Since the explosion of the internet, organizations have been faced with a constant struggle to avoid the associated flood of security threats. Attacks have become more advanced, and organized crime rings have shifted focus from low-value individuals to more lucrative targets, such as large enterprises.
To put this into context, the Ponemon Institute states that 90% of businesses in the UK, France and Germany have suffered at least one security breach in the last year, with 59% citing they have been victims of two or more incidents. And if further proof was needed, the recent spate of high profile breaches, such as those at Sony, Citi Group and RSA, again emphasize the vulnerabilities in existing security practices.
One of the reasons that security practices have become so ineffective is that they continue to be based on the same old technologies, which are often ill-equipped to protect against emerging threats. A prime example is blacklisting technologies. Whereas many enterprises invest heavily in these solutions because they are proven to keep out known malware, the increasingly sophisticated cyber-threats are now able to bypass these defenses, leaving corporate networks dangerously vulnerable to attack.
Take – for example – spear phishing, one of the biggest threats to have emerged in recent years. As these attacks become more sophisticated, these spoofed emails have grown increasingly convincing and often appear to be sent from a trustworthy source. It is relatively easy for these tailored – almost unique – emails to evade detection by blacklisting tools.
Complex cyber-attacks are often conducted by perpetrators for significant financial gain. A prime example of just how financially rewarding these can be is the recent spear phishing attack on international publisher Condé Nast. Receiving what on the face of it appeared to be a legitimate email from its printer requesting future payments to be sent to an alternative account, Condé Nast ended up forwarding almost $8 million in just 44 days to a scammer.
This example may be extreme, but it serves to demonstrate just how costly cyber-attacks can be. Organizations are consequently paying the true price, with figures showing that the average cost of a cyber-attack is $7.2 million, not to mention increasingly heavy fines being issued for lax security. By failing to sufficiently protect private information from cybercriminals, organizations do not just face significant financial penalties, but they can jeopardize their bottom line. With the European Commission expected to soon beef up legislation around the disclosure of data breaches, these costs look to escalate.
Blacklist Shortcomings
Though popular, the problem with traditional blacklisting solutions is that companies need to know what threats they are facing if they are to adequately protect against them. Known as a zero-day attack, if the piece of malware is brand new, then there is a good chance it will be allowed to run and cause damage before it makes the AV publisher’s blacklist. With anti-virus vendors estimating that around 73,000 new pieces of malware are created daily, it is not hard to see why it is so difficult for traditional defense methods – such as anti-virus – to keep up.
Organizations also need to take into consideration that malware often evolves, infecting just a few machines before mutating, allowing it to continually evade AV blacklisting technologies. Indeed, a recent report from NSS Labs stated that anti-virus products missed between 10–60% of the threats created by cybercriminals, often due to the fact that malware caught via one entry point is not always detected when introduced from another vector.
The Whitelist Assurance
The concept of a layered protection strategy, or ‘defense in depth’, is fairly well known; however, many IT managers overlook what can be one of the strongest layers of defense available – application whitelisting. Working in the opposite way to blacklists, whitelists enable IT managers to identify exactly which programs should be permitted to run, thus providing greater reassurance that unknown malware and viruses will not infiltrate the network.
Unlike blacklisting, the malicious files do not need to be caught first and so application whitelisting does not rely on updates from the AV publisher’s database of known threats. This is important to endpoint security because, unlike anti-virus solutions, it doesn’t depend on definition updates. Crucially, this means that mutating viruses and new threats that are not yet known to anti-virus firms can still be blocked by application whitelisting.
That’s not to say that anti-virus solutions do not have a role to play – it is still good baseline security. Although it may have limitations, anti-virus is a valuable tool against known threats. Nonetheless, with sophisticated threats becoming more and more prevalent, it is essential that organizations take action to bolster their layers of defense.
Traditional technologies based on blacklists are no longer a suitable sole defense against cyber-attacks. Instead, organizations need to take a layered approach to endpoint security. A crucial part of this armory is whitelist applications, which act as the ultimate safety net by ensuring that any executable malware that might bypass the blacklisting solution is blocked.
With more advanced, targeted cyber-attacks constantly being created, there has never been a more appropriate time for organizations to conduct a serious risk assessment of their infrastructure and ensure that they are prepared for the evolved threats of today. Applying a layered security strategy combining blacklisting and whitelisting solutions brings added value by helping to keep employees focused and productive, ensuring workstation availability, minimizing compliance risks and, ultimately, reducing the financial costs and reputational damage of failed security.
Bimal Parmar is the director of product management at Faronics and is responsible for Faronics’ emerging product portfolio and go-to-market strategy. With over 18 years of industry experience, he oversees the design, creation and improvement of all of Faronics Core Console-based products. Before joining Faronics, Parmar was part of the team at McAfee Security’s Global Partner Program that marketed online security solutions through partners such as Microsoft, AOL, Telefonica and Orange.