New York Times malware detection failure
Is anyone concerned about the report from NY Times regarding Symantec product? According to Antone Gonsalves, at csoonline.com/article/728083, "Over the course of the attacks on The Times, the intruders installed 45 pieces of custom malware. With the exception of one instance, Symantec antivirus software being used detected none of the malware."
Now, we all know the limitations of signature-based protection on the Endpoint. Still, this is disturbing.
I wonder what Symantec's data indicates. SEP is supposed to not only rely on signature-based protection technology, but through Insight and Sonar there is supposed to be some capability of sniffing out certain behaviors and reputation-based results. Does Symantec have confirmation that NYT had these features enabled or not?
According to Silicon Valley Business Journal, Symantec's response is a kind of "duh, you have to have more than basic antivirus protection turned on" (my paraphrase).
Seems a bit strange that, at the time the hackers were detected, someone at NYT made a decision to "follow" the hackers rather than shut them down, and that during this time they discovered that Symantec Endpoint Protection wasn't detecting the malware. The NYT techs didn't install additional antivirus or anti-malware to see if it could do a better job. I mean, if I'm the technician whose job is to come in every day and see what the hackers have been up to in the last 12 hours, I'm going to be curious whether one antivirus program works where another fails. This would be useful, rather than simply stating that Symantec software failed to detect.
The failure to do adequate testing in this real-world environment doesn't address the question of whether the failure was due to the inadequacy of Symantec's specific product or to a failure of signature-based protection software in general.
Presumably the purpose of letting the hackers roam their network for a time must have been to 1. see what the hackers wanted and how they operated, and 2. learn how to block them with a good security posture going forward. Simply stating Symantec's failure to detect does not reveal anything useful on the second point.