Enterprises Are Buying Host-based Advanced Malware Detection/Prevention Tools to Capture Forensic Data

APTs and advanced malware are having a profound effect on cybersecurity technologies. One notable change is the rise of new Advanced Malware Detection/Prevention (AMD/P) technologies from vendors such as Bit9, Bromium, CounterTack, Invincea, Malwarebytes, and Sourcefire that detect and block advanced malware on servers and endpoints.

Aside from acting as another layer of defense, CISOs tell me that these tools provide another valuable security function—they capture host activities (e.g., file downloads, process execution, registry changes, network activity). Some tools also provide their own analytics while others hand the data to SIEM platforms, cloud analytics services, etc. Host behavior data is then used as part of advanced malware detection and also provides basic forensic information for incident response.
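To make the "capture host activity, then use it for both detection and forensics" point concrete, here is an added example (mine, not code from any of the vendors named above). It assumes a hypothetical JSON-lines telemetry schema with `file_download`, `process_create`, `registry_set` and `network_connect` event types; the field names, the host names, and the events themselves are constructed for the example. It correlates a download, execution of the downloaded binary, a Run-key persistence entry and an outbound connection from the same process, and it can also print the raw per-host timeline an incident responder would start from.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in a hypothetical JSON-lines schema (one event per line).
# Field names, hosts, paths and addresses are assumptions for this example, not a vendor format.
SAMPLE_TELEMETRY = r"""
{"ts": "2013-11-04T09:12:01Z", "host": "pc-117", "type": "file_download", "user": "alice", "path": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe", "src": "http://203.0.113.9/invoice.pdf.exe"}
{"ts": "2013-11-04T09:12:40Z", "host": "pc-117", "type": "process_create", "user": "alice", "pid": 4120, "ppid": 1188, "image": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2013-11-04T09:12:41Z", "host": "pc-117", "type": "registry_set", "pid": 4120, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "Updater", "data": "C:\\Users\\alice\\Downloads\\invoice.pdf.exe"}
{"ts": "2013-11-04T09:12:45Z", "host": "pc-117", "type": "network_connect", "pid": 4120, "dst_ip": "203.0.113.9", "dst_port": 443}
{"ts": "2013-11-04T09:13:02Z", "host": "pc-042", "type": "process_create", "user": "bob", "pid": 2210, "ppid": 1102, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent": "C:\\Windows\\explorer.exe"}
{"ts": "2013-11-04T09:13:05Z", "host": "pc-042", "type": "network_connect", "pid": 2210, "dst_ip": "203.0.113.50", "dst_port": 443}
"""

# Simple indicators; real products use far richer rules, these are just illustrative.
DOWNLOADS_DIR = re.compile(r"\\downloads\\", re.IGNORECASE)
DOUBLE_EXT = re.compile(r"\.(pdf|doc|docx|xls|jpg)\.(exe|scr|com)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run$", re.IGNORECASE)


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a real datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, window=timedelta(minutes=10)):
    """Return {host: [finding, ...]}: per-event checks plus a download -> execute -> persist/beacon chain.

    Only hosts with at least one finding appear in the result."""
    findings = defaultdict(list)
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    for host, evs in by_host.items():
        downloads = {}  # lowercased path -> file_download event
        procs = {}      # pid -> process_create event
        for ev in evs:
            kind = ev["type"]
            if kind == "file_download":
                downloads[ev["path"].lower()] = ev
            elif kind == "process_create":
                procs[ev["pid"]] = ev
                img = ev["image"]
                if DOWNLOADS_DIR.search(img):
                    findings[host].append(f"exec_from_downloads pid={ev['pid']} image={img}")
                if DOUBLE_EXT.search(img):
                    findings[host].append(f"double_extension pid={ev['pid']} image={img}")
                dl = downloads.get(img.lower())
                if dl and ev["ts"] - dl["ts"] <= window:
                    findings[host].append(f"download_then_execute pid={ev['pid']} src={dl['src']}")
            elif kind == "registry_set" and RUN_KEY.search(ev["key"]):
                findings[host].append(f"run_key_persistence pid={ev['pid']} value={ev['value']}")
            elif kind == "network_connect":
                proc = procs.get(ev["pid"])
                if proc and DOWNLOADS_DIR.search(proc["image"]):
                    findings[host].append(
                        f"beacon_from_downloaded_binary pid={ev['pid']} dst={ev['dst_ip']}:{ev['dst_port']}")
    return dict(findings)


def timeline(events, host):
    """Forensic view: chronological one-line summaries of everything recorded for one host."""
    lines = []
    for ev in events:
        if ev["host"] != host:
            continue
        detail = {k: v for k, v in ev.items() if k not in ("ts", "host", "type")}
        lines.append(f"{ev['ts']:%Y-%m-%d %H:%M:%S} {ev['type']:<16} "
                     + " ".join(f"{k}={v}" for k, v in detail.items()))
    return lines


if __name__ == "__main__":
    evs = parse_events(SAMPLE_TELEMETRY)
    for host, hits in detect(evs).items():
        print(f"== {host}: {len(hits)} finding(s)")
        for hit in hits:
            print("  ", hit)
        print("  -- timeline --")
        for line in timeline(evs, host):
            print("  ", line)
```

The detection side fires only on pc-117, where the chain is complete; pc-042 shows ordinary browser activity and produces no findings, but its timeline is still retained, which is the forensic value the post describes: the same raw events serve both the alerting rule and the after-the-fact reconstruction.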

Let me step back a bit and provide some context here. Advanced malware circumvents traditional security controls and ends up compromising host computers (mostly endpoints). In spite of the fact that enterprises typically have thousands of Windows PCs, they are virtually blind to what happens on the actual devices. This issue was illustrated in a recent ESG Research survey in which security professionals working at enterprise organizations (i.e., more than 1,000 employees) were asked to identify their weakest areas of endpoint security monitoring. Here are some of the results:

• 41% of organizations say, "monitoring applications installed on each and every device"
• 36% of organizations say, "monitoring suspicious/malicious network activity coming from endpoints"
• 36% of organizations say, "monitoring downloads and/or execution of suspicious/malicious code"

In the past, very few companies monitored this kind of activity on a regular basis. Rather, they installed antivirus software on PCs, updated signatures and system patches, and checked a box on some compliance or governance to-do list. This strategy is not just ineffective; it leaves organizations blind to one of their biggest problem areas. Many security-conscious companies recognize these weaknesses and are actively addressing them with new tools and technologies.

A few parting thoughts about this trend:

1. When companies collect and analyze forensic data from thousands of PCs, you can bet that it will bring traditional security tools to their knees. This is yet another driver for big data security analytics from companies such as IBM, McAfee, RSA, and Symantec.

2. On the flip side, this will drive even more pressure on endpoint security software vendors. CISOs are already asking the question: “Why am I buying new security controls if I already buy and run endpoint security software on every host?” Look for M&A activity in this area next year.

3. This may impact companies like Guidance, HB Gary, and Mandiant that already play in the endpoint forensics space. On the plus side, new visibility into endpoint forensics could drive further sales, but some potential customers may opt for "forensics light" capabilities from AMD/P vendors instead.
