New survey data offers a glimpse at just how far down the attack cycle today's malware is getting, highlighting breakdowns in protection at several stages.
As far as security terminology goes, the word "protection" is about as broad and ambiguous as it gets. It can refer to things as disparate as antivirus, backup, or even cyber insurance. As a result, while it's certainly easy for companies to keep stacking on more and more "protection," it can be difficult to determine how the various pieces work together, let alone to make sure each one protects you in a different, complementary, non-redundant way.
To help bring a little clarity to the hazy "protection" picture, we encourage companies to break down their stacks by mapping their current security solutions to the four primary stages of the attack cycle:
- Delivery (companies obviously want something in place to prevent malware from getting onto their devices in the first place)
- Pre-execution (the goal is to prevent malware on a device from running)
- Runtime (as malware attempts to execute, the goal is to identify and block it before damage can be done)
- Post-damage (the goal at this point is to contain, clean up, and recover from the attack)
Which stage(s) are companies best prepared to address? What types of "protection" are they prioritizing? And how is what they have holding up at each stage of the attack cycle against today's modern malware?
To find out, we surveyed IT managers and system admins at small and medium-sized businesses and asked them to tell us about their security stacks and their experiences with attacks. Here's what we found.
Complete Coverage...in Theory
4 out of 5 companies say they have protection that addresses each stage of the attack cycle
- 94% reported they had security designed to prevent malware delivery (e.g. firewalls)
- 84% reported they had security designed to prevent malware execution (e.g. antivirus and next-generation antivirus)
- 82% reported they had security designed to block malware in the process of executing in real time (e.g. runtime malware defense)
- 86% reported they had security designed to mitigate and/or clean up damage from malware (e.g. backups)
Those stats are certainly encouraging, but even with the vast majority of companies reporting comprehensive coverage across these stages, attacks are still getting through and causing damage.
Where (or When) Protection is Breaking Down
1 in 4 organizations suffered an attack that got past all their security solutions and caused damage
The breakdown below reflects how far along attacks against the organizations in our survey group were able to get before they were blocked. As these numbers show, implemented security is not necessarily effective security.
Here is the breakdown of organizations that experienced the following over the previous 12 months:
- Malware was delivered: 47 percent of organizations
- Delivered malware was executed: 37 percent of organizations
- Executed malware caused damage: 25 percent of organizations
- Damage was irreversible: 14 percent of organizations
For nearly half the organizations, security designed to prevent malware delivery was bypassed
Despite having protection in place designed to prevent the delivery of malware, nearly half the organizations we surveyed reported that malware had in fact landed on one or more of their machines.
79 percent of those organizations had their pre-execution security bypassed, as well
To make matters worse, once malware was successfully delivered, it doesn't appear that solutions designed to prevent malware from executing (antivirus, NGAV, etc.) were able to reliably hold up. Nearly four out of five respondents who had their delivery protection bypassed also saw their pre-execution protection fail at least once.
Two-thirds of those organizations suffered damage from the malware executing successfully
Despite reporting that they had some form of protection designed to stop malware during runtime, 68 percent of the organizations that saw malware reach that point went on to suffer damage from it.
Only a third were able to block all malware that was in the process of executing before damage was done.
For over half those organizations, the damage they suffered was irreversible
In total, 25 percent of survey respondents reported they had experienced at least one attack that managed to bypass all three layers of security — delivery, pre-execution, and runtime — designed to prevent malware infections.
For 56 percent of those respondents, one or more of the attacks resulted in damage that their "post-damage" solutions weren't able to help them recover from. Data was lost or exposed, or they experienced some amount of downtime.
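The conditional figures above (79, 68 and 56 percent) follow from the overall stage percentages: each one is the share of organizations whose attack reached a stage, divided by the share whose attack reached the stage before it. The following Python is an added example, not part of the original article or Barkly's own tooling; it takes the furthest attack-cycle stage reached by the worst incident at each organization over a period, reproduces both views of the funnel, and flags the layer with the highest bypass rate. The organization outcomes are constructed so the totals match the survey figures; a security team could feed it the same "furthest stage reached" classification from its own incident records to see where its stack breaks down.

```python
from collections import Counter

# Attack-cycle milestones in order, matching the article's four
# "how far did the attack get" stages.
STAGES = ["delivered", "executed", "damaged", "irreversible"]

# Constructed sample (not survey data): furthest stage reached by the worst
# incident at each of 100 hypothetical organizations over a year. None means
# every attempt was blocked at the delivery stage. The counts are chosen so the
# cumulative totals equal the survey's 47 / 37 / 25 / 14 percent.
CONSTRUCTED_OUTCOMES = (
    [None] * 53
    + ["delivered"] * 10
    + ["executed"] * 12
    + ["damaged"] * 11
    + ["irreversible"] * 14
)


def reached_at_least(outcomes):
    """Number of organizations whose worst incident got at least as far as each stage."""
    furthest = Counter(outcomes)
    reach = {}
    for i, stage in enumerate(STAGES):
        # An organization whose incident stopped at a later stage also passed this one.
        reach[stage] = sum(furthest[s] for s in STAGES[i:])
    return reach


def stage_shares(outcomes):
    """Percentage of all organizations affected at each stage (the survey's first list)."""
    reach = reached_at_least(outcomes)
    total = len(outcomes)
    return {stage: round(100 * reach[stage] / total) for stage in STAGES}


def bypass_rates(outcomes):
    """Conditional rate per transition: of the organizations whose attack reached one
    stage, the percentage that saw it reach the next. This is the failure rate of the
    protection layer guarding that transition (pre-execution, runtime, post-damage)."""
    reach = reached_at_least(outcomes)
    rates = {}
    for prev, nxt in zip(STAGES, STAGES[1:]):
        key = f"{prev}->{nxt}"
        rates[key] = round(100 * reach[nxt] / reach[prev]) if reach[prev] else 0
    return rates


def weakest_layer(outcomes):
    """The transition with the highest bypass rate, i.e. the layer failing most often."""
    rates = bypass_rates(outcomes)
    return max(rates, key=rates.get)


if __name__ == "__main__":
    print("share of organizations reaching each stage:", stage_shares(CONSTRUCTED_OUTCOMES))
    print("bypass rate per protection layer:", bypass_rates(CONSTRUCTED_OUTCOMES))
    print("weakest transition:", weakest_layer(CONSTRUCTED_OUTCOMES))
```

On the constructed input the weakest transition is delivered to executed, which is the pre-execution layer the article singles out below; on real incident data the function answers the same question for your own stack.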
Addressing the Need for Better Security at Each Stage of the Attack Cycle
Traditionally, investment in security has been concentrated at the two opposite ends of the attack cycle — either preventing malware from landing and executing or detecting and cleaning up the resulting infections when it does.
As these responses indicate, however, organizations are still struggling to adopt security that can provide them with comprehensive coverage against either one of those scenarios.
The fact that, despite their best efforts, roughly half of organizations are still seeing malware land on their machines puts more pressure on them to strengthen their ability to identify and block malware once it's there.
That roughly half of the organizations experiencing successful infections are suffering irreversible damage (despite investment in backup) provides additional urgency.
Weakest link: Pre-execution protection
Unfortunately, the point at which the largest percentage of organizations saw their protection fall down was at the pre-execution stage. Once malware was on a device, the solutions they had in place (AV, NGAV) weren't always able to stop it from executing.
Attackers have had years and years to become acquainted with pre-execution defenses and develop techniques for evading detection. One of the biggest limitations attackers take advantage of is the reliance of these tools on file scanning. It essentially forces pre-execution tools to make a prediction as to whether or not a file is malicious based solely on its appearance (which attackers can often alter or disguise).
Knowing that they can't completely count on blocking malware before it executes, organizations need to make sure they have additional protection in place that can respond to and block malware in the moment as it's attempting to do something malicious.
Biggest opportunity: Runtime protection
Blocking malware during runtime represents the last opportunity organizations have to stop an attack before damage is done.
Solutions designed to react to malicious activity in real time are relatively new, and shouldn't be confused with solutions designed to detect and respond to damage and other indicators of compromise. True runtime protection blocks malware in the process of executing, before compromise has taken place.
The failure rates indicated in the survey responses underscore a crucial opportunity for improvement here. And as Barkly co-founder Jack Danahy explains, this is where a lot of industry attention is shifting.
"Experienced security teams know that not every piece of malicious software can be caught in advance, and they know that cleaning up after an event is painful and often incomplete. As a result, runtime malware defense is the next area of hardening that both vendors and their customers are focusing on."
— Jack Danahy, co-founder and CTO at Barkly
You'll never find a single solution that's a silver bullet for preventing all infections, but ensuring you're making it difficult for malware to progress at each step along the attack cycle is the next best thing.
To learn more about how companies are improving their runtime protection see our Complete Guide to Runtime Malware Defense.
Feature photo by QuidoX