Using a risk model based on security statistics is a valid and useful approach to defending against cyber attacks. If one type of attack is affecting a large percentage of companies, a company can reasonably conclude that it may be next and take steps to defend against that attack. However, past statistics are sometimes not enough, and they can be misleading.
Fooled by Randomness: The Hidden Role of Chance in Life and in the Markets by Nassim Nicholas Taleb is a book that I found particularly insightful. I read this book before its predecessor, The Black Swan: Impact of the Highly Improbable. These books challenge thinking based solely on what is known, past statistics, and Gaussian distributions (or bell curves to you and me).
For example, in the book one investor was making a massive amount of money on a type of investment based on a pattern he discovered. Unfortunately, he did not consider that something outside this trend he saw might be possible. When the market changed, his wealth vanished.
The “Black Swan” in the first book is the idea that just because you have never seen a black swan, doesn’t mean one doesn’t exist. Decision-making based on faulty statistical logic can be very detrimental because often the random, catastrophic event causes much more damage than known risks.
This concept applies very well to the experience of many security people: they knew what was possible, but executives had not yet seen it happen to them personally, so they didn’t believe it would. That held until we reached the point where multiple cyber attacks and data breaches were in the news every day. Hopefully by now, security people have less trouble convincing others that breaches can and will happen and that companies should prepare for them.
Traditional Security Products Block Only the Known
Some security technologies base protection on past statistics. For example, a traditional anti-virus product blocks software that has already attacked someone else. When security professionals and tools determine that a file is a malicious executable, they derive a compact fingerprint from it: a hash of the file, or a “signature” that identifies the malware by various known characteristics such as distinctive byte patterns. A traditional anti-virus product or IPS (intrusion prevention system) then blocks files on hosts, or packets in network traffic, that match those known hashes or signatures.
Although signatures and hashes help block known threats, they do not protect against unknown attacks that no one has seen yet, in other words zero-day malware. At some point, every piece of malware was new. The malware could be based on prior malware but altered in some way so that it no longer matches the known characteristics used to identify and stop it. It could be polymorphic malware that constantly changes as it executes. A machine running only a traditional security product would be unprotected against it.
So, is the traditional approach of matching signatures and hashes useless? No! Known malware and known vulnerabilities still cause a vast number of cyber incidents. In the Q2 WatchGuard Internet Security Report, our Gateway Antivirus service caught 47% of malware reported by customers. Signatures and hashes are one of the most efficient ways to identify and block known malware, which improves the performance of security systems.
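To make the distinction between the two techniques concrete, here is an added example (not code from the original post or from any WatchGuard product) that runs a hash blocklist and a byte-pattern signature over three constructed byte strings: a “known bad” file, a copy with junk appended, and a rewritten variant. The sample bytes, the signature name and the hypothetical beacon URLs are all invented for illustration.

```python
import hashlib
import re

# Constructed stand-ins for a known malicious file and two altered variants.
# These are plain byte strings invented for this example, not real malware.
KNOWN_BAD = b"MZ\x90\x00 stage=ALPHA beacon=http://c2.invalid/ping\x00"
VARIANT_PADDED = KNOWN_BAD + b"\x00" * 32          # same bytes, junk appended
VARIANT_REWRITTEN = b"MZ\x90\x00 stage=BETA beacon=https://relay.invalid/p\x00"

# Hash blocklist: exact SHA-256 of files that have already been catalogued.
HASH_BLOCKLIST = {hashlib.sha256(KNOWN_BAD).hexdigest()}

# Content signatures: byte patterns an analyst found characteristic of the
# family. Broader than a hash, but still tied to what has been observed.
SIGNATURES = {
    "stage-alpha-beacon": re.compile(rb"stage=ALPHA beacon=https?://"),
}


def hash_match(data: bytes) -> bool:
    """True if this exact file has already been seen and blocklisted."""
    return hashlib.sha256(data).hexdigest() in HASH_BLOCKLIST


def signature_match(data: bytes):
    """Return the name of the first matching signature, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(data):
            return name
    return None


def classify(data: bytes) -> str:
    """Mimic a signature-based gateway: cheap hash lookup first, then patterns.
    Anything matching neither is 'unknown' and needs behavioral analysis."""
    if hash_match(data):
        return "blocked:hash"
    name = signature_match(data)
    if name:
        return f"blocked:signature:{name}"
    return "unknown"


if __name__ == "__main__":
    for label, sample in [("original", KNOWN_BAD),
                          ("padded variant", VARIANT_PADDED),
                          ("rewritten variant", VARIANT_REWRITTEN)]:
        print(f"{label:18} -> {classify(sample)}")
```

The padded copy slips past the hash but is still caught by the pattern signature; the rewritten variant matches neither, which is exactly the gap that behavioral and sandbox analysis are meant to cover.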
Protecting Against the Unknown
How can companies protect systems and networks from the unknown? WatchGuard offers security services that spot malware never seen before using many different techniques not based on signatures or hashes.
- WatchGuard APT Blocker focuses on behavioral analysis, identifying and submitting suspicious files to a cloud-based sandbox where the code is emulated, executed, and analyzed to determine its threat potential.
- WatchGuard Gateway AntiVirus now uses signatures and dynamic heuristic analysis (behavior analysis) with code emulation to catch polymorphic viruses and malicious code that signatures can’t catch.
- WatchGuard Threat Detection and Response (TDR) is a collection of tools that correlate threat indicators from Fireboxes and Host Sensors to stop known, unknown and evasive malware threats.
- WatchGuard Dimension is an award-winning security monitoring product that provides visibility and reporting to help companies identify network security threats, issues, and trends. This information helps network administrators create security policies based on environment specific data.
Security Services Need to Be Enabled to Protect You
The entire WatchGuard suite of tools offers an array of techniques to identify unknown as well as known malware. The most important thing WatchGuard customers need to do is to enable the different services on their Fireboxes and endpoints. WatchGuard offers advanced protection by delivering many services that work together, but only the enabled services can help. Make sure you are getting all the protections available by following the instructions in the documentation and contacting WatchGuard customer support if you need help. — Teri Radichel (@teriradichel)