Cyber threats and the entire nature of IT security are moving at a blistering pace. As attacks get more sophisticated and targeted, some previously effective defenses are not what they were – or have become completely ineffective against attacks. Here are three outdated methods of protection, and why they are no longer enough. (For background reading, check out The New Face of 21st Century Cyberwarfare.)
Next-Generation Firewalls (NGFW)
Historically, next-generation firewalls (NGFW) have used an application-centric approach to classify network traffic in an effort to stop malware and other attacks. However, NGFWs have proven ineffective against advanced attacks. That is because the heart of NGFW technology is a basic configuration of IPS signatures, anti-virus software, URL blacklists and reputation analysis. Each of these is reactive in nature and has proved unable to stop advanced threats.
Makers of NGFW technology are beefing up their products with additions like cloud-based analysis of binaries and DLLs, as well as hourly updates to the firewall signature set. The problem is that these options still leave plenty of time for malware to cause damage.
Anti-Virus Software
In the face of zero-day and advanced persistent threat (APT) attacks that exploit unknown vulnerabilities, anti-virus is all but helpless in preventing modern cyber threats. Some research suggests that 90 percent of malware binaries morph within an hour, allowing them to sneak past anti-virus software that relies on signature-based detection and on updates that lag behind by hours, days or weeks, depending on the update frequency.
This lag time represents a golden opportunity for malware to propagate from the initial systems it infects. The window is also long enough for the malware to install other infections, including password crackers and keyloggers that embed themselves deeply in the compromised host system.
At this point, removal becomes increasingly difficult. So why do IT security professionals keep anti-virus software as a trusted part of overall security? These days, anti-virus is often used as a complementary system, or a "first line" of defense, in conjunction with larger, more advanced systems. The anti-virus captures the "low-hanging fruit," which includes older, known malware with existing signatures, while more robust malware protection systems catch the advanced malware that gets missed.
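To make the layering concrete, here is an added example (not code from the original article or from any anti-virus vendor) showing why an exact signature misses a morphed file and how a second, similarity-based layer still recognises it. The "malware" is a constructed pseudo-random byte string, the variant differs from it by a single flipped bit, and the similarity layer is a deliberately simple n-gram hashing scheme of my own that stands in for the fuzzy-hashing tools real products use; the threshold of 0.8 is an assumed tuning value.

```python
import hashlib
import random
from typing import Dict, Set

# Constructed sample bytes standing in for a known malicious binary, a morphed
# variant of it, and an unrelated benign file. None of this is real malware;
# the "binary" is deterministic pseudo-random filler.
_rng = random.Random(7)
KNOWN_SAMPLE = b"loader-stub-v1:" + bytes(_rng.getrandbits(8) for _ in range(1024))
_variant = bytearray(KNOWN_SAMPLE)
_variant[100] ^= 0x01                     # one flipped bit, as a repacker might produce
VARIANT = bytes(_variant)
BENIGN = b"Quarterly report: revenue, expenses and headcount by region.\n" * 20


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: exact-match signatures, the model behind classic anti-virus updates.
SIGNATURES: Set[str] = {sha256_hex(KNOWN_SAMPLE)}


def window_hashes(data: bytes, n: int = 8, step: int = 4) -> Set[int]:
    """Hash every n-byte window taken every `step` bytes. Two files that share
    most of their content share most of these hashes; that is the idea behind
    similarity hashing, here in a simplified form for illustration."""
    out: Set[int] = set()
    for i in range(0, len(data) - n + 1, step):
        digest = hashlib.blake2b(data[i:i + n], digest_size=8).digest()
        out.add(int.from_bytes(digest, "big"))
    return out


# Layer 2: per-family similarity profiles built from samples already analysed.
FAMILY_PROFILES: Dict[str, Set[int]] = {"loader-stub": window_hashes(KNOWN_SAMPLE)}


def jaccard(a: Set[int], b: Set[int]) -> float:
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def scan(data: bytes, threshold: float = 0.8) -> Dict[str, object]:
    """Run both layers and report what each concluded about the file."""
    hashes = window_hashes(data)
    best_name, best_score = None, 0.0
    for name, profile in FAMILY_PROFILES.items():
        score = jaccard(hashes, profile)
        if score > best_score:
            best_name, best_score = name, score
    return {
        "exact_match": sha256_hex(data) in SIGNATURES,           # layer 1
        "family": best_name if best_score >= threshold else None,  # layer 2
        "similarity": best_score,
    }


if __name__ == "__main__":
    for label, blob in (("known sample", KNOWN_SAMPLE),
                        ("morphed variant", VARIANT),
                        ("benign file", BENIGN)):
        print(f"{label:16} -> {scan(blob)}")
```

Running it shows the exact layer flagging only the original sample, while the similarity layer scores the one-bit variant well above the threshold and the benign file at zero. In a real deployment the second layer is where behavioural analysis, fuzzy hashing or machine-learned classifiers sit; the point is that the exact-signature layer is cheap and precise but must be backed by something that tolerates change.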
Web Gateways
The cybersecurity industry has given us a legacy of pattern-matching that was once intended to augment port-based blocking and remove the limits of signature- and list-based security products. Web gateways employ these same technologies.
Web gateway technology uses databases and lists of known "bad" URLs, but does not take today's real, evolving threats into account. As cyberattacks have evolved to render gateways ineffective, policy enforcement and low-level security are about the only value that Web gateways still bring to the security table. The dynamic nature of malware delivery and communication renders lists of "bad" websites and URLs obsolete.
Ironically, as Web gateways gained worldwide adoption, they became somewhat obsolete in terms of security. Web gateway technology still has some use by enforcing corporate rules that limit or restrict Web browsing, but when it comes to protecting against sophisticated attacks, Web gateways have a marginal role at best.
From Major to Minor
While there's no denying that these three technologies still play some role in protecting networks against cyber threats, the evolved, next-generation attacks that we see today have reduced them to minor parts of more advanced defenses.
One technology that is effective at protecting against advanced malware is the stateful firewall, which is something of a cross between a packet filter and the application-level intelligence gained through a proxy. This is just one of a number of technologies that have replaced, or picked up the slack of, some of the older technologies – at least for now. Of course, cyber threats continue to evolve, which means that attempts at protection must evolve along with them.
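The difference between a packet filter and a stateful firewall is easiest to see with connection tracking spelled out. The following is an added example written for this article, not code from any firewall product: it models a stateless filter that judges each packet on its own header, beside a minimal stateful firewall that only admits inbound packets belonging to a flow an internal host opened and that has completed the expected handshake. The packets, the 10.0.0.0/8 "internal" network and the documentation-range external addresses are all constructed for the walk-through, and the TCP state machine is simplified to the states the example needs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

INTERNAL_PREFIX = "10.0.0."   # assumed internal network for the walk-through


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "FA", "R"

    @property
    def outbound(self) -> bool:
        return self.src.startswith(INTERNAL_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """A plain packet filter judges one packet at a time. The classic rule for
    'replies only' is to accept inbound packets carrying ACK, but an unsolicited
    packet can set that bit too, so the rule proves little about the packet."""
    if pkt.outbound:
        return True
    return "A" in pkt.flags


FlowKey = Tuple[str, int, str, int]  # (internal host, port, external host, port)


class StatefulFirewall:
    """Connection tracking: inbound traffic is accepted only when it matches a
    flow an internal host opened and the flow has progressed through the
    handshake the firewall expects. States: SYN_SENT, ESTABLISHED, CLOSING."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}

    @staticmethod
    def key(pkt: Packet) -> FlowKey:
        if pkt.outbound:
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt: Packet) -> bool:
        key = self.key(pkt)
        state = self.flows.get(key)
        if "R" in pkt.flags:                 # a reset tears the flow down from either side
            self.flows.pop(key, None)
            return state is not None
        if pkt.outbound:
            if state is None:
                if pkt.flags == "S":         # internal host opens a new connection
                    self.flows[key] = "SYN_SENT"
                    return True
                return False                 # outbound data with no flow: drop
            if state == "ESTABLISHED" and "F" in pkt.flags:
                self.flows[key] = "CLOSING"
            return True
        if state is None:                    # inbound, nobody inside asked for it
            return False
        if state == "SYN_SENT":              # only a SYN/ACK completes the handshake
            if pkt.flags == "SA":
                self.flows[key] = "ESTABLISHED"
                return True
            return False
        return True                          # ESTABLISHED or CLOSING: reply traffic


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Feed a constructed packet sequence through both filters.
    Returns {description: (stateless verdict, stateful verdict)}."""
    fw = StatefulFirewall()
    steps: List[Tuple[str, Packet]] = [
        ("client SYN to web server",        Packet("10.0.0.5", 40000, "203.0.113.10", 443, "S")),
        ("server SYN/ACK reply",            Packet("203.0.113.10", 443, "10.0.0.5", 40000, "SA")),
        ("client ACK, handshake done",      Packet("10.0.0.5", 40000, "203.0.113.10", 443, "A")),
        ("server data segment",             Packet("203.0.113.10", 443, "10.0.0.5", 40000, "A")),
        ("unsolicited inbound with ACK set", Packet("198.51.100.7", 12345, "10.0.0.5", 22, "A")),
        ("inbound SYN to internal ssh",     Packet("198.51.100.7", 12346, "10.0.0.5", 22, "S")),
        ("server FIN",                      Packet("203.0.113.10", 443, "10.0.0.5", 40000, "FA")),
    ]
    results: Dict[str, Tuple[bool, bool]] = {}
    for desc, pkt in steps:                  # order matters: the firewall keeps state
        results[desc] = (stateless_filter(pkt), fw.process(pkt))
    return results


if __name__ == "__main__":
    print(f"{'packet':34} stateless  stateful")
    for desc, (sl, sf) in run_scenario().items():
        print(f"{desc:34} {'allow' if sl else 'drop':9}  {'allow' if sf else 'drop'}")
```

Both filters agree on the legitimate handshake and on the inbound SYN to port 22, but the packet that merely claims to be a reply by setting ACK sails through the stateless filter and is dropped by the stateful one, because no internal host ever opened a flow to 198.51.100.7. That memory of who initiated what is the packet-filter half of the "cross" the text describes; the proxy half would add inspection of the application data inside the admitted flows.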