Traditional approaches to managing security through checklists, rules, and compliance can't keep up with the increasing malware volumes and propagation rates we are seeing today. A case in point: several recent threat reports detail the severity of the modern threat landscape, where:
- A total of approximately 1.81 million website redirect events were used in 2013 to infect endpoints (Websense Threat Report 2014, registration required).
- Known malware -- including ransomware and rootkits -- grew about 15%, totaling approximately 196 million unique samples (McAfee Threat Report Fourth Quarter 2013).
- Application vulnerabilities are about 175% higher than operating system (OS) and browser vulnerabilities combined (Microsoft Security Intelligence Report Volume 15).
With the rapid proliferation of mobile technology, traditional personal computing devices today represent a much smaller share of endpoint devices than in the past.
In the report "Enterprise Endpoint Protection When the Consumer Is King" (subscription required), Gartner indicates that, even though traditional personal computing devices like laptops and desktops represent a smaller share of endpoint devices used, they still represent the most infected and require the most effort to secure. Additionally, due to our continued use of traditional signature-based or blacklisting technologies, these devices remain the primary target for cyberattacks.
A game of cat and mouse
At a high level, the four primary goals of almost all cyberattacks are to target a vulnerability, drop a payload, remain undetected, and harvest data. But today it's not feasible to keep playing "cat and mouse" with cyber criminals who have invested significant effort in understanding our blacklisting technologies' weaknesses, strengths, and even how they handle different attack patterns. With this knowledge, cyber criminals are able to wreak havoc by:
- Developing attacks that have limited distribution and are intended for targeted individuals or organizations
- Circulating attacks quickly to ensure that blind spots in blacklisting technologies can be exploited
- Creating noise to divert the security team's attention and increase the possibility of an attack going unnoticed.
As the ineffectiveness of blacklisting creates greater opportunities for attacks, we as security professionals must re-evaluate whether continuing to model our methodologies on the principle of constant "known-bad" protection is working. More importantly, as our IT infrastructure expands further to accommodate mobile computing platforms, desktop virtualization and the cloud, we must work towards implementing security controls that are based on dynamic "known-good" protection.
To do this, we have to turn our attention to the security strategies that reduce our attack surface(s) through deny-by-default application control mechanisms and vulnerability management.
Consider all of the security controls we deploy to traditional personal computing devices -- anti-virus, intrusion prevention, data loss prevention, and so on. These are just a few of the security technologies that contribute -- in varying degrees of effectiveness -- to endpoint protection. However, to maintain acceptable risk levels in the face of increasing threats and evolving technologies, we must change our outlook and approach endpoint protection strategy from a risk-based perspective.
There are many technologies that contribute to reducing the attack surface of traditional personal computing devices. Historically, our industry has followed blacklisting security models that define what should be restricted and implicitly allow everything else, but this is proving ineffective due to declining detection rates.
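The difference between the "known-bad" and "known-good" models above comes down to a single default decision. The following simulation is an added example, not code from the article or any product it alludes to: it evaluates the same set of constructed executables (paths, file contents, publisher names and "malicious" labels are all made up for the demonstration; hashes are computed from the constructed contents) under a blacklist policy and under a deny-by-default allow-list policy, and reports which malicious samples each policy would have let run.

```python
"""
Known-bad (blacklist) versus known-good (deny-by-default allow-list) policy
evaluation, simulated over a constructed set of executables.

Added example, not code from the article. File paths, file contents,
publishers and "malicious" labels are constructed; SHA-256 values are
computed from those constructed contents.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Executable:
    path: str
    content: bytes                   # constructed stand-in for the file bytes
    publisher: Optional[str] = None  # verified signer name, or None if unsigned
    malicious: bool = False          # ground truth, known only to this simulation

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


# Constructed sample set. The last entry models a never-before-seen dropper:
# no vendor has analysed it yet, so no blacklist signature exists for it.
SAMPLES: List[Executable] = [
    Executable(r"C:\Program Files\Vendor\app.exe", b"vendor-app-v1",
               publisher="Vendor Inc"),
    Executable(r"C:\Windows\System32\notepad.exe", b"notepad",
               publisher="Microsoft Windows"),
    Executable(r"C:\Users\alice\Downloads\invoice.pdf.exe",
               b"known-ransomware-family-A", malicious=True),
    Executable(r"C:\Users\alice\AppData\Local\Temp\update.exe",
               b"never-seen-before-dropper", malicious=True),
]

# Blacklist: hashes of samples that have already been analysed and signatured.
KNOWN_BAD_HASHES = {
    hashlib.sha256(b"known-ransomware-family-A").hexdigest(),
}

# Allow-list: trusted publishers, plus explicit hashes for approved unsigned
# binaries (empty here; an in-house tool would be added by hash).
TRUSTED_PUBLISHERS = {"Microsoft Windows", "Vendor Inc"}
APPROVED_HASHES: set = set()


def blacklist_policy(exe: Executable) -> str:
    """Known-bad model: block only what is on the list; everything else runs."""
    return "BLOCK" if exe.sha256 in KNOWN_BAD_HASHES else "ALLOW"


def allowlist_policy(exe: Executable) -> str:
    """Known-good model: deny by default; run only what is explicitly trusted."""
    if exe.publisher is not None and exe.publisher in TRUSTED_PUBLISHERS:
        return "ALLOW"
    if exe.sha256 in APPROVED_HASHES:
        return "ALLOW"
    return "BLOCK"


def evaluate(samples: List[Executable] = SAMPLES) -> Dict[str, Tuple[str, str]]:
    """Map each path to (blacklist decision, allow-list decision)."""
    return {exe.path: (blacklist_policy(exe), allowlist_policy(exe))
            for exe in samples}


def missed_malware(policy, samples: List[Executable] = SAMPLES) -> List[str]:
    """Paths of malicious samples that the given policy would have let run."""
    return [exe.path for exe in samples
            if exe.malicious and policy(exe) == "ALLOW"]


if __name__ == "__main__":
    for path, (bl, al) in evaluate().items():
        print(f"{path:55} blacklist={bl:5} allow-list={al}")
    print("missed by blacklist: ", missed_malware(blacklist_policy))
    print("missed by allow-list:", missed_malware(allowlist_policy))
```

The unseen dropper is the interesting row: the blacklist allows it because no signature exists yet, while the allow-list blocks it without knowing anything about it. The trade-off is that the allow-list's trust now rests on publisher rules and an approved-hash set, so those lists need their own change control, and a publisher rule should be scoped as narrowly as the environment permits.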
Look on the bright side
With a risk-based approach, instead of managing threats through the specific functionality of individual technologies, we manage the attack surface, with the goal of reducing a much larger number of threats without getting into specifics. In 2010, for example, when the Australian Signals Directorate adopted a risk-based approach to mitigating targeted cyber intrusions, it found that no single security control prevents malicious activity, but a combination of specific "positive security" strategies proved to be 85% effective in mitigating intrusions.
A risk-based or positive security methodology will also result in demonstrable business benefits with respect to traditional personal computing devices by:
- Displacing security controls (such as antivirus) that have become ineffective and/or contribute little value to the overall endpoint protection
- Improving overall endpoint performance by eliminating (blacklist) signature databases that consume significant network and system resources
- Reducing the strain on supporting infrastructure(s) for deploying (blacklisting) signature updates across remote locations
- Enhancing operational efficiencies by lessening the work effort required to reactively maintain security technologies.
By changing our endpoint protection strategy to follow positive security models, we align with the proven industry practices of least privilege and deny by default, and we position ourselves as attack-agnostic, able to be more relaxed about attack-signature deployment. In an environment where threats are a constantly moving target, this approach is a far more effective endpoint protection strategy.