Friday, 3 February, 2023
IT Security Guru

ZScaler: Eyes on the prize means the standard attack is missed

by The Gurus
June 9, 2014
in Editor's News

The eye is often so firmly on advanced and targeted threats, that basic malware is missed and therefore often succeeds.
 
Manoj Apte, SVP at Zscaler, told IT Security Guru that companies may say that they have every kind of security feature available, but if a security operations centre (SOC) team is doing things that they shouldn’t be bothered about and are inundated with other things, then the business will consequently suffer.
 
“They say: we have a proxy, we have the best firewall, the best anti-virus from the best company, a SIEM solution and FireEye watching our security, so there’s no problem on the network security front,” he said. “But usually when any large website has a hack, it all comes down to the desktop of the user, since in-line devices do not scan.”
 
Apte said that eventually the SOC team will narrow disruptions down to a case of ‘silly malware that should have been blocked by in-line devices’. He said: “The SOC team is worked down to doing things they shouldn’t be bothered about while they are inundated with other things. In-line security is not good enough as you will get so many alerts that it is impossible to figure out what is the more important part. That is what happens in every enterprise today.”
 
Apte said that environments should identify and block these sorts of things in order to focus on what is bigger and more dangerous to avoid. He said that the SOC has to decide what to block and show what has been logged, but they often get bogged down as they cannot keep up, and log management is often badly tuned and configured.
 
He said: “If security equipment tried to detect everything, it will slow everyone down as there are too many things to look at. Because IT is under-funded and resourced, often technology is configured this way. It has four or six proxy boxes and we say inspect more, as you can only go for class A or class B, but class B will still cause you problems, and we still see Conficker still trying to call home.”
 
CISO Amar Singh told IT Security Guru that in principle, he fully supports the argument. “I would prefer to have as much class A, B and C malware etc dealt with by the likes of ZScaler before it comes anywhere close to my corporate cyber space,” he said. “Depending on my organisation’s risk appetite, (defence etc) I can then employ specialist security tools to deal with what manages to get through.”
 
Commenting, Brian Honan, CEO of BH Consulting, said that companies do struggle with resources for information security and those teams have to manage with what they have.
 
“However, I do not agree with the statement ‘that if security equipment tried to detect everything, it will slow everyone down as there are too many things to look at’, then this is a failure not of the technology, but of the ability of the CISO to communicate information security risk effectively to senior management and the board or the CISO is not managing their budget effectively,” he said.
 
“If the head of sales were to ignore ‘class B’ sales leads and only chase the ‘class A’ leads they would soon lose their job, or move to an organisation that would give them the resources to chase all sales leads. Similarly, a CISO that is not getting the full support of senior management needs to consider if they are working for the right organisation or if the problem is with their ability to deal with business issues.”
 
Asked if businesses keeping up with modern and more legacy malware is an issue, Honan said: “Many companies struggle to keep old malware at bay. But this is due to poor patching practices, older machines now being upgraded, or systems running out-of-date anti-virus, more than SOCs chasing the latest and greatest APT.”
