Driving Intelligent Security: RSA 2014 Group


Targeted Attacks - Following the path of least resistance 

Feb 19, 2014 05:26 PM

As every security professional (or sales rep) will tell you, the threat landscape changes quickly.

By the time a vulnerability is discovered, it will certainly have been exploited. Historically, security vendors have helped to prevent attacks by quickly updating their virus definitions (AKA signatures) to specifically detect malware using that exploit, but by that time the real attackers have already moved on to another as-yet undisclosed vulnerability.

Advanced security vendors have moved on from a signature-only detection method (for the sake of clarity, let's call that “classic AV”) and introduced new techniques and methods to catch suspicious activity and malware.

One key point that illustrates the need for more advanced methods is that the number of threats requiring a signature is growing so fast that the definition set is quickly becoming too large for system memory to manage efficiently, especially with more and more work being done on thin clients and small form-factor devices where performance and productivity are king.

Products that offer proactive protection, correlating big intelligence data about the files being executed on the host and closely analyzing the activity of each file, provide intelligent security against the most dangerous of the next-generation threats: Targeted Attacks, i.e., malware and exploits that have never been seen before (and may never be seen again).

If a threat has never been seen before, then it is impossible for classic AV alone to protect a system.  The cat-and-mouse game of creating signatures to detect malware on its own is obsolete.


Classic AV alone is not enough

[Image: classicavaloneisnotenough.png]


At Symantec, we've seen a gradual shift over the past two to three years where the classic AV engine in our flagship Symantec Endpoint Protection 12.1 offering catches roughly 49% of threats, while the remaining 51% of threats are thwarted by proactive protection technology: file reputation analysis with Symantec Insight, behavioral analysis with SONAR and intrusion protection with Network Threat Detection.
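As an added example (not code from the original post, and not a model of any Symantec product), the following Python sketch contrasts a signature-only check with the layered approach described above: a file that matches no known-bad hash is still scored on reputation (how rare and how new it is in the community) and on the behaviour it shows at runtime. The hash set, the action weights, the threshold and the four sample files are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed "classic AV" definition set: SHA-256 hashes of known-bad files.
# Real products match far richer patterns; plain hashes keep the illustration small.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-known-dropper").hexdigest(),
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-known-worm").hexdigest(),
}

# Runtime behaviours a behavioural layer treats as suspicious, with constructed weights.
SUSPICIOUS_ACTIONS = {
    "writes_autorun_key": 3,
    "injects_into_browser": 4,
    "connects_to_unseen_domain": 2,
    "disables_security_service": 5,
}


@dataclass
class FileEvent:
    name: str
    content: bytes
    prevalence: int                 # machines in the community that have reported this file
    age_days: int                   # days since the file was first reported
    actions: list = field(default_factory=list)  # behaviours observed at runtime


def classic_av_verdict(ev):
    """Signature-only layer: a hash match blocks, anything else is allowed."""
    digest = hashlib.sha256(ev.content).hexdigest()
    return "block" if digest in KNOWN_BAD_HASHES else "allow"


def reputation_score(ev):
    """Rare and young files get a higher (worse) score; range 0..5."""
    score = 0
    if ev.prevalence < 5:
        score += 3
    elif ev.prevalence < 100:
        score += 1
    if ev.age_days < 1:
        score += 2
    elif ev.age_days < 7:
        score += 1
    return score


def behaviour_score(ev):
    """Sum of the weights of the suspicious actions actually observed."""
    return sum(SUSPICIOUS_ACTIONS.get(a, 0) for a in ev.actions)


def layered_verdict(ev, threshold=6):
    """Signature first (cheap and certain); otherwise reputation + behaviour.

    Returns (verdict, deciding_layer, proactive_score)."""
    if classic_av_verdict(ev) == "block":
        return ("block", "signature", None)
    score = reputation_score(ev) + behaviour_score(ev)
    return ("block" if score >= threshold else "allow", "proactive", score)


# Constructed sample events: one old known threat, one popular installer that
# legitimately writes an autorun key, one brand-new in-house tool that does
# nothing suspicious, and one never-seen-before file that behaves badly.
SAMPLES = {
    "known-dropper": FileEvent("dropper.exe", b"CONSTRUCTED-SAMPLE-known-dropper",
                               50_000, 400, ["writes_autorun_key"]),
    "popular-installer": FileEvent("setup.exe", b"CONSTRUCTED-SAMPLE-popular-installer",
                                   2_000_000, 900, ["writes_autorun_key"]),
    "new-internal-tool": FileEvent("inventory.exe", b"CONSTRUCTED-SAMPLE-internal-tool",
                                   1, 0, []),
    "unseen-targeted": FileEvent("invoice.pdf.exe", b"CONSTRUCTED-SAMPLE-never-seen-before",
                                 1, 0, ["injects_into_browser", "connects_to_unseen_domain"]),
}

if __name__ == "__main__":
    for name, ev in SAMPLES.items():
        print(f"{name:18} classic={classic_av_verdict(ev):5}  layered={layered_verdict(ev)}")
```

The point of the two benign samples is the threshold: a rare, new file is not blocked on reputation alone, and a popular file is not blocked for one mildly suspicious action, so only the combination of low reputation and bad behaviour trips the proactive layer while the signature layer still catches what it knows.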

Another important security trend to be aware of is that, while the goal of cyber criminals is still financial gain, the target is changing.

Same goal, different targets

For instance, an attacker may wish to extract data from a large corporation but they know that the larger the organization or the more confidential the data, the bigger the security budget, making it more difficult to penetrate.

[Image: spearphishing.png]

Instead, the attacker might focus on an easier, smaller target, such as an external agency, as the first hop toward the ultimate target.

With a little social engineering, such as a well-crafted email linking to a drive-by download that exploits a vulnerability in Flash on a Mac (after all, Macs don't need malware protection, right? Wrong!), an attacker can gain access to the agency network.

Once on the network, the attacker could insert malicious code into the large corporation’s website and wait for it to be uploaded to the production environment, or they could steal the access credentials to the web server hosting the site. With malware now hosted on the company website, the attacker can sit and wait for someone at the large corporation to be compromised. Just as predators lie in wait near scarce sources of water for their prey to come to them, this type of attack is known as a Watering Hole attack.[1]

There are several very high profile cases where this type of attack has been successful and resulted in loss of intellectual property and company revenue. However, as more and more companies invest in their security infrastructure, and security vendors provide better proactive protection, these attackers will continue to find different routes in.

[Image: percentagestargetedattacks.png]

Targeted Attacks are no longer just the concern of large organizations. Cyber-attacks are generally driven by financial gain, so the data you store, manage and maintain matters more than the size of your business.

Increasingly complex, multi-dimensional threats are more prevalent than ever, and, unlike point security products, Symantec offers the comprehensive security expertise, global intelligence and portfolio to give organizations of all sizes proactive, targeted attack protection at the endpoint, gateway and data center.

To learn more about protecting your organization, your business partners and your company’s reputation from targeted attacks and other cyber threats, visit our installation at the 2014 RSA Conference, February 24th-27th in San Francisco, CA.


@ianmcshane


[1] If you're thinking "that still sounds like a lot of work", you're right. What is far more likely to happen is that the attacker can easily bypass security somewhere in the chain because of weak passwords. Media sensationalism and misuse of words like 'hack' and 'crack' means that a lot of the time a data breach is blamed on advanced threats or targeted attacks when the reality is someone got lucky and brute-forced an admin account somewhere. Find out more at our User Authentication stand at RSA 2014 :)
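The footnote's point, that a breach is often just a brute-forced account, is something a defender can watch for in ordinary authentication logs. The following Python is an added example, not from the original post or any Symantec product: it parses constructed sshd-style log lines (RFC 5737 documentation addresses; host names, PIDs and timestamps are made up), flags a source address that exceeds a failure threshold inside a sliding time window, and raises a second, higher-priority alert when a flagged source then logs in successfully, which is the "someone got lucky" case the footnote describes. Threshold and window are assumed values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth log lines. Addresses are RFC 5737 documentation
# ranges; host names, PIDs and timestamps are invented for this example.
SAMPLE_LOG = """\
Feb 19 14:00:01 web01 sshd[2201]: Failed password for admin from 203.0.113.5 port 50211 ssh2
Feb 19 14:00:02 web01 sshd[2202]: Failed password for admin from 203.0.113.5 port 50212 ssh2
Feb 19 14:00:03 web01 sshd[2203]: Failed password for admin from 203.0.113.5 port 50213 ssh2
Feb 19 14:00:04 web01 sshd[2204]: Failed password for admin from 203.0.113.5 port 50214 ssh2
Feb 19 14:00:05 web01 sshd[2205]: Failed password for admin from 203.0.113.5 port 50215 ssh2
Feb 19 14:00:06 web01 sshd[2206]: Accepted password for admin from 203.0.113.5 port 50216 ssh2
Feb 19 14:03:10 web01 sshd[2210]: Failed password for invalid user test from 192.0.2.9 port 40001 ssh2
Feb 19 14:03:40 web01 sshd[2211]: Failed password for invalid user oracle from 192.0.2.9 port 40002 ssh2
Feb 19 14:05:30 web01 sshd[2212]: Failed password for alice from 198.51.100.7 port 40010 ssh2
Feb 19 14:05:45 web01 sshd[2213]: Accepted password for alice from 198.51.100.7 port 40011 ssh2
Feb 19 14:20:00 web01 sshd[2220]: Failed password for admin from 203.0.113.5 port 50300 ssh2
"""

# Matches the "Failed password" / "Accepted password" forms, including the
# "invalid user" variant sshd emits for unknown account names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2014):
    """Return a dict for a password auth line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies it (assumed 2014)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, max_failures=5, window=timedelta(seconds=60)):
    """Sliding-window failure counter per source IP.

    Emits a "bruteforce" alert the first time an IP reaches max_failures
    within the window, and a "success_after_bruteforce" alert for any later
    successful login from an IP that was flagged. Lines must be in time order."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = set()                 # IPs already alerted on (kept for the whole run)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["ok"]:
            if ev["ip"] in flagged:
                alerts.append({"type": "success_after_bruteforce", "ip": ev["ip"],
                               "user": ev["user"], "ts": ev["ts"]})
            continue
        q = failures[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) >= max_failures and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append({"type": "bruteforce", "ip": ev["ip"],
                           "failures": len(q), "ts": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample only 203.0.113.5 is flagged: the two "invalid user" failures from 192.0.2.9 stay under the threshold, and alice's single mistyped password followed by a success is normal behaviour. The success from 203.0.113.5 right after its run of failures is the alert worth paging on, and it is exactly the event a pure "too many failures" rule would miss if it had already fired and moved on.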
