Human expertise filling endpoint security holes that defunct antivirus tools no longer can

Monitoring of endpoint traffic is key to modern security defences but a human element is also essential to make up for the deficiencies of outdated signature-based antivirus security solutions that haven't been effective for many years, a senior security consultant has warned.

The ubiquity of laptops, smartphones, tablets and other endpoint devices had created security exposures outside of the conventional security perimeter – which can't be effectively picked up by conventional firewall and security appliance-based security, Phillip Simpson, Asia-Pacific and Japan principal consultant with Dell SecureWorks, told CSO Australia.

“Historically customers have bought these fantastic appliances that are really good at picking up well-known attacks,” he explained. “But if you look at current attacks that customers are experiencing, they're not so much people trying to break in through traditional efforts – but people trying to break in through very well crafted phishing emails.”

This migration in security attack had increased the significance of the human element in mitigating exposure to security threats – although regular studies of human behaviour continue to show that despite years of education by IT security practitioners, users are still prone to click on convincingly tailored emails that are increasingly designed to appeal to specific types of companies or people in certain roles.

The 2015 Verizon Data Breach Investigations Report (DBIR), for one, found that a new phishing campaign can net its first victim within 82 seconds of the first email being sent out.

That leaves an extremely small window of opportunity to react, Simpson said, and in such circumstances conventional endpoint protection – typically achieved by loading signature-based scanners onto endpoint devices – is completely useless.

“There is a common misconception that antivirus solutions will protect endpoints,” he explained. “But that went away years ago because the bad guys can easily go to Web sites, upload their malware, scan it with all major antivirus engines and then change it until it's not detected.”

“Something else is needed for the 30 percent of malware that's written and executed but isn't picked up by antivirus platforms.”

Regular testing by the Enex TestLab eThreatz program, which regularly tests major antivirus tools against a random sample of current malware threats, has consistently found widely varying efficacy rates as vendors play leapfrog with new threats that in some cases have pushed detection rates down to zero.

As if it weren't bad enough that these tools are proving ineffective, their increasing circumvention by hackers was seeing entire industries peppered with emails that include industry jargon, third-party logos and other elements that are carefully designed to make the emails look legitimate.

Choosing the best targets requires nothing more than casual searching and browsing through social-media sites: malware authors “can spend 20 minutes on LinkedIn to find someone who is likely to click a link if you send it to them,” Simpson said, noting that phishing emails may be written to a template for an industry and then changed slightly based on the specific target.

“That's easier for malware authors than staying up all night and downing Red Bulls while they try to find a way to hack their way in.”

Australia was punching well above its weight in terms of its position as a target by phishers, he added, with its English-language usage and relative wealth meaning that it is typically targeted in the same actions as higher-profile US and UK targets. Australia also attracts attention from phishers due to its high usage of social media, which is increasingly being leveraged to drive targeted attacks that have made Australia the world's most-targeted social media victims.

Tapping into the human element

Despite the spread of technological solutions aiming to intercept or minimise damage from new attacks, Simpson believes the rapidly changing face of malware and novel forms of attack still require the involvement of human expertise.

Companies that are serious about their security, he said, need to be supported by a team of security specialists – either inhouse or, more frequently, working for an outsourced security provider – who can recognise an upswell in attacks against a particular industry vertical and warn other potential targets ahead of time about what to look out for.

“Some of this process is automatable,” he explained, “in the sense of collecting and gathering the requests, and looking for information on botnets. But the technology only gets you halfway there; at some point you have to have humans in the chain.”

“The real value comes from the human who has that experience in the malware group,” he continued. “That experience lets them look at an attack, read the intelligence and give you a sense of how serious the attack is; otherwise it all just becomes noise.”

The Dell SecureWorks team in which Simpson works, for example, has some 75 dedicated security experts around the world constantly monitoring the flow of attacks and analysing new threat intelligence on attacks as they happen.

This constant surveillance not only helps keep the organisation's view of the current threat environment up to date, but contributes to a recurring learning process. Over time, applied analytics allows such a team to not only learn what techniques malware authors are applying to their work, but to pick out the precursors to an attack and predict ahead of time what's coming.

Categorised according to verticals, this approach allows threat-intelligence providers to continuously work together to improve the forecasting and response capabilities that are collectively available to the security industry.

“The more advanced warning you have, the better prepared you are to respond,” Simpson said, noting that many organisations maintain their own internal security teams that work closely with Dell SecureWorks' experts to evaluate new threats and respond to them in real time.

“Researchers spend a lot of time looking through the underworld's underbelly looking for indicators of future attacks,” he continued, “and we have developed services that are specific to customers that let us predict an attack before it comes.”

“Getting access to the intelligence that we gather – not just on the customer but on their industry or region – helps the groups think as a whole. As long as we can see as many of those attacks as possible, everybody should benefit. We all have the same adversary.”

Dell SecureWorks CYBERINSIGHTS SURVEY - Go into the draw to win a GoPro Hero 3 Black Edition or to the equivalent a $500 Visa card voucher.

Start Survey Now!