Protecting your organization from advanced threats has always been difficult. Adversaries innovate constantly, changing their attack vectors and finding new ways to infiltrate their target environment. The Trickbot trojan is one of the best examples; its authors have used news coverage from President Trump’s impeachment trial and the WSReset UAC Bypass among other changes to push the trojan past antivirus and malware scanners.
The latest Ponemon Institute research on the State of Endpoint Security Risk makes this abundantly clear. According to Ponemon, 68 percent of respondents have seen the frequency of attacks against their endpoints increase over the last 12 months. Additionally, 73 percent of respondents noted an increase in new or unknown attacks against their organizations more generally. Further complicating matters is that 51 percent of organizations in the Ponemon study say that their organizations aren’t effective at surfacing threats because their endpoint security solutions are failing to detect advanced attacks.
These stats combine to show a few things: organizations face more cyberattacks each year and protecting against those attacks has gotten much harder.
Almost as long as cyberattacks have existed, there have been antivirus solutions designed to prevent organizations from being breached. At one time, those attacks were mostly file-based malware and could be identified by its unique signature. Antivirus solutions correspondingly started to become databases of known malware signatures; if a malware with that signature tried to breach the protected system, it was stopped from executing.
Today, almost every signature-based antivirus solution blocks the same malware using the same signatures. It’s table-stakes, in fact, to borrow a phrase from the marketing world. However, the incidence of malwares that have file signatures is on a decline. Instead, more adversaries now use fileless attacks and in-memory exploits to breach organizations.
According to Ponemon, 41 percent of attacks are expected to be fileless in the coming year. That’s an increase of 17 percent year over year. File-based attacks, by contrast, are expected to decline 9.23 percent in the year ahead from 65 percent to 59 percent of attacks. With the increase in fileless attacks, signature-based antivirus solutions aren’t enough to protect any organization.
Moreover, according to Ponemon, an average of 80 percent of successful breaches are new or unknown “zero-day attacks.” These are the kinds of things that don’t have a signature yet or use polymorphic techniques to circumvent cybersecurity solutions.
Zero days can even stymie the next-gen antivirus solutions that leverage machine learning to detect malicious activity. This is especially true if the zero day is comprised of attributes that were not present in the sample set that was used to train the machine learning algorithm that NGAV uses.
The shifting nature of malware shouldn’t be news for cybersecurity professionals. With 56 percent of organizations changing their antivirus solution in the past two years, according to Ponemon, it’s clear that security teams understand the need for improved protection against cyberthreats. The risk of a breach will only grow over time; the cost of a breach has already increased to $8.94 million from $7.1 million -- an increase of 26 percent year over year.
Organizations and governments need to have the right kind of protection in place to secure their endpoints and critical IT infrastructure from the ever-changing threat landscape. Detection- and signature-based technologies are ill-equipped to respond to the kinds of cyberattacks organizations can look forward to facing in the years ahead.
Even endpoint security tools that emphasize machine learning and predictive models can only go so far. Machine learning is easy to confuse with added noise -- something malicious actors have the power to add into their malware -- and many NGAV and EDR solutions still require manual action to determine the validity of any security alert. This makes detection-based antivirus software ill-suited for the world of evasive malware and in-memory exploits.
For effective endpoint security in the modern world, organizations need a modern solution. Ultimately that comes down to exploit prevention and memory protection as two of the most crucial capabilities that any security product needs to truly keep down your cybersecurity risk.
Signature- and detection-based solutions are fantastic at blocking or alerting on known malicious behavior or files. Where they fall down, and this can also be true for NGAV software, is when it comes to protecting application or system memory against evasive malware. Zero-day attacks are on the rise, and often the most damaging kind are the ones where application memory is used as stepping stone in a lateral movement attack.
Adding memory protection to your security stack prevents the types of attacks that make headlines by bypassing NGAV and EDR. Whether that’s through a solution that employs moving target defense or some other methodology, the reality is that if you’re not protecting application memory with a purpose-built solution then your organization is left open to an attack that exploits those resources.
The frequency of new or unknown attacks will more than double in the coming year, according to Ponemon research, taking up 42 percent of cyberattacks against the average organization. Signature- and detection-based solutions are ill-equipped to ensure endpoint security against this deluge of innovative cyberthreats. Software focused on prevention can help reduce the risk you face against the rising tide of unknown threats, even though the reality is that securing your endpoints is harder than ever.