We can't stop every attack, so we need a new mantra: Detect and respond. Here are the essential tools, skills, and processes.

Michael A. Davis, CTO of CounterTack

December 3, 2014


Download the new issue of InformationWeek Tech Digest. (Free registration required.)

Rest in peace, antivirus. You had a good run for a security technology -- 1987 to 2014.

In case you missed it, in May, Symantec called time of death for antivirus software. It did so not because AV technologies suddenly became less effective. Rather, the company finally acknowledged that it's not a matter of if, but when, an organization will be targeted and that antivirus products will stop only some attacks. Plenty of security bloggers and pundits reacted with glee, given that antivirus software reportedly represents 40% of Symantec's revenue.

But it's not quite that simple. Eugene Kaspersky at the Kaspersky CyberSecurity Summit summed up the reality, likening antivirus software to a seatbelt -- you need it, but it's not the most important part of your protection efforts.

So when it comes to endpoint security in 2014 and beyond, what is most important? A willingness to aggressively shake up your strategy.

The endpoint is where the security war is now being waged; it has topped our list of breach vectors in the last two InformationWeek Strategic Security Surveys. Among the 2014 Strategic Security Survey respondents whose orgs were successfully attacked within the past year, 76% had at least one malware-driven breach, up from 69% in 2013, and 59% had at least one phishing-based breach.

A new approach is required. To extend Kaspersky's analogy, this is IT security's "airbag" moment. Airbags significantly reduce the risk of death in serious crashes, but while they were invented in 1952, they weren't operationally feasible in automobiles until the 1970s and not widely deployed until much later. The catalyst? The invention of the electronic data recorder, which tracks activity to determine when to deploy an airbag. Airbag technology allowed us to shift from building cars to withstand impact (big and lots of steel) to building cars to reduce the effects of an impact on occupants -- a significant change that has led to massive increases in both safety and efficiency.

Call to action
To cope with the changing threat landscape, you need a rich mix of tools and processes, a big dose of vigilance -- and to avoid getting discouraged. So many Fortune 500 companies, government agencies, and healthcare orgs have been in the news that we're seeing "breach fatigue," leading to some level of disheartenment. We asked the 536 respondents to our 2014 Strategic Security Survey, all from organizations with 100 or more employees, which security technologies they would retain if they could pick only three. Our goal was to find out which products earn their keep. The results weren't encouraging. While 89% have endpoint protection deployed, only 44% would hang on to these products. Most would jettison other widely used technologies, too, including patch and identity management.

As we discuss in the Strategic Security report, it's apparent that companies are buying products they know won't entirely solve their problems.

It's an issue, because no one has unlimited money for security. Just 37% of respondents saw increases in spending, even as the number of attacks skyrockets; 59% make do with 10% or less of the overall IT budget. Most -- 75% of more than 400 respondents to our 2015 Consumerization of IT Survey -- say the No. 1 barrier to allowing end users to connect their personal equipment to the organization's network is fear that the devices are infected with malware.

Guess what? IT's inability to afford new security products isn't going to stop the consumerization wave. So we'd better start thinking creatively. (Note: The author is CTO of CounterTack, which is in the endpoint threat detection and response market.)

Up the stack
Given the endless game of whack-a-mole that is IT security, it makes sense that, as antivirus effectiveness waned, security software vendors moved to network-level prevention. The idea: We won't need to scramble to keep malware off endpoints if we can block the exploit or malware at the email server or web gateway.

From network-based anomaly detection to advanced sandboxing, these tools flooded the market and worked great -- for a while. As they always do, attackers adjusted, adding new techniques, such as encryption and fast-flux DNS. It is an arms race, after all. Some attackers started to obscure their exploits, hiding in plain sight by blending with innocuous network traffic. Others simply stopped aiming at the network. No network traffic means no results from network detection tools.

Where did attackers shift their efforts, if not the network? The endpoint, where security technologies haven't evolved in years and corporate data is usually ripe for the picking.

What do we mean by endpoint? Any device sitting at the "end of the network," that any user interacts with, that is of interest to an attacker, and that runs an operating system. Endpoints include workstations, servers, mobile devices, and also those devices that power oil valves, nuclear power plants, and any other networked device on the Internet of Things. That's right, your Nest home thermostat is an endpoint, too. The definition is broad and expansive by design.

Read the rest of this story in the new issue of
InformationWeek Tech Digest. (Free registration required.)


About the Author(s)

Michael A. Davis

CTO of CounterTack

Michael A. Davis has been privileged to help shape and educate the global community on the evolution of IT security. His portfolio of clients includes international corporations such as AT&T, Sears, and Exelon as well as the U.S. Department of Defense. Davis's early embrace of entrepreneurship earned him a spot on BusinessWeek's "Top 25 Under 25" list, recognizing his launch of IT security consulting firm Savid Technologies, one of the fastest-growing companies of its decade. He has a passion for educating others and, as a contributing author for the *Hacking Exposed* books, has become a keynote speaker at dozens of conferences and symposiums worldwide.

Davis serves as CTO of CounterTack, provider of an endpoint security platform delivering real-time cyberthreat detection and forensics. He joined the company because he recognized that the battle is moving to the endpoint and that conventional IT security technologies can't protect enterprises. Rather, he saw a need to deliver to the community continuous attack monitoring backed by automated threat analysis.

Davis brings a solid background in IT threat assessment and protection to his latest posting, having been Senior Manager Global Threats for McAfee prior to launching Savid, which was acquired by External IT. Aside from his work advancing cybersecurity, Davis writes for industry publications including InformationWeek and Dark Reading. Additionally, he has been a partner in a number of diverse entrepreneurial startups; held a leadership position at 3Com; managed two Internet service providers; and recently served as President/CEO of the InClaro Group, a firm providing information security advisory and consulting services based on a unique risk assessment methodology.
