Recently, one of our clients was hit with a zero-day virus. A user opened an email containing an executable file that had a PDF icon. The malware immediately emailed itself to everyone in the unsuspecting user’s address book, spreading rampantly throughout the organization. The virus made its way to another organization that our client had done business with and proceeded to infect them as well. This happened in a matter of minutes.
Fortunately for our client, they were subscribed to GCSIT Managed Endpoint Security Service. The client made a call to our helpdesk describing the situation and we obtained a copy of the malicious executable for analysis. A quick check of the executable revealed that only 4 out of 50+ anti-virus vendors had identified the malware previously.
Our helpdesk engineers immediately uploaded the file to our technology partner and within 15 minutes of initial notification, detection and mitigation processes were deployed to our client’s environment through our remote management agents and cleanup was under way.
As for the other organization that was infected, their anti-virus vendor did not detect the malware and days were spent trying to clean it up. They eventually enrolled in our Managed Endpoint Security Service and we were able to clean up the infection and provide continuous monitoring at less cost than they were previously paying to their anti-virus vendor.
“Anti-virus is dead,” says Brian Dye, Symantec’s senior vice president for information security, in a Wall Street Journal interview in May 2014. The reality is that traditional anti-virus will identify about 30% of malware. The speed at which new exploits are discovered, and the ease with which malware writers can change their code, make it impossible for signature-based malware detection to be effective on its own.
Combating today’s malware requires a multi-faceted approach. Controls every organization should implement at a minimum include:
1 Anti-Virus
Of course you have to have anti-virus. Traditional anti-virus will catch the known low-hanging fruit, but a more advanced, fully managed solution will greatly enhance your ability to detect and respond to zero-day threats. Anti-malware solutions should have the capability to analyze executables for malicious activity, not just match a known signature. GCSIT’s managed solution runs unknown executable files in a sandbox environment to determine whether the activities performed by the executable could potentially be malicious. If so, the files are quarantined for further analysis. Further, when a system is found to be infected, it can be rolled back to a prior, uninfected state.
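The lure in the incident above, an executable dressed up as a PDF, is the kind of thing a gateway or endpoint check catches by looking at content rather than the file name or icon. This is an added example, not GCSIT’s or any vendor’s code: it uses only the Python standard library to sniff magic bytes and flag name/content mismatches and double extensions on a constructed message (the file names, addresses and bytes are made up; the PE stub carries no code).

```python
import email
from email import policy
from email.message import EmailMessage

# Magic-byte table for the container types this check cares about.
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

def sniff(data: bytes) -> str:
    """Classify content by its leading bytes, ignoring name and icon."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Return findings for one attachment; an empty list means nothing flagged."""
    findings = []
    exts = ["." + p for p in filename.lower().split(".")[1:]]
    last = exts[-1] if exts else ""
    if last in EXEC_EXT:
        findings.append(f"executable attachment ({last})")
    if sniff(data) == "pe-executable" and last not in EXEC_EXT:
        findings.append(f"PE executable disguised as '{last or 'no extension'}'")
    if len(exts) >= 2 and exts[-2] in DOC_EXT and last in EXEC_EXT:
        findings.append("double extension: document name hiding an executable")
    return findings

def triage_message(raw: bytes) -> dict[str, list[str]]:
    """Parse an RFC 822 message and triage every attachment it carries."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        results[name or "(unnamed)"] = triage_attachment(name, part.get_payload(decode=True) or b"")
    return results

def build_sample() -> bytes:
    """Constructed test message: two lures and one benign PDF (no real malware)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # PE header stub only, no code
    msg.add_attachment(fake_pe, maintype="application", subtype="pdf", filename="Invoice.pdf")
    msg.add_attachment(fake_pe, maintype="application", subtype="octet-stream", filename="Report.pdf.exe")
    msg.add_attachment(b"%PDF-1.4\n%%EOF\n", maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()

if __name__ == "__main__":
    for name, hits in triage_message(build_sample()).items():
        print(name, "->", hits or ["clean"])
```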
2 Advanced Threat Detection
Every organization is at risk from unknown attacks. Firewalls, IPS, gateways, and AV solutions are completely defenseless against unknown threats, known as advanced targeted attacks. Conventional security controls detect threats too late (if at all) and resolve them too slowly. Advanced threat detection requires a combination of technology, intelligence, and expertise, reinforced by an aggressive incident response team.
GCSIT has recently entered into a partnership with FireEye to provide advanced threat detection and protection. With FireEye, you’ll detect attacks as they happen. You’ll understand the risk these attacks pose to your most valued assets, and you’ll have the resources to quickly respond to and resolve security incidents. The FireEye Global Defense Community includes more than 2,700 customers across 67 countries, including over 157 of the Fortune 500. FireEye dynamically analyzes advanced malware in real time. Suspicious payloads (web objects, email attachments, etc.) are detonated within a hardened virtual environment, identifying and responding to threats as they occur, not after the fact. FireEye:
- Protects across web, email, file and mobile vectors as well as latent malware on file shares
- Addresses all stages of advanced attacks by protecting against inbound attacks, outbound callbacks, and malware executable downloads
- Uses multi-flow analysis to understand the full context of advanced attacks; point products see only a single attack flow, but advanced persistent threats (APTs) continue
- Shares threat data in real time, locally and globally, via the Dynamic Threat Intelligence Cloud
3 Have a Plan
95% of organizations have suffered a data breach. The median number of days that attackers are present on a victim network before detection is 243. Do you feel you have the right tools, people, and processes to protect, detect, respond, and contain attacks? Having an incident response plan is critical when (not if) you suffer a breach. Having a well-defined and rehearsed incident response plan will help you contain, assess, eradicate, and respond to a security breach. Key components to an incident response plan include:
- Formalize an incident response team composed of key personnel from IT, legal, HR, finance, and executive leadership. The purpose of the incident response team is to direct the response, analysis, and mitigation efforts; document actions taken during a breach response; act as an intermediary between C-level executives and other team members; manage timelines; and identify the budget and resources necessary, among other things.
- Have a call list. Include key personnel, technology partners, and an organization like GCSIT with expertise in incident response and forensic analysis. Upon discovery of a breach, engaging someone with forensic expertise will help you determine your response path. A forensic analyst will be able to help you collect and analyze evidence as well as determine the extent of the breach.
- Document everything. Someone from your incident response team should be designated to document activities during a breach response. Documentation is critical, especially so that personnel who weren’t involved in the initial response activities can be brought up to speed quickly.
- Test your ability to recover from a breach. This can be accomplished through tabletop exercises and will help identify gaps in your incident response process. Incident response plans should be tested and revised annually.
Security incidents will happen. By implementing appropriate controls within your organization and regularly testing those controls, you’ll greatly minimize the impact of a data breach, if not prevent it entirely. Through our highly experienced technical staff and best-of-breed partner network, GCSIT has the tools and talent to identify and implement appropriate controls for your unique environment.
Contact us today for more information on how we can help you remain productive and protect your valuable assets.