Change in the World of Information Security
This year, Cerdant implemented and became a reseller of what we believe is the most effective endpoint security solution in existence. It’s called Cylance. You may have seen their advertising in airports or in trade publications. Simply put, it’s a game changer. Today, I can state with a high degree of confidence that the effectiveness of this product is the highest of any security technology in the market that we know of. In addition, there are features of this cloud managed solution that don’t exist on other endpoint solutions which will increase your security by helping to manage the things that your end users do to jeopardize your data. The following is an overview of the product and the reasons we feel it’s a necessary solution for data security.
I feel fairly certain that if we interviewed every one of our customers, we would find that they take the same steps to secure their data that they have been for a long time. They use Anti-Virus. They have firewalls with signature-based Deep Packet Inspection (DPI). They backup their data every day. In some cases, they may have implemented some “security best practices” such as restricting user privileges and access. And almost everyone has some form of spam filter. A spam filter is judged, not on how well it prevents malware, but on how well it keeps your mailbox from filling up with junk.
The hope among us all is that after taking all of those steps, we can rest fairly well knowing that we did all we could and that we’re as safe as we can be within reason. Well, let’s just review how well that strategy is working. Let’s just assume for a moment that the core of your security is built around three key technologies; firewalls, anti-virus and backup. Of course, there are other steps companies can take to improve their security posture, but these three things are the backbone of any company’s security. If I were to tell you that two of those three technologies were losing their effectiveness, you might first be incredulous, but if you became convinced you might then be concerned.
For the vast majority (over 90%) of all businesses, that statement is true. That’s because, in spite of the changes in the security landscape over the past several years, businesses have done little to change the technologies they use to protect their data. It’s no wonder why. Change is hard and if it costs more money, it seems nearly impossible to quantify the return on investment. For almost all other technology investments, there is a clear value. You buy a new server because your old one can’t keep up with your growing business. You purchase productivity software to get more done with less human effort. And when you make those investments, you feel the immediate benefit of having done so. Security technology isn’t like that. It fights two headwinds; inertia and measurable return on investment.
But change is necessary in order to protect your data, so let’s begin by returning to my earlier statement that two of the three most important technologies you use to secure your data are becoming less effective. Those technologies are firewalls utilizing DPI and anti-virus. They both have a common feature used to defend against malware and that is the ability to block it by matching it to a signature database of known malware. I’m sure at one point in the past, the effective rate of this prevention method was above 90%. Depending on the source quoted, today it has dropped to less than 50%. The “Achilles heel” of this strategy lies in the words “known malware”.
Signature-based solutions rely heavily on a collaboration between various industry organizations and other technology to maintain an up-to-date list of malware and associated signatures. Unfortunately, signature-based solutions use a method of detecting malware that is easily circumvented with a few changes to a file containing malicious code. In fact, the industry organizations that work together to identify malware are also used by the bad guys to determine if their code will be picked up by popular AV solutions. If you visit the site you can upload a file that you are concerned about and it will render a verdict and show you which of the dozens of AV solutions will pick it up. The trouble is, the same site is available to the authors of malware so they can test their results (which they do) before releasing a zero-day threat that they know will get past most defenses.
Even if your anti-virus or other technology has heuristic or “sandbox” technology, those features only provide incremental improvement to the catch-rate. The reason, once again, is that the bad guys already know what technology is being used to stop them and they design their software to circumvent those features. In the case of heuristics or sandboxing, those technologies rely on the results of detonation or the execution of the program in a virtual environment so they can observe behavior and render a verdict before allowing the program to proceed. It didn’t take that long before malware authors figured out how to detect those features and take simple steps like delaying the malicious action until long after those technologies had to render a verdict and allow the application to run.
So let’s assume that what you’re doing isn’t working as well. It’s still working and after all, what’s the real threat out there? Ransomware in one form or another has been around for a very long time; perhaps 25 years or more. The problem was that it only worked in places where the path of payments could not easily be traced. That certainly doesn’t describe the US banking and monetary systems. Then a few years back an unrelated technology solved that problem. Bitcoin as a true currency had to reach the critical mass to the point that you could easily purchase it and it had a known value that was reliable. It was always untraceable, which is one of the features that made it popular in the first place. The result was that now bad guys could demand payment in a currency of a known value that could not be traced back to them. It has become the perfect storm. Estimates are that in 2016, the amount of ransom paid was approximately $100 million worldwide. In 2017, that number is expected to top $1 billion.
The difference with ransomware versus almost all other malware is that the payment method makes it possible for any 18 years old with a PC and a little time on their hands to craft their own unique version of the malware and launch it on any organization they choose. It can even be used on a company they used to work for and they can make good (untraceable) money. The toolkits needed to create this form of malware can easily be found with Google.
Unfortunately, several of our customers have been hit over the past year by ransomware. And when that happens, the last line of defense is the other leg of the stool; backup or rather restoral. Then comes the two most common IT prayers. “Please God let the files I need be in the backup set” followed by “Please God let the restoration complete without errors.” But even if your prayers were answered, the time and disruption associated with this last line of defense is significant. It still costs money.
So what is the solution? There are only a few things standing between your business and ransomware. Using a layered security approach is an idea that has been around as long as there has been malware. Removing your firewall and getting rid of anti-virus just because they’re less effective may not be the best solution. They’re still effective, but the gap between what they stop and what they don’t stop has become significant as to require a change in strategy.
The latest technology in the fight against cyber criminals is endpoint security utilizing AI (Artificial Intelligence) and it’s reasonably affordable and easy to deploy. So let’s assume for the moment that one of your employees or end users is surfing the Internet and is presented a screen advising them that their Adobe Flash player is out of date and that they need to update immediately. Unless 100% of your employees would never think of clicking on that “OK” button, you are now at risk for ransomware. Once they click on that button, then it’s up to either your firewall or your AV to stop that file. We just discussed how well that works so then let’s assume that file is headed to the PC. What endpoint security software utilizing AI does is examines the file for its attributes. It doesn’t detonate it in a sandbox. It examines the code for what it wants to do and it doesn’t care if it plans to do it now or later. It then decides if that code is malicious and renders a verdict before it can even execute. It doesn’t need signatures because it doesn’t use that methodology. And unlike traditional AV, even if you have a computer that’s been turned off for a couple of weeks, it doesn’t need to reach out for updates before it’s safe to use it.
We hope you’ll take some time to consider this important solution. If you then feel like you want more information, please contact our sales team or call us at 877.616.9384. You can also read more about Cylance on our website.