A recent test showed that some well-known threat detection products were unable to detect custom-written malware samples thrown at them. Should enterprises still include these systems in their defense initiatives if they are ineffective? What other types of technologies and methods should be used for advanced persistent threat detection and prevention?
The current consensus on old signature-based antimalware tools is that they are ineffective against targeted attacks or any attack where malware is used that doesn't have a signature yet. The antimalware industry realized long ago that signatures alone are not sufficient to protect their customers; in response, they started adding heuristics, anomaly detection and other functionality (such as a host-based intrusion protection system). Many vendors say their new functionality can protect against an advanced persistent threat (APT) or targeted attacks.
The industry is now in the process of improving the new functionality to protect against ever-evolving attacks. The November 2014 Technical Report of MRG Effitas Ltd. and CrySyS Lab (along with other reports like it) is critical to making improvements and helping enterprises understand the limitations of current systems. Independent tests such as these provide an enterprise with a place to start when determining how a tool might fit into its environment and improve process efficiency.
Enterprises need to evaluate how any security tool operates in their environment; for an APT tool, this may take longer than the standard 30-day vendor evaluation, but an enterprise must be confident that the tool it chooses will provide the stated functionality and value.
The MRG Effitas and CrySyS Lab report reminds readers that anti-APT tools do not all function the same and may not be interchangeable in an enterprise's environment. Security teams should evaluate how an anti-APT tool would fit into their existing information security program and identify how it will integrate with their internal systems. They could even use actual attack data from their enterprise network to evaluate if and how the proposed tool would have protected it from an attack.
If an enterprise chooses a network-based anti-APT tool, it should still evaluate other protections, such as endpoint antimalware, whitelisting and host intrusion detection and protection tools, to see if they will be effective in complementing the anti-APT tool. Note that internal monitoring tools, log analysis, host-based intrusion detection and other technologies will also need to be updated to detect and prevent current threat vectors.
Ask the Expert:
SearchSecurity expert Nick Lewis is ready to answer your enterprise threat questions -- submit them now. (All questions are anonymous.)