There are four primary stages in the malware attack cycle, and security strategies are breaking down at every one of them. Research shows that for many organizations, implemented security does not necessarily equal effective security.
That’s the word from Barkly, which found that for nearly half the organizations it surveyed, security designed to prevent malware delivery was bypassed, and a quarter of organizations suffered an attack that got past all security solutions and caused damage. In the last 12 months, malware was delivered to 47% of surveyed organizations, executed at 37%, caused damage at 25% and caused irreversible damage at 14%.
The issue is that too many companies have a focus on "protection" without a holistic view of how the pieces that make up that protection should work together. The result is a porous security posture that today’s sophisticated malware is making full use of, the firm concluded.
“[Protection] can refer to things as disparate as antivirus, backup or even cyber-insurance,” explained Jonathan Crowe, researcher at Barkly. “As a result, while it's certainly easy for companies to perpetually stack on more and more ‘protection,’ it can often be difficult to determine how various pieces of protection can work together. Not to mention make sure each one is protecting you in a different, complementary, non-redundant way…. We encourage companies to break down their stacks by mapping their current security solutions to the four primary stages of the attack cycle.”
The attack cycle consists of delivery, pre-execution, runtime (as malware attempts to execute, the goal is to identify and block it before damage can be done) and post-damage (remediation). An impressive four out of five companies say they have protection that addresses each stage of the attack cycle, with the numbers broken down like this:
- 94% reported they had security designed to prevent malware delivery (ex: firewalls)
- 84% reported they had security designed to prevent malware execution (ex: antivirus and next-generation antivirus)
- 82% reported they had security designed to block malware in the process of executing in real time (ex: runtime malware defense)
- 86% reported they had security designed to mitigate and/or clean up damage from malware (ex: backups)
But the responses show these precautions aren’t as effective as they should be. Of the half of respondents that had malware delivered, 79% had their pre-execution security bypassed as well. Two-thirds of those organizations suffered damage from the malware executing successfully. And despite reporting that they had some form of protection designed to stop malware during runtime, for 68% of the organizations that saw malware reach that point, the adventure unfortunately continued. Only a third were able to block all malware that was in the process of executing before damage was done. For over half of those organizations, the damage they suffered was irreversible; i.e., data was lost or exposed, or they experienced some amount of downtime.
“Traditionally, investment in security has been concentrated at the two opposite ends of the attack cycle—either preventing malware from landing and executing or detecting and cleaning up the resulting infections when it does,” Crowe said. “Unfortunately, the point at which the largest percentage of organizations saw their protection fall down was at the pre-execution stage. Once malware was on a device, the solutions they had in place (AV, NGAV) weren't always able to stop it from executing.”
One of the biggest limitations attackers take advantage of is security tools' reliance on file scanning. Scanning forces pre-execution tools to predict whether a file is malicious based solely on its appearance, and appearance is something attackers can often alter or disguise.
Crowe noted that in light of these statistics, runtime protection might be the next area of innovation for the security community.
“Solutions designed to react to malicious activity in real time are relatively new, and shouldn't be confused with solutions designed to detect and respond to damage and other indicators of compromise. True runtime protection blocks malware in the process of executing, before compromise has taken place,” he said. “Knowing that they can't completely count on blocking malware before it executes, organizations need to make sure they have additional protection in place that can respond to and block malware in the moment as it's attempting to do something malicious. Blocking malware during runtime represents the last opportunity organizations have to stop an attack before damage is done.”
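To make the distinction drawn in the last two paragraphs concrete, here is an added Python example: a pre-execution check that decides purely from a file's appearance, next to a runtime monitor that decides from what the running process actually does and stops it at the first rule hit, before the rest of the damage happens. This is not Barkly's code or any product's logic; the deny-list hash, the process event stream, the "mass document write" rule and its threshold of five are all constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Stage 2 (pre-execution): verdict from file appearance only.
# The deny list holds the hash of a constructed sample, standing in for a
# signature database. Real scanners use many more features, but the core
# limitation is the same: the verdict is made from the bytes as they look.
KNOWN_BAD_SAMPLE = b"constructed-malware-sample-v1"
KNOWN_BAD_SHA256 = {hashlib.sha256(KNOWN_BAD_SAMPLE).hexdigest()}


def pre_execution_verdict(file_bytes):
    """Return 'block' if the file's SHA-256 is on the deny list, else 'allow'."""
    digest = hashlib.sha256(file_bytes).hexdigest()
    return "block" if digest in KNOWN_BAD_SHA256 else "allow"


# Stage 3 (runtime): verdict from behaviour, regardless of what the file
# looked like on disk. Constructed event stream: (pid, action, target).
RUNTIME_EVENTS = [
    (4242, "process_start", "C:/Users/alice/Downloads/invoice.exe"),
    (4242, "file_write", "C:/Users/alice/Documents/q3.docx"),
    (4242, "file_write", "C:/Users/alice/Documents/budget.xlsx"),
    (4242, "file_write", "C:/Users/alice/Documents/notes.txt"),
    (4242, "file_write", "C:/Users/alice/Documents/plan.pptx"),
    (4242, "file_write", "C:/Users/alice/Documents/contracts.pdf"),
    (4242, "file_write", "C:/Users/alice/Documents/photos.zip"),
    (4242, "file_write", "C:/Users/alice/Documents/archive.tar"),
    (1337, "process_start", "C:/Program Files/Editor/editor.exe"),
    (1337, "file_write", "C:/Users/alice/Documents/q3.docx"),
]

# Behaviour rule (constructed): one process rewriting many user documents in
# a row is suspicious whatever binary it came from.
MASS_WRITE_THRESHOLD = 5


def runtime_monitor(events, threshold=MASS_WRITE_THRESHOLD):
    """Replay events in order and block a process the moment a rule fires.

    Returns {pid: {"blocked_at_event": index or None, "writes_allowed": n}}
    so the caller can see how much happened before the block. The write that
    trips the rule is itself intercepted and counted as blocked.
    """
    writes = defaultdict(int)
    state = defaultdict(lambda: {"blocked_at_event": None, "writes_allowed": 0})
    for index, (pid, action, target) in enumerate(events):
        if state[pid]["blocked_at_event"] is not None:
            continue  # process already stopped; its later events never happen
        if action == "file_write" and "/Documents/" in target:
            writes[pid] += 1
            if writes[pid] >= threshold:
                state[pid]["blocked_at_event"] = index
                continue
            state[pid]["writes_allowed"] += 1
    return {pid: dict(s) for pid, s in state.items()}


if __name__ == "__main__":
    # The exact sample is caught; the same sample with one extra byte is not,
    # because the appearance-based verdict has nothing else to go on.
    print("original sample:", pre_execution_verdict(KNOWN_BAD_SAMPLE))
    print("altered sample: ", pre_execution_verdict(KNOWN_BAD_SAMPLE + b"\x00"))
    # The runtime rule fires on the fifth document write of pid 4242 and
    # leaves the legitimate editor (pid 1337) alone.
    for pid, result in runtime_monitor(RUNTIME_EVENTS).items():
        print(pid, result)
```

The two verdicts are deliberately independent: the file that reaches stage 3 may well be one stage 2 allowed, and the monitor's only input is the sequence of actions. The returned `writes_allowed` count is the practical measure Crowe's point turns on: the earlier the rule fires, the less of the damage stage is ever reached.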