Detection or Prevention – Which of Them Actually Stops Zero-Day Malware?
October 29, 2018
It’s a simple matter of fact: zero-day malware has repeatedly bypassed even the most advanced detection mechanisms on the market. That alone should illustrate how defenseless organizations are when they try to protect themselves against one of the most sophisticated threats with tools that were never built for it. Perhaps this mindset is what helped lead us to the point where there were 1,579 publicly disclosed data breaches in 2017, a 44% increase from 2016.
Make no mistake: detection solutions are the most common form of cyber defense in organizations today, and for good reason. They provide visibility and insight into how often an organization was attacked, where the attacks came from, where they were stopped, or where they were headed. But they fall short on the most important challenge: stopping the attack from ever happening in the first place.
When it comes to choosing the right cyber ecosystem, the real risk seems to lie in choosing one over the other. Deployed separately, detection and prevention are each imperfect at best; combined, they appear to be the ultimate technological mix for a comprehensive cyber defense, including against zero-day malware exploits.
And here’s why:
Detection: snapping the trap
In 2015, threat detection solutions, or security event and incident management (SIEM), formed the fastest-growing segment of the security market, with spending jumping 15.8% from 2014. According to Gartner, this trend towards detection is far from over and is expected to continue through 2020.
Detection-based solutions are, of course, vital; if a mouse gets in the house, you want it caught in a snap trap. Further, detection-based solutions provide additional benefits to organizations, most significantly with the visibility they provide into the types of attacks being levied at the organization, the employees most frequently targeted, the systems being targeted, the vulnerabilities that exist, how the attacker was able to maneuver once inside the network, and how the organization’s cybersecurity tools performed in the face of an incident.
Detection is an essential component of strong cyber defense. If an attacker manages to get into an organization, they need to be stopped. Further, if organizations are going to improve their cybersecurity, the information that can be gleaned from detection solutions will go a long way towards informing decisions on technology needs, system fortifications, and employee training.
However, it’s not enough.
The damage done before the trap is snapped
If you catch a mouse in your house, that mouse is no longer free to get into your pantry and eat your food. A good thing, certainly. However, that doesn’t erase what the mouse was already able to do. On an internal network, this could mean a backdoor was installed, administrative accounts were compromised, or customer data was stolen. This is one of the main problems with detection, and it shows in cyber attack statistics. According to the Ponemon Institute’s Cost of a Data Breach study:
In 2017 it took an average of 191 days for a data breach to be detected, and 66 days for it to be fully contained.
Further, in a world where unknown threats and zero-day malware are being developed continuously, a cybersecurity posture that relies solely on detection solutions recognizing suspicious or malicious behavior from brand new threats is woefully substandard.
Today’s cyber attacks, especially zero-day malware attacks, are sophisticated enough to evade even the best detection mechanisms. Perhaps not indefinitely, but certainly long enough for damage to be done. Because many detection solutions are signature-based, they are not equipped to detect new malicious code or malware, rendering them entirely irrelevant for stopping the threats coming from dangerous cyber criminals. Some malware is even sophisticated enough to recognize that it is running in a sandbox and will wait until it is outside the sandbox to execute its malicious code.
Prevention: rendering the snap trap unnecessary
Prevention-based cybersecurity solutions are all about stopping attacks before they ever really become attacks. Forget the snap trap: prevention means keeping the mouse from ever getting into the house in the first place, by stopping the attack from ever gaining a foothold in the target network or system.
Prior to the fundamental shift towards detection-based solutions in 2014 and 2015, prevention had been the basis of cybersecurity strategies for decades. Well-known and widely used prevention solutions include firewalls, malware scanners and endpoint protection platforms. However, while these can all be integral components of a comprehensive cybersecurity strategy, many of them rely on signature-based monitoring or on whitelisting and blacklisting to identify threats and attack attempts. For known threats, these tactics are highly efficient. For unknown threats like zero-day malware, they are scarily insufficient, and the unknown threat will slip right through the preventative measures.
Letting a brand new breed of mouse into the house
While all prevention solutions are dedicated to stopping attacks before they start, only select prevention solutions truly prevent every attack attempt they encounter. A dedicated solution for preventing file-borne zero-day malware, as well as all other known and unknown file-borne threats, is an invaluable layer of security, one that should be combined with leading detection-based solutions for the most comprehensive cybersecurity possible.
In 2018 (and beyond), any comprehensive cybersecurity strategy has to have both detection and prevention layers, and those prevention layers need to be carefully selected. Neglecting either detection or prevention is likely to end in a disaster, such as a headline-grabbing data breach or an embarrassing ransomware incident costing organizations six, seven or even eight figures by the time it’s all been cleaned up.
Benjamin Franklin once said, “an ounce of prevention is worth a pound of cure.” This seems to be true both in medicine and in cybersecurity, and the reality is that today you have the tools to prevent what can be prevented, detect what can’t, and avoid the potential disaster that comes from failing to do both.