In almost every enterprise IT environment today, the discovery of an instance of advanced malware necessarily means you are too late to stop it.
Everyday malware can be stopped at the firewall because its signature is known. It’s sort of like having a TSA agent check your ID at the airport. Let’s carry that analogy out for a minute.
Advanced malware is different. It may try to get in through a different door with no agent, or use a legitimate ID in front of a new agent at an especially busy gate when he’s too pressured to spot the difference in height or facial features.
If the airport is sufficiently staffed, a TSA agent inside may have noticed something suspicious. She grabs a frame of video and runs some analysis – and finds, as any good sandbox should, that the airport has been infiltrated by zero-day malware that is intent on creating mayhem as soon as possible.
The problem, of course, is that the malware is already in the airport, somewhere, and someone has to make a decision about whether it’s important enough to find this guy, or just let him go.
Significantly, the sandbox can’t make that decision. It can only tell you that the system has been infiltrated.
This is the difference between finding advanced malware and freezing or stopping it.
If you’ve been able to isolate a copy of a suspicious file and taken the time to analyze it across multiple stacks, correctly identifying it as zero-day malware, then you’re like the security agent in the control room: you know you have a problem, but you can’t stop it. The malware has already coursed its way into your IT system, reached its objective and very likely deployed its exploit.
The only way to truly stop an advanced malware attack is to immediately propagate information about the malware throughout the system so the file and its exploit can be isolated and fixed before it spreads to other points.
This requires a system that is capable of intelligently communicating information about security threats to any point within the system, including servers, endpoints and remote operations. Further, that communication needs to be two-way, since an exploit can gain entry through an endpoint just as easily as it can penetrate a firewall. The communication must be capable of prioritizing threats and determining appropriate responses, including isolating the malware wherever it is found. In other words, the entire system must be capable of fully comprehending the urgency and complexity of the threat.
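The two-way, priority-aware propagation described above can be sketched as a hub-and-spoke loop: a sandbox verdict becomes an indicator, a hub fans it out to every endpoint, each endpoint hunts locally and responds according to severity, and hits reported back from multiple hosts escalate the response. The following is an added illustration written for this page, not code from the article or any product it refers to; the hub/endpoint model, the severity-to-response table, the host names, file paths and sample bytes are all constructed assumptions.

```python
"""Toy hub-and-spoke indicator propagation (constructed example, not a product API)."""
import hashlib
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
# Response chosen purely by severity; a real deployment would map these to EDR actions.
RESPONSE = {"low": "log", "medium": "alert", "high": "quarantine_file", "critical": "isolate_host"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Indicator:
    sha256: str
    severity: str
    source: str          # who produced the verdict: sandbox, endpoint engine, hub escalation


@dataclass
class Endpoint:
    name: str
    files: dict                                  # path -> content (constructed stand-in for disk)
    quarantined: list = field(default_factory=list)
    isolated: bool = False

    def apply(self, ind: Indicator) -> dict:
        """Hunt the indicator locally and take the response its severity dictates."""
        hits = [p for p, data in self.files.items() if sha256(data) == ind.sha256]
        action = RESPONSE[ind.severity] if hits else "none"
        if action in ("quarantine_file", "isolate_host"):
            for p in hits:
                self.quarantined.append(p)
                del self.files[p]
        if action == "isolate_host":
            self.isolated = True
        return {"endpoint": self.name, "sha256": ind.sha256, "hits": hits, "action": action}


class Hub:
    """Central broker: dedupes indicators by severity and fans them out to every endpoint."""

    def __init__(self, endpoints):
        self.endpoints = {e.name: e for e in endpoints}
        self.known = {}      # sha256 -> highest-severity Indicator seen so far
        self.reports = []

    def publish(self, ind: Indicator) -> list:
        known = self.known.get(ind.sha256)
        if known and SEVERITY_RANK[known.severity] >= SEVERITY_RANK[ind.severity]:
            return []        # already handled at this or a higher severity: nothing to do
        self.known[ind.sha256] = ind
        reports = [ep.apply(ind) for ep in self.endpoints.values()]
        # Two-way link: hits reported by more than one host mean the sample is spreading,
        # so the hub escalates to "critical" and isolates every host that had it.
        hit_hosts = [r["endpoint"] for r in reports if r["hits"]]
        if len(hit_hosts) > 1 and RESPONSE[ind.severity] != "isolate_host":
            self.known[ind.sha256] = Indicator(ind.sha256, "critical", f"hub-escalation({ind.source})")
            for h in hit_hosts:
                self.endpoints[h].isolated = True
                reports.append({"endpoint": h, "sha256": ind.sha256, "hits": [], "action": "isolate_host"})
        self.reports.extend(reports)
        return reports

    def report_from_endpoint(self, name: str, digest: str, severity: str) -> list:
        """Reverse direction: an endpoint's own detection becomes a hub-wide indicator."""
        return self.publish(Indicator(digest, severity, f"endpoint:{name}"))


# Constructed sample contents; the hashes are whatever these bytes hash to.
DROPPER = b"MZ constructed-dropper-sample"
LOADER = b"MZ constructed-loader-sample"
DROPPER_HASH, LOADER_HASH = sha256(DROPPER), sha256(LOADER)


def run_demo() -> Hub:
    hub = Hub([
        Endpoint("srv01", {"/tmp/update.exe": DROPPER, "/opt/app/app.bin": b"benign"}),
        Endpoint("ws07", {r"C:\Users\ann\Downloads\invoice.exe": DROPPER}),
        Endpoint("ws09", {r"C:\Users\bob\AppData\Local\Temp\svc.exe": LOADER}),
    ])
    hub.publish(Indicator(DROPPER_HASH, "high", "sandbox"))        # sandbox verdict fans out
    hub.publish(Indicator(DROPPER_HASH, "medium", "threat-feed"))  # lower severity: deduped
    hub.report_from_endpoint("ws09", LOADER_HASH, "medium")        # endpoint-originated verdict
    return hub


if __name__ == "__main__":
    for r in run_demo().reports:
        print(r)
```

Running the demo shows the three behaviours the paragraph asks for: the dropper is quarantined on both hosts that held it and, because it was seen on more than one host, both are isolated while the clean host is not; the same hash arriving later at a lower severity is ignored; and a verdict raised by an endpoint travels back through the hub like any sandbox verdict, here producing only an alert because the severity table says so.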
Even environments that have a security information and event management (SIEM) system mostly lack this dynamic, system-wide security integration. Because they were patched together using a combination of proprietary and open systems over many years, they often lack the necessary situational awareness. It’s as if the control room security is speaking English and the guards on the floor are all speaking different languages backed by varying levels of threat awareness.
It’s often said that a system is only as good as its weakest link. The inability to isolate an instance of advanced malware and ensure that it doesn’t spread is that weak link. But it doesn’t have to be that way.
A truly secure IT environment requires an architecture that uses innovative technologies strategically and cost-effectively integrated to quickly find, isolate and remediate advanced malware anywhere in the system, from servers to endpoints, through real-time information sharing about the threat environment.