SANS Institute – Less Than 50% of Cyberattacks Detected by Antivirus Software
by Robert Bond
SANS Suggests Less Than 50% of Cyberattacks Are Detected by Antivirus Software
An analysis of cyber-attacks over the past year suggests that there is good news and bad news.
The bad news is that antivirus software is losing its effectiveness at preventing attacks on organizations. The good news is that cyber threats in 2018 will come from known vulnerabilities, which means that organizations that manage and patch these vulnerabilities effectively lower their risk of a breach.
According to this year’s survey on Endpoint Protection and Response, conducted by the SANS Institute, less than half of cyberattacks today are detected by antivirus software. Of the 277 IT professionals surveyed, the SANS survey found that while the number of endpoint exploits fell from 53% to 42% over the last year, the number of respondents who did not realize they had been breached doubled from 10% to 20%. Thus, in the wake of last year’s increased number of successful phishing and ransomware attacks, perimeter security, in particular antivirus systems, was not effective in slowing down the number of breaches or even discovering the malware as it dwelled on the network.
Are Antivirus Systems Dead?
More than four years ago, Symantec, the company that dominated the antivirus market, suggested that “antivirus is dead.” Zero-day threats, social engineering, attackers changing malware signatures more frequently, and other more advanced tactics have replaced many of the attacks antivirus systems used to detect and quarantine. The SANS survey suggested that antivirus software ultimately prevented less than 50% of cyberattacks, including next-gen fileless attacks, the most frequently deployed malware. While IT security professionals have watched the arms race between the makers of endpoint security solutions like antivirus and the criminals generating malicious code ratchet up their tactics, it has been clear to most that antivirus systems were losing the war.
To be clear, antivirus is still a critical part of a defense-in-depth strategy; however, those that rely on the technology are certain to be disappointed.
Perimeter Security Struggles to Detect and Prevent Attacks
In addition, according to the survey, SIEM solutions detected 32% of attacks and endpoint detection technology prevented 25% of the attacks. Perimeter defense has become increasingly ineffective at alerting SOC analysts to a potential attack because analysts are overwhelmed with the amount of management and manual review that the solution requires. In addition, endpoint security, even while incorporating threat intelligence, machine learning, and deploying agents for endpoint visibility, fails to be the silver bullet that it was thought to be just two years ago.
Further, with IoT and the increase in connected devices, organizations experienced a 50% increase in attacks on cloud-based endpoints over last year; the majority of these attacks were directed at multiple devices per user, increasing the probability of a successful attack even if endpoint solutions blocked the malware at multiple points.
Antivirus Solutions Can’t Stop Phishing Attacks
Perhaps the most significant reason for the growing failure of antivirus software to provide better protection is that most attacks focus on exploiting the users themselves, employing social engineering tactics and leveraging phishing and ransomware.
Both ransomware and malware attacks have seen a dramatic increase from the record highs they had already set in 2017. SonicWall Capture released a study reporting a record number of malware and ransomware attacks since last year, with a 275% increase in encrypted attacks contributing to a 229% increase in the overall number of ransomware attacks. This trend is predicted to increase in volume and sophistication until such attacks become the standard for malware delivery, which experts fear could happen sooner than we think. The infamous ransomware worm WannaCry, which spread around the world in just hours last year, infecting hundreds of thousands of computers, is just one example of what many in the IT security industry fear is coming.
Can Technology Solve the Problem?
Detection technologies, which provide context awareness and user and system behavioral monitoring, have largely been utilized ineffectively to protect devices against advanced threats. When companies have invested in these technologies, they often have underinvested to create a viable solution, failed to implement the solution correctly, or found that it did not work effectively with other defense technology in their environment. In fact, nearly 80% of those surveyed reported that while they could trace the source of a breach to a user or to endpoints and servers at least 50% of the time, the technology was not adequate to stop attack damage in a timely manner.
What may be even more worrisome to IT security specialists is that most of these cyber-attacks are not the result of software engineering, but of social engineering. Although most defenses against cyberattacks protect against external threats by focusing on firewalls, SIEMs, and antivirus, the increasingly sophisticated attacks leveraging social engineering sidestep such security measures by obtaining access to sensitive data through deception. This growing threat means that cyber defense specialists can no longer rely on traditional tools alone.
Technology Can’t Stop All Cyber-Attacks
As we all know, and as the SANS findings along with the Verizon Data Breach and Ponemon studies verify, it is not a matter of if, but when a data breach will occur. In addition, the damage from each breach is increasing. For example, a data breach in Europe resulted in the “unauthorized access” of the credit card information of as many as 5.9 million Dixons Carphone customers. The infamous Equifax data breach last October affected around 700,000 UK customers and millions more in the US, resulting in the theft of email addresses, passwords, usernames, credit card details, and even driving licenses, phone numbers, and other personal information.
Technology not only failed to stop these attacks, but also failed to uncover them even as they dwelled on the network for months. In fact, according to industry experts, it can take six months or more before such breaches are even detected and two or more months on average to contain them.
In last year’s 2017 Cost of Data Breach Study by Ponemon, the average number of days it took to identify a data breach was 168, and 67 more to contain it. The study further showed that reducing these numbers to fewer than 100 days can save companies millions of dollars.
To protect against these threats, most respondents wanted more network access and user data, including network security data from firewalls and threat management systems, and better network traffic analysis. However, the ineffectiveness of antivirus software and other defense technology against a rising tide of increasingly sophisticated threats gives IT security organizations a chance to become more secure by becoming more effective at managing their threat and vulnerability management programs.
Better Threat and Vulnerability Management Can Solve the Problem
Inventorying both data and data assets, classifying them from highest importance and sensitivity to lowest, and applying greater access restrictions accordingly gives your IT security team a smaller attack surface to defend. The whack-a-mole strategy of applying patches to systems as the patches are released leaves a backlog that attacks like WannaCry can leverage.
Further, scheduling patching every 30, 60, or 90 days leaves time gaps for attackers to scan systems for critical vulnerabilities and attack before a patch is deployed. By scoring systems by criticality and taking a risk-based approach to applying patches, systems with critical data are prioritized, limiting the window in which attackers can exploit them.
Finally, implementing a compliance framework, whether it is HIPAA or PCI DSS, which mandate a vulnerability management program, or NIST, ISO, or CSC, which provide best-practice industry frameworks for improving overall security posture, gives you a structure and a guide for creating a risk-based approach to vulnerability management.
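The risk-based prioritization described above, as an added example that is not part of the original post: it ranks findings from a constructed asset inventory and scan, weighting each by the data-sensitivity class of the host it sits on and tiering the remediation deadline by that risk rather than by a fixed 30/60/90-day cycle. The sensitivity weights, risk tiers, deadlines, host names and finding ids are assumptions chosen for illustration.

```python
"""Risk-based patch prioritisation over a constructed inventory and scan output."""
from dataclasses import dataclass

# Sensitivity classes from the inventory step, highest first (assumed scale).
SENSITIVITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed inventory: host -> data-sensitivity class (not real systems).
INVENTORY = {
    "db-cardholder-01": "critical",
    "hr-fileshare": "high",
    "intranet-wiki": "medium",
    "kiosk-lobby": "low",
}

# Constructed scan findings: (host, finding id, CVSS base score,
# exploit publicly known, days since the vendor patch was released).
FINDINGS = [
    ("db-cardholder-01", "VULN-A", 9.8, True, 12),
    ("kiosk-lobby", "VULN-A", 9.8, True, 12),   # same bug, low-value host
    ("hr-fileshare", "VULN-B", 7.5, False, 40),
    ("intranet-wiki", "VULN-C", 5.3, False, 95),
    ("db-cardholder-01", "VULN-D", 4.0, False, 3),
]

@dataclass
class Prioritised:
    host: str
    finding: str
    risk: float
    sla_days: int   # remediation deadline set by risk tier (assumed policy)
    overdue: bool   # patch has been available longer than the tier allows

def risk_score(cvss, exploit_known, sensitivity):
    """Severity x asset criticality, with a bump when an exploit is in the wild."""
    return round(cvss * SENSITIVITY_WEIGHT[sensitivity] * (1.5 if exploit_known else 1.0), 1)

def sla_for(risk):
    """Risk-tiered deadlines instead of one fixed 30/60/90-day cycle (assumed policy)."""
    if risk >= 30:
        return 7
    if risk >= 15:
        return 30
    return 90

def prioritise(inventory, findings):
    """Return findings ordered by risk, flagging those past their tier's deadline."""
    ranked = []
    for host, fid, cvss, known, age in findings:
        risk = risk_score(cvss, known, inventory[host])
        sla = sla_for(risk)
        ranked.append(Prioritised(host, fid, risk, sla, age > sla))
    return sorted(ranked, key=lambda p: (-p.risk, p.host))

if __name__ == "__main__":
    for p in prioritise(INVENTORY, FINDINGS):
        print(f"{p.risk:5.1f}  {p.sla_days:2d}d  {'OVERDUE' if p.overdue else 'ok':7}  {p.host}  {p.finding}")
```

Note how the same finding (VULN-A) lands at the top of the queue on the cardholder database but near the bottom on the lobby kiosk, which is the point of scoring by asset criticality rather than by CVSS alone.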
Taking the First Step to Better Threat and Vulnerability Management
We don’t mean to diminish the importance of perimeter security technology, in particular antivirus systems; however, it is clear that without scanning and patching systems quickly and effectively, organizations will become victims of a breach.
There are too many assets in organizations holding sensitive data and too many vulnerabilities in an ever-growing list of applications to continue with manual, time-based patching. Start with a sensitive data and asset inventory, scan your systems for vulnerabilities, implement a compliance framework, and start your program.
SecureOps has helped many of the largest, most complex organizations put their arms around the so-called marbles on the table to create a threat and vulnerability program that is proven to reduce your business risk while protecting your customers, employees, and sensitive data.