Story: Research reveals stalemate in 'IT security war'

Posted by: Mel Morris (Wednesday 19 April 2006, 11:25 PM)

Security Vendors are stretched in three critical areas:

1. Conventional Malware Research is failing to cope with the volume of malcode. This is because so much of today's cyber attacks are utilising personalised executables. In some cases an attack will morph each occurrence of its payload. One AV company recently shared with me that they issued more signatures in 2005 than in the previous 10 years combined. Security Vendors' research teams and technologies are already stretched beyond their design limits. Security Vendors must evolve new, automated detection techniques quickly to stand any chance of regaining control.

2. Today's end-point products lack enough self-protection and industrial-strength clean-up capabilities to prevent disablement by powerful targeted malware which employs the latest persistence technologies such as Winlogon/Notify and Kernel Rootkits.

3. Since inception, Security Products have been focused on protection against known attacks. Host Intrusion Prevention technologies have shown promise, but most implementations have been softened to avoid the management and disruption costs that false positives have inflicted on the user experience. Many products now need Security Consultants to configure these technologies to achieve a compromise between protection and user disruption.
Security Products must monitor all software activity. Only then can we tell which systems were infected and when. Today's UTM approaches are very poor with 90% focus on known threats. The balance needs to shift towards finding new threats through end-point telemetry and automated malware detection, analysis and determination.

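The Winlogon/Notify persistence point named in the comment above is a registry location a defender can audit directly. The following PowerShell check is an added example, not code from the original post or from the commenter; it assumes the XP/2003-era Notify key layout (one subkey per package with a `DLLName` value) and treats a DLL that is missing from disk or resolves outside `%SystemRoot%` as the condition to flag.

```powershell
# Added example: enumerate Winlogon Notify packages and flag DLLs that do not
# exist on disk or do not live under the Windows directory. Run elevated.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$winDir    = $env:SystemRoot

function Get-WinlogonNotifyPackages {
    if (-not (Test-Path $notifyKey)) { return @() }   # key absent on newer Windows

    Get-ChildItem $notifyKey | ForEach-Object {
        $props = Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue
        $dll   = $props.DLLName

        # Assumption for this check: a bare file name is treated as if it were
        # loaded from System32; a rooted path is taken as written.
        $resolved = if ($dll -and -not [IO.Path]::IsPathRooted($dll)) {
            Join-Path "$winDir\System32" $dll
        } else {
            $dll
        }

        $onDisk   = [bool]($resolved -and (Test-Path $resolved))
        $inWinDir = [bool]($resolved -and ($resolved -like "$winDir\*"))

        [pscustomobject]@{
            Package    = $_.PSChildName
            DllName    = $dll
            Resolved   = $resolved
            Exists     = $onDisk
            Suspicious = -not ($onDisk -and $inWinDir)   # missing or outside %SystemRoot%
        }
    }
}

# Suspicious entries first; an empty table means no Notify packages registered.
Get-WinlogonNotifyPackages | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Entries flagged here are candidates for review against a known-good baseline, not proof of compromise; legitimate packages such as those shipped with Windows also register under this key.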