According to industry figures, in 75 percent of malware attacks it takes more than two weeks to discover that a breach has even occurred. Additionally, 70 percent of those attacks were discovered by someone outside the IT department – often by an employee who notices his or her computer is running slowly. This is of particular concern for government agencies, since they are under almost constant attack and probing from hacktivists, cybercriminals, and state-sponsored attackers.
Tom Stitt, director of product marketing at Sourcefire, knows there is no silver bullet that will entirely eliminate malware, but he does know that there are specific strategies that will help government agencies gain a better understanding of an attack and be better prepared to handle subsequent attacks. The key is to take time to focus on post-event analysis – to scope and understand the root cause of the malware’s entry into the network beyond the tactical attack and define a strategic remediation plan.
Noting an example in which one agency simply chose to destroy computers infected with malware, Stitt explains this approach is faulty as it doesn’t help an organization to understand why a breach occurred. Ignoring the cause of a breach leaves the door open for similar events to occur in the future. Government agencies, he adds, must shift from tools that are mere gateways, to a network security approach that enables better protection against a broader range of threats and vulnerabilities over time.
Faced with an overwhelming volume of network activity, a mountain of data and a traditional focus on detection, government agencies are saddled with a number of challenges which make fighting malware a seemingly insurmountable challenge. One of the key reasons that malware attacks are seemingly unstoppable even against the most sophisticated networks is that attackers invest heavily in creating and distributing new attacks and leveraging malware’s polymorphic abilities.
Stitt acknowledges agencies are quickly embracing advanced malware detection tools that enable better visibility into a network’s endpoints. Examining the entire attack continuum – that is, understanding and protecting the network before, during, and after an attack – provides valuable insight and allows agencies to better tackle their network security challenges.
“There’s so much focus on prevention, detection and firewalls,” says Stitt. He stresses the “need to focus on what happens afterward.” While that might sound counterintuitive, it is in the after phase that immediate remediation occurs, along with the postmortem that enables the IT team to understand how events are tied together, so that additional points of vulnerability, or even infected nodes on the network, can be remediated and future attacks derived from similar malware or other attack vectors can be detected.
Rather than looking for a needle in a haystack, Stitt sees IT managers as having to look for a needle in a haystack of needles. In other words, the IT team needs to have a system/network-level view of events so that data can be correlated and malicious events aggregated. Such an approach creates forensic fingerprints of files to identify known malware, tracks file movement and identifies attack targets for focused remediation. Taking advantage of big data analytics, for instance, delivers continuous file analysis and retrospective alerting so users can be notified of malicious files that have entered their environment, and have them immediately remediated wherever they may be, even if they were previously classified as safe.
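The retrospective alerting described above, as an added illustration written for this page rather than Sourcefire's own code: a tracker records every file sighting by fingerprint, and when continuous analysis later flips a hash's verdict to malicious, it alerts on every host that received the file while it was still rated clean and returns the file's trajectory for scoping. Hosts, paths and the hash are constructed placeholders.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FileEvent:
    ts: int        # time of sighting (constructed epoch seconds)
    host: str
    path: str
    sha256: str    # forensic fingerprint of the file content

class RetrospectiveTracker:
    """Keeps every sighting per fingerprint plus the current verdict, so a later
    flip to 'malicious' can re-alert on hosts that got the file while 'clean'."""
    def __init__(self):
        self.sightings = defaultdict(list)  # sha256 -> [FileEvent, ...]
        self.verdicts = {}                  # sha256 -> 'clean' | 'malicious'
    def observe(self, ev):
        """Record a sighting; alert right away only if already known bad."""
        self.sightings[ev.sha256].append(ev)
        if self.verdicts.get(ev.sha256) == "malicious":
            return [self._alert(ev, "known-malicious")]
        return []
    def update_verdict(self, sha256, verdict):
        """Apply a verdict from continuous analysis; a change to 'malicious'
        yields one retrospective alert per earlier sighting of that hash."""
        previous = self.verdicts.get(sha256, "unknown")
        self.verdicts[sha256] = verdict
        if verdict == "malicious" and previous != "malicious":
            return [self._alert(ev, f"retrospective (was {previous})")
                    for ev in self.sightings.get(sha256, [])]
        return []
    def trajectory(self, sha256):
        """Where the file went, in time order: the scope for focused remediation."""
        return sorted((e.ts, e.host, e.path) for e in self.sightings.get(sha256, []))
    @staticmethod
    def _alert(ev, reason):
        return {"host": ev.host, "path": ev.path, "sha256": ev.sha256, "reason": reason}

# Constructed sample: one file lands on two hosts while analysis still rates it clean.
H = "0" * 63 + "a"  # placeholder fingerprint, not a real indicator
SAMPLE = [FileEvent(100, "ws-01", r"C:\Users\a\Downloads\invoice.exe", H),
          FileEvent(160, "ws-07", r"C:\Users\b\Downloads\invoice.exe", H)]

def run_sample():
    t = RetrospectiveTracker()
    t.update_verdict(H, "clean")
    immediate = [a for ev in SAMPLE for a in t.observe(ev)]
    later = t.update_verdict(H, "malicious")   # verdict flips after delivery
    return immediate, later, t.trajectory(H)
```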
Stitt says better integration of responses across federal agencies, along with evaluating malware issues more holistically, enables a more effective approach to solving the associated problems and furnishes agencies with the continuous visibility, analysis and control needed to better protect their networks.