Human expertise filling endpoint security holes that defunct antivirus tools no longer can

Monitoring of endpoint traffic is key to modern security defences but a human element is also essential to make up for the deficiencies of outdated signature-based antivirus security solutions that haven't been effective for many years, a senior security consultant has warned.

The ubiquity of laptops, smartphones, tablets and other endpoint devices had created security exposures outside of the conventional security perimeter – which can't be effectively picked up by conventional firewall and security appliance-based security, Phillip Simpson, Asia-Pacific and Japan principal consultant with Dell SecureWorks, told CSO Australia.

“Historically customers have bought these fantastic appliances that are really good at picking up well-known attacks,” he explained. “But if you look at current attacks that customers are experiencing, they're not so much people trying to break in through traditional efforts – but people trying to break in through very well crafted phishing emails.”

This shift in attack methods has increased the significance of the human element in mitigating exposure to security threats – although regular studies of human behaviour continue to show that, despite years of education by IT security practitioners, users are still prone to click on convincingly tailored emails that are increasingly designed to appeal to specific types of companies or people in certain roles.

The 2015 Verizon Data Breach Investigations Report (DBIR), for one, found that a new phishing campaign can net its first victim within 82 seconds of the first email being sent out.

That leaves an extremely small window of opportunity to react, Simpson said, and in such circumstances conventional endpoint protection – typically achieved by loading signature-based scanners onto endpoint devices – is completely useless.

“There is a common misconception that antivirus solutions will protect endpoints,” he explained. “But that went away years ago because the bad guys can easily go to Web sites, upload their malware, scan it with all major antivirus engines and then change it until it's not detected.”

“Something else is needed for the 30 percent of malware that's written and executed but isn't picked up by antivirus platforms.”

Regular testing by the Enex TestLab eThreatz program, which regularly tests major antivirus tools against a random sample of current malware threats, has consistently found widely varying efficacy rates as vendors play leapfrog with new threats that in some cases have pushed detection rates down to zero.

As if it weren't bad enough that these tools are proving ineffective, their increasing circumvention by hackers was seeing entire industries peppered with emails that include industry jargon, third-party logos and other elements that are carefully designed to make the emails look legitimate.

Choosing the best targets requires nothing more than casual searching and browsing through social-media sites: malware authors “can spend 20 minutes on LinkedIn to find someone who is likely to click a link if you send it to them,” Simpson said, noting that phishing emails may be written to a template for an industry and then changed slightly based on the specific target.

“That's easier for malware authors than staying up all night and downing Red Bulls while they try to find a way to hack their way in.”

Australia was punching well above its weight as a target for phishers, he added, with its English-language usage and relative wealth meaning that it is typically targeted in the same campaigns as higher-profile US and UK targets. Australia also attracts attention from phishers because of its high usage of social media, which is increasingly being leveraged to drive targeted attacks that have made Australians the world's most-targeted social-media victims.

Tapping into the human element

Despite the spread of technological solutions aiming to intercept or minimise damage from new attacks, Simpson believes the rapidly changing face of malware and novel forms of attack still require the involvement of human expertise.

Companies that are serious about their security, he said, need to be supported by a team of security specialists – either in-house or, more frequently, working for an outsourced security provider – who can recognise an upswing in attacks against a particular industry vertical and warn other potential targets ahead of time about what to look out for.

“Some of this process is automatable,” he explained, “in the sense of collecting and gathering the requests, and looking for information on botnets. But the technology only gets you halfway there; at some point you have to have humans in the chain.”

“The real value comes from the human who has that experience in the malware group,” he continued. “That experience lets them look at an attack, read the intelligence and give you a sense of how serious the attack is; otherwise it all just becomes noise.”

The Dell SecureWorks team in which Simpson works, for example, has some 75 dedicated security experts around the world constantly monitoring the flow of attacks and analysing new threat intelligence on attacks as they happen.

This constant surveillance not only helps keep the organisation's view of the current threat environment up to date, but contributes to a recurring learning process. Over time, applied analytics allows such a team to not only learn what techniques malware authors are applying to their work, but to pick out the precursors to an attack and predict ahead of time what's coming.

By categorising intelligence according to verticals, this approach allows threat-intelligence providers to work together continuously to improve the forecasting and response capabilities that are collectively available to the security industry.

“The more advanced warning you have, the better prepared you are to respond,” Simpson said, noting that many organisations maintain their own internal security teams that work closely with Dell SecureWorks' experts to evaluate new threats and respond to them in real time.

“Researchers spend a lot of time looking through the underworld's underbelly looking for indicators of future attacks,” he continued, “and we have developed services that are specific to customers that let us predict an attack before it comes.”

“Getting access to the intelligence that we gather – not just on the customer but on their industry or region – helps the groups think as a whole. As long as we can see as many of those attacks as possible, everybody should benefit. We all have the same adversary.”
