Perimeter-Based Security: So You’re Saying You Detect The Malware After I Got It?
If you read my previous blog post then you already know that I like to dig into other vendors' websites and marketing materials.
In this post, I'd like to share with you another interesting aspect that I've learned about perimeter-based security solutions. Apparently, the bigger (and the smaller?) vendors claim that they constantly rescan files or links, even after these have been flagged as clean. The purpose is to lower the solution's false-negative rate and to alert on those threats retrospectively.
It does sound nice that you can be notified about a malicious file after it has entered your organization; I mean, better late than never, right? My claim is that it covers up a much bigger problem in today's detection engines.
Which files are scanned?
First, let's look at it economically: constantly rescanning every file from the last 7 days sounds really expensive. So it is probably not done exactly as described, and it's safe to assume that only a subset of those files is actually rescanned. How do they determine which files to rescan? I'll make an educated guess and say that the subset is chosen based on some characteristics of the files, or maybe on a low score they received on first sight. So the question to ask now is "what about the files that don't fall into these categories?" They go undetected even a week after they have entered the organization.
Why didn’t you detect it a week ago?
Second, what does it actually mean when, after a few days, a vendor suddenly detects a file? It means that they got new data on the file: a list of recently discovered malicious files received from a partner, more significant statistics on that file, or the malicious part of the file being triggered only after a few days. Either way, at the end of the day it means that they weren't good enough to detect the file on first sight. And more importantly, it means that you as an organization were exposed to this malicious file, and hey, it might already be too late.
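To make the argument in the two sections above concrete, here is an added Python model (not from this post or from any vendor) of a retrospective-scanning loop: a constructed intake log of files that passed as clean, a constructed vendor feed that flags some of them days later, and a rescan policy that only re-examines files inside a score-and-window subset. The file labels, scores, dates and policy thresholds are all assumptions chosen to show which files get a late alert and which never get one.

```python
from datetime import date, timedelta

# Constructed intake log: files that passed the perimeter as "clean" on first sight.
# (label, day first seen, initial suspicion score 0..100). Labels are placeholders, not hashes.
INTAKE = [
    ("file-A", date(2024, 1, 1), 15),   # low score: never selected for rescanning
    ("file-B", date(2024, 1, 1), 70),   # high score: rescanned while inside the window
    ("file-C", date(2024, 1, 2), 40),   # stays clean in this scenario
    ("file-D", date(2024, 1, 3), 55),   # rescanned, but vendor data arrives after the window closes
]

# Constructed vendor feed: the day each label was added to the vendor's malicious list.
FEED = {"file-A": date(2024, 1, 5), "file-B": date(2024, 1, 4), "file-D": date(2024, 1, 12)}


def rescan_candidates(intake, today, min_score, window_days):
    """Subset selection (assumed policy): only files seen within the last
    window_days whose first-sight score is at least min_score get rescanned."""
    oldest = today - timedelta(days=window_days)
    return [f for f in intake if f[1] >= oldest and f[2] >= min_score]


def simulate(intake=INTAKE, feed=FEED, start=date(2024, 1, 1), end=date(2024, 1, 14),
             min_score=30, window_days=7):
    """Run the daily rescan from start to end (inclusive).
    Returns (alerts, missed): alerts maps label -> days of exposure before the
    retrospective alert fired; missed lists feed-known-bad files never alerted on."""
    alerts = {}
    day = start
    while day <= end:
        for label, seen, _score in rescan_candidates(intake, day, min_score, window_days):
            if label in alerts:
                continue
            if label in feed and feed[label] <= day:
                alerts[label] = (day - seen).days
        day += timedelta(days=1)
    missed = sorted(label for label in feed if label not in alerts)
    return alerts, missed


if __name__ == "__main__":
    alerts, missed = simulate()
    for label, days in alerts.items():
        print(f"{label}: retrospective alert after {days} day(s) of exposure")
    print("never alerted:", missed)
```

With the default policy only file-B is ever alerted on, after 3 days of exposure; file-A is outside the score subset and file-D ages out of the window before the vendor learns about it, so both stay undetected.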
From our experience and the data we see at our customers, the time it takes a vendor to update its solutions ranges from 1 day to 12 days. Detecting threats on first sight is becoming THE purpose of cyber security today. Attackers are aware of that gap and take advantage of it: they use an attack like a disposable plate, throwing it away after a short use and recycling it into something brand new that most solutions can't detect.
The heavy investment in post-detection mechanisms (continuous rescanning and pull capabilities) raises serious doubts about the effectiveness of those engines, as it perpetuates the cat-and-mouse game, which is the attackers' preferred game because they are the ones holding the advantage.
What can you do about it?
My suggestion is to look for solutions that do not raise these questions and doubts, or even better, solutions that are 'attack-agnostic'. If a detection engine does not depend at all on what attacks look like, and doesn't 'care' that attacks pretend to be something else, it is more likely to detect attacks on first sight.