
needed; where the threat evades the core detection technology itself, the update can take even
longer. During these temporary detection gaps, companies are exposed to the threat.

Through the use of encrypted delivery techniques and the flourishing of underground crypting
services, it is common for malware payloads to go initially undetected by AV products, especially
if advanced features such as heuristic, behavioral and cloud analysis are not enabled. The next
line of defense is then network-based detection, if the malware beacons out to command and control
infrastructure. If callback detections are also missed, the malware can embed itself in the
environment and communicate without raising an alert for a sustained period.
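The layered gap described above can be made concrete. The following is an added example, not code from the magazine or from any vendor product: a toy byte-signature scanner that misses a trivially XOR-"crypted" copy of a known-bad payload, followed by a behavioral network check that flags the same host anyway because its outbound connections to one destination recur at a near-constant interval. The signature string, the payload bytes, the single-byte XOR key, the connection-log format and the beaconing thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# --- Layer 1: a toy byte-signature scanner --------------------------------
# Constructed sample: a "known bad" marker an AV signature would match on,
# and the same payload after a trivial XOR pass (hypothetical key), which is
# the simplest form of what underground crypting services do.
SIGNATURE = b"EVIL_BEACON_v1"
CLEAR_PAYLOAD = b"MZ...setup...EVIL_BEACON_v1...connect..."  # constructed
XOR_KEY = 0x5A  # hypothetical


def crypt(payload: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the original bytes."""
    return bytes(b ^ key for b in payload)


def signature_hit(sample: bytes, signature: bytes = SIGNATURE) -> bool:
    """Static check: does the known-bad byte sequence appear verbatim?"""
    return signature in sample


# --- Layer 2: behavioral indicator, periodic beaconing ---------------------
# Constructed connection-log lines: "<epoch> <src_ip> <dst_ip>:<port>".
# One destination is contacted every 60 seconds; the others are sporadic.
LOG_LINES = """\
1478000000 10.0.0.15 203.0.113.7:443
1478000003 10.0.0.15 198.51.100.20:443
1478000060 10.0.0.15 203.0.113.7:443
1478000071 10.0.0.15 198.51.100.20:80
1478000120 10.0.0.15 203.0.113.7:443
1478000180 10.0.0.15 203.0.113.7:443
1478000240 10.0.0.15 203.0.113.7:443
1478000300 10.0.0.15 203.0.113.7:443
1478000347 10.0.0.15 198.51.100.20:443
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)$")


def parse_log(text: str) -> dict:
    """Group connection timestamps by (source, destination:port)."""
    by_pair = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, src, dst = int(m.group(1)), m.group(2), m.group(3)
        by_pair[(src, dst)].append(ts)
    return by_pair


def beacon_candidates(by_pair: dict, min_conns: int = 5, max_jitter: float = 0.1) -> dict:
    """Flag pairs whose inter-connection gaps are nearly constant.

    Returns {pair: rounded average interval in seconds}. Thresholds are
    illustrative; real beacons add jitter, so tune max_jitter per environment.
    """
    hits = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue
        stamps = sorted(stamps)
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[pair] = round(avg)
    return hits


def detect(sample: bytes, log_text: str) -> dict:
    """Run both layers and report what each one saw."""
    return {
        "signature": signature_hit(sample),
        "beacons": beacon_candidates(parse_log(log_text)),
    }


if __name__ == "__main__":
    print("clear payload, signature:", signature_hit(CLEAR_PAYLOAD))
    print("crypted payload:", detect(crypt(CLEAR_PAYLOAD), LOG_LINES))
```

The point is not the toy XOR but the ordering: the static layer reports nothing for the crypted copy, and only the second, behavior-based layer produces a signal. If that layer is absent or not enabled, the host in the log keeps talking to 203.0.113.7 every minute with no alert.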

This has been the case with many of the POS intrusions seen in recent years. Whether due to
outdated security infrastructure or false-negative situations, the impact on businesses has been
devastating.


31 Cyber Warnings E-Magazine November 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
