Back in 2013, General Keith Alexander of US Cyber Command sounded an alarm at a cybersecurity conference, alerting corporations and government agencies of an increased threat of cyberattacks. He called the billions of dollars in intellectual property flowing out of the country “the greatest transfer of wealth in history” and warned that unless we do something, the consequences would only intensify. “Mark my words,” he continued, “it’s going to get worse. The disruptive and destructive attacks on our country will get worse and if we don’t do something, the theft of intellectual property will get worse.”
Six years later, General Alexander’s warning rings truer than ever. It’s no longer “if” a breach is going to happen, it’s “when”, with thousands of companies getting hacked every year, compromising hundreds of millions of sensitive records and costing organizations millions in remediation and recovery efforts. According to Cybersecurity Ventures, cybercrime damages are expected to rise to $6 trillion annually by 2021 – a doubling from $3 trillion in 2015.
So, what’s being done about it? Ironically, as the number and severity of attacks continue to rise, so does the amount of money companies and governments spend on cybersecurity. According to new Gartner research, spending on information security will exceed $124 billion by the end of 2019. And yet, despite billions spent on detection, the greatest transfer of economic wealth in history is still going on. We can do better!
Detection-based tools alone can’t protect against polymorphic malware
It’s clear that simply throwing more money and resources at the problem is not solving the crisis. It’s time for organizations to fundamentally re-examine their approach to security, find out why their current tools still fail to protect, look beyond compliance and detection, and invest in innovative protection solutions that put them strategically ahead of the attackers.
Most of today’s malware attacks are not sophisticated or targeted exploits created by state-sponsored hacking groups or highly organized criminal syndicates. They’re often opportunistic attempts orchestrated by petty criminals with the help of abundant hacking services and readily available components sold on the dark net. Yet these attacks continue to successfully, and rather easily, penetrate detection-based defenses by becoming polymorphic – constantly changing their byte patterns, and with them their hashes and signatures, so that antivirus and other malware detection tools no longer recognize them as “known” threats, even though what the code does once it runs has not changed at all.
Need more evidence? A May 2018 Security Week article suggests that as much as 98 percent of malware uses evasion techniques to circumvent detection – a finding corroborated by other research. Pattern-matching signature-based detection tools are frequently powerless against these polymorphic threats, unable to identify them until they have unleashed their payload. It’s also been over five years since a senior Symantec executive declared that “anti-virus is dead” and admitted that signature-based AV is only able to detect circa 45% of cyberattacks. While AI-based automated endpoint detection tools are gaining popularity, the fact is that even the most advanced, AI-based detection tools are still playing catch-up with polymorphic malware authors.
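To make concrete why hash and byte-pattern signatures lose to polymorphism, here is an added toy experiment. It is example code written for this article, not Bromium’s code and not real malware: a harmless marker string stands in for the payload, and a one-byte XOR “packer” with a random junk prefix stands in for a polymorphic engine (real packers are far more elaborate; the names, seed and layout are this example’s own assumptions). The defender gets to see generation 0 and writes signatures from it; every later generation has a different hash and different bytes, yet decodes to the identical payload, which is only visible once the sample has unpacked itself, i.e. after it has run.

```python
import hashlib
import random

# Constructed, benign stand-in for a malicious payload. It is plain text so the
# example runs anywhere; nothing here is executable or harmful.
PAYLOAD = b"MARKER:simulated-malicious-payload; same behaviour in every generation"
MARKER = b"MARKER:simulated-malicious-payload"


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def polymorph(payload: bytes, key: int, rng: random.Random) -> bytes:
    """Emit one generation of a toy polymorphic sample.

    Layout: [junk_len][junk bytes][key][payload XOR key]. The junk prefix and the
    key change per generation, so the bytes on disk (and their hash) change, while
    the decoded payload, i.e. what the sample does once unpacked, stays identical.
    """
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(4, 32)))
    return bytes([len(junk)]) + junk + bytes([key]) + xor_bytes(payload, key)


def unpack(sample: bytes) -> bytes:
    """The sample's own decoder stub: what happens at execution time."""
    junk_len = sample[0]
    key = sample[1 + junk_len]
    return xor_bytes(sample[2 + junk_len:], key)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_detect(sample: bytes, known_hashes: set, known_patterns: set) -> bool:
    """Static, signature-based detection: hash blocklist plus byte-pattern search."""
    return sha256(sample) in known_hashes or any(p in sample for p in known_patterns)


def behavioural_detect(sample: bytes) -> bool:
    """Detection on the unpacked content, i.e. only after the sample has 'run'."""
    return MARKER in unpack(sample)


def run_experiment(generations: int = 10, seed: int = 1234) -> dict:
    rng = random.Random(seed)
    # A packer would not reuse a key back to back; drawing distinct keys makes
    # that explicit and keeps the run deterministic for a given seed (assumption).
    keys = rng.sample(range(1, 256), generations + 1)

    # The defender captures generation 0 and writes signatures from it: its hash,
    # a 16-byte pattern from its encoded body, and the plaintext marker.
    first = polymorph(PAYLOAD, keys[0], rng)
    known_hashes = {sha256(first)}
    known_patterns = {first[-16:], MARKER}

    hashes = {sha256(first)}
    static_hits = behavioural_hits = identical = 0
    for key in keys[1:]:
        sample = polymorph(PAYLOAD, key, rng)
        hashes.add(sha256(sample))
        static_hits += int(signature_detect(sample, known_hashes, known_patterns))
        behavioural_hits += int(behavioural_detect(sample))
        identical += int(unpack(sample) == PAYLOAD)
    return {
        "generations": generations,
        "unique_hashes": len(hashes),
        "static_detections": static_hits,
        "behavioural_detections": behavioural_hits,
        "identical_behaviour": identical,
    }


if __name__ == "__main__":
    print(run_experiment())
```

The point of the experiment is the gap between the two detectors: the static one never fires after generation 0, because nothing it matched on survives re-encoding, while the check on the unpacked content fires every time. That content only exists once the decoder stub has executed, which is exactly the moment a signature-based tool is too late and an isolation-based control still has to be in place.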
As AI-security vendors learn more about the malware, the malware authors learn about the detection methods, adapting to the newest techniques with even smarter disguises and mutations. A number of cities, including Baltimore and Greenville, NC, have recently fallen victim to a strain of ransomware that slipped right past their next-gen antivirus tools because it was “new” and could not be matched to any known samples. Weeks later, Baltimore is still struggling to free its computers from the clutches of ransomware, and it may take many months and millions of dollars to get essential city services and operations restored completely.
Bromium: protection before detection
One of the most frustrating problems among enterprise security teams is alert fatigue. Traditional security tools produce so many false positives that trying to investigate even the most serious-looking ones takes countless hours out of the SOC team’s day. At Bromium, we don’t rely on detection. The alerts generated by the Bromium Controller are overwhelmingly true-positive, legitimate malware attacks. The very fact that malware was able to get through detection tools and layered defenses and still find its way to the Bromium engine suggests that it’s a real threat and is worth looking into. First and foremost, however, Bromium is about protection. Our detection capabilities and threat telemetry are an excellent way to improve the organization’s overall security posture, but our main goal is to give our customers the peace of mind that no matter how new, rare, advanced, or polymorphic the malware is, their endpoint