When computer malware first appeared in the late 1980s—most notably the infamous Morris Worm—the damage inflicted led to the birth of the cyber security industry. In those early days, cyber security pretty much meant antivirus (AV) software.
Since its debut, AV has primarily relied on detecting the signatures of already-identified malware to stop those known-bad files from executing.
Over the last 25 years, antivirus software has been the first, and sometimes the only, defence used by many businesses in an effort to protect their computers and the critical information on them from the increasingly devastating effects of malware.
AV works by performing periodic point-in-time scans on specific endpoints or system components. The best that most of these solutions can offer is a partial, and usually ex post facto, view into what has already happened.
However, time is a critical factor in detecting and preventing advanced threats. With a scan-based system, there is a significant "dwell time" during which the malware is resident and active. Even if a scan happens to pick it up, the question is how long it has been on the system and what it has been doing since it arrived.
Even if the dwell time isn't long, it's often long enough for an advanced cyber attack to have dangerous consequences. All the attacker needs is enough time to dial out and get instructions on how to get somewhere else within your system, while putting in place strategies that prevent you from detecting the malware.
So the issue with the scan-based method of antivirus software is that the makers of advanced malware don't actually use existing software with known signatures to unleash their mayhem.
Sophisticated threat actors
These sophisticated threat actors employ some of the most talented software developers on the planet to carry out cyber attacks and their mission is to hit their targets with unique software that has never been seen before—zero-day attacks—to disrupt businesses and governments by stealing money, data and other proprietary information and generally wreaking havoc.
To effectively combat today's advanced attacks, businesses need real-time visibility into every endpoint and server that is "always on", with continuous monitoring that lets you see every event as it is happening. Point-in-time scans and snapshots create gaps in visibility that leave you vulnerable.
You need to see suspicious events in the context of what's happening on all of your endpoints, rather than as isolated instances on individual endpoints. To do that, you need a solution that can monitor:
- The arrival and execution of every file with executable code (programmes, scripts, etc.)
- Every critical system resource (memory, processes, etc.)
- System registry changes
- USB devices
- Critical files
And to be effective, the visibility must be real-time and continuous because most malware does its damage within a quarter of an hour and then morphs or deletes itself. You need to know what's resident and running right now.
For example, if Adobe Acrobat or Microsoft Excel spawns an unknown executable on your computer, it's probably malicious. Executables shouldn't have JPEG or PDF extensions, and processes should never run out of your recycle bin.
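The heuristics above, expressed as detection logic run over constructed process-creation events (an added example, not code from the original post or from Bit9). The DOCUMENT_APPS and KNOWN_CHILDREN lists are assumptions to be tuned per environment, and the double-extension check (invoice.pdf.exe) extends the page's "executables shouldn't have JPEG or PDF extensions" rule to the common disguise variant.

```python
import os
import re
from dataclasses import dataclass

# Parent apps that should not normally spawn arbitrary executables (page names Acrobat and Excel; rest assumed).
DOCUMENT_APPS = {"acrobat.exe", "acrord32.exe", "excel.exe", "winword.exe"}
# Children these apps legitimately launch (assumed allowlist; tune per environment).
KNOWN_CHILDREN = {"splwow64.exe", "explorer.exe", "outlook.exe"}
# Extensions that should never belong to something executing as a process.
DOC_OR_IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}
RECYCLE_BIN_RE = re.compile(r"\\\$recycle\.bin\\|\\recycler\\", re.IGNORECASE)

@dataclass
class ProcessEvent:
    """Minimal process-creation record: parent image path and new image path."""
    parent_image: str
    image: str

def _basename(path: str) -> str:
    # Normalise Windows separators so os.path.basename works on any host.
    return os.path.basename(path.replace("\\", "/")).lower()

def suspicious_reasons(ev: ProcessEvent) -> list[str]:
    """Return the heuristics this event trips (empty list means nothing flagged)."""
    reasons = []
    parent, child = _basename(ev.parent_image), _basename(ev.image)
    if parent in DOCUMENT_APPS and child not in KNOWN_CHILDREN:
        reasons.append(f"document app {parent} spawned unknown executable {child}")
    exts = ["." + p for p in child.split(".")[1:]]  # invoice.pdf.exe -> ['.pdf', '.exe']
    if exts and exts[-1] in DOC_OR_IMAGE_EXTS:
        reasons.append(f"running image has non-executable extension {exts[-1]}")
    elif len(exts) >= 2 and any(e in DOC_OR_IMAGE_EXTS for e in exts[:-1]):
        reasons.append(f"double extension disguises executable: {child}")
    if RECYCLE_BIN_RE.search(ev.image):
        reasons.append("process image lives in the Recycle Bin")
    return reasons

def triage(events: list[ProcessEvent]) -> list[tuple[str, list[str]]]:
    """Keep only the events that trip at least one heuristic, with their reasons."""
    return [(ev.image, r) for ev in events if (r := suspicious_reasons(ev))]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\EXCEL.EXE", r"C:\Users\alice\AppData\Local\Temp\update.exe"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\EXCEL.EXE", r"C:\Windows\splwow64.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Users\alice\Downloads\invoice.pdf.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\$Recycle.Bin\S-1-5-21-1\$RA1B2C3.exe"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Notepad++\notepad++.exe"),
]
```

Running `triage(SAMPLE_EVENTS)` flags the first, third and fourth events and leaves the allowlisted print helper and the ordinary editor alone.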
Real-time Visibility & Continuous Monitoring
One of the biggest shortcomings of traditional security approaches is that most victims only know they have been breached and that valuable data has been damaged or stolen after the perpetrator has left the virtual building.
So rather than working to prevent attacks by employing real-time visibility and continuous monitoring, businesses that rely on traditional antivirus as their primary method of security spend most of their time trying to determine the extent of the damage caused by an attack and figuring out how to remediate it.
The bottom line is that attacks happen in real time. So security has to happen in real time, as well. Security needs to be flipped on its head and become proactive rather than reactive.
If it doesn't, businesses will forever be trapped in their own version of the movie Groundhog Day, reliving the pain caused by zero-day and targeted attacks that easily bypass traditional security solutions again and again. And again.
- Harry Sverdlove, Bit9's Chief Technology Officer, draws from nearly two decades of application design and analysis with industry-leading IT enterprises to add a new layer of technical expertise and strategic vision to Bit9's Trust-based Security Platform.