A security vendor warned that firewalls, antivirus, filters and intrusion prevention systems are not enough to stop cyber-attackers from getting into the network.
So long as organizations continue to invest in security
products that are defensive, cyber-attackers will continue to successfully
breach networks and steal information, warned a security expert.
Organizations have invested in traditional defenses that are
"fundamentally reactive" as they rely on known methods of attack, Ashar Aziz,
CEO, CTO and founder of FireEye, told eWEEK. The fact that defense contractors
, L-3 Communications and Northrop Grumman
or companies like Dow
Chemical and Google are hit by cyber-attacks is not because they "forgot to do
something," but because the vulnerability is systemic and pervasive across all
organizations, according to Aziz.
Firewalls, antivrus, e-mail filters, Web gateway, intrusion
prevention systems and other security products are "obsoleted" by the current
threat, because they tend to use unexpected attack vectors or exploit zero-day
vulnerabilities. These existing products all require the threat to be analyzed,
understood, and a signature, patch or policy created to detect and block future
incidents. The "biggest security handicap" is that organizations invested in
technology that depends on defensive mechanisms, Aziz said.
"The underlying story
is that virtually every organization, whether it's a financial services
company, a large company like Google, or a technology company like Juniper
Networks, is equally vulnerable to attack," Aziz said.
To illustrate his point, Aziz mentioned two FireEye
customers - both defense contractors - who recently deployed FireEye's Malware
Protection System "downstream" from their existing security products. Within 24
hours, the MPS had detected a number of threats that had slipped past the other
systems, Aziz said.
"Every organization allows Web pages to come in. They don't
know which pages are going to attack and which ones are safe," Aziz said.
FireEye MPS creates a virtual execution environment to
processes all content that enters the network. As soon as the virtual
environment notices suspicious activity, whether it's a new process running, a
processing being arbitrarily shut off (such as the antivirus), or some other
unexpected change to the environment, the system blocks the malware from
continuing to execute. Once detected, MPS logs the events in real-time to track
what the malware is doing, such as installing a keylogger. The MPS can work
with e-mail to examine all incoming messages and attached files, as well as
process Web pages while the user is surfing the web.
Aziz compared letting the Web site or e-mail attachment
execute in the virtual environment to sending a canary down into the coal mine.
"If the canary dies, there's malware," Aziz said.
Existing security products tend to be reactive to the threat
and are incapable of protecting yesterday's threats, not the latest attack. However,
attackers are continuously evolving their methods and testing malware against
the same security products to ensure they can be bypassed. What organizations
need to do is to deploy "second-generation" security tools to "augment"
existing security products, Aziz said.
There are more nation-sponsored, advanced persistent
threats, but they aren't the only kind of attacks. Cyber-criminal motivated
attacks are equally successful in infiltrating and compromising organizations,
precisely because they use stealth tactics. Security products fail at
"counter-stealth," according to Aziz
Invincea is another
company that believes a virtual environment was necessary to trap threats from
executing on the network. Unlike FireEye, Invincea just puts the entire user
into a "protective bubble" when surfing the Web or opening up a PDF file, said
Anup Ghosh, founder and chief scientist of Invincea. The Web browser and PDF
reader open in a virtual environment so malicious scripts and programs can't
damage the user's computer or spill into the rest of the network, according to
The user has become the primary target for our adversaries,
regardless of whether the attacks are launched by cyber-criminals or
nation-states, Ghosh said. "Regardless of all the patches applied to
technology, one cannot apply a patch to Layer 8- the human brain," said Ghosh.
Curious users make mistakes that result in the network getting "pwned" and
intellectual property "exfiltrated, " he said.
"So far, the bad guys keep showing they're getting better
and smarter and rather than being proactive about potential threats and
attacks, the security industry is still reactive," said Ghosh.