Security

Governments Require a Full Complement of Security Tools

IT managers say new sandbox and remediation tools offer a layer of protection that traditional anti-virus software can’t deliver.

Steve Zurier

Google+ Twitter

Steve Zurier is a freelance technology writer based in Columbia, Md.

When it comes to new security products, Vladislav Ryaboy follows the smart money in the cybersecurity community.

“I found that the signature-based anti-virus tools had become useless,” says Ryaboy, information security officer for the city of Miramar, Fla. After seeing a great deal of interest in the FireEye Malware Protection System, he deployed the product to detect and remediate advanced persistent threats (APTs) and zero-day exploits.

Ryaboy says the combination of FireEye with the Mandiant remediation system FireEye acquired offers Miramar the perfect mix of security tools. “It’s a tool that can detect and stop in its tracks — at least for the moment — this new generation of malware. And by automating much of the remediation we used to do, it reduces a great deal of our manual security tasks.”

In addition to gaining visibility into cyberattacks, the FireEye tools help the IT department clean up the network. “We have reduced the presence of adware and spyware,” Ryaboy says, which has also improved overall network performance.

3,294

The number of hits related to a recent zero-day exploit in Adobe Flash used in malvertisement attacks

SOURCE: TrendLabs Security Intelligence Blog, “Trend Micro Discovers New Adobe Flash Zero-Day Exploit Used in Malvertisements,” February 2, 2015

Frank Dickson, a research director for Frost & Sullivan who covers network security, says the city wisely came to the conclusion that they needed more protection than anti-virus software alone could provide.

“There’s a lot of talk now about organizations not needing anti-virus software,” Dickson says. “That’s not really the case. What IT staffs need are tools that complement and extend anti-virus. What’s different is that many of these new tools have been developed to detect and block the latest APTs and zero-day exploits.”

Defense in Depth

Bryant Bradbury, chief information security officer for the city of Seattle, agrees that traditional signature-based anti-virus software has rapidly become ineffective.

“Organizations can’t rely on anti-virus software as we did in the past,” Bradbury says. “It only offers a thin veil of protection. While it still has a place, its value is diminishing by the moment.”

Seattle supplements anti-virus with a full complement of security tools, including intrusion detection/protection, security information and event management, and log managers.

“Organizations should continue to think in terms of a layered defense,” Bradbury recommends. “For example, people often neglect log examinations and some of the industry experts I’ve talked with say some of the more recent breaches could have been prevented if logs were watched more closely.”

Key Product Considerations

Frank Dickson, a research director for Frost & Sullivan who covers network security, offers three questions IT managers should ask when selecting sandboxing and endpoint security tools to supplement anti-virus software.

1. Which devices do the tools support? Not all sandboxes or endpoint tools support every operating system. Ask the manufacturer which OSs it supports and make sure that support corresponds to what’s used on the network.

2. Which file types do the tools support? Possibilities include basic Microsoft Office apps, along with other types of executables, compressed files and Java files. Every network is unique.

3. How well do the tools respond to anti-evasion techniques? Hackers are clever and cunning. Hundreds of techniques have been developed to evade sandboxes. For example, some malware will check to see if the tools are running in a virtual environment, which would allow it to spread throughout systems.

venimo/ThinkStock