For the first time, NTT has pooled the resources of its group companies and produced a threat report based on an analysis of 3 billion attacks. What it found is that while attackers move faster than defenders, and there are still many basic processes and procedures that companies are failing to implement.
For example, while Target had some good security prior to its breach in 2013, it "failed to observe some basic security controls, including maintaining appropriate network segmentation, an active patch management process and an event response process." Problems include a failure by business to adapt to the changing threat landscape fast enough, and a failure to implement – or in some cases, make use of – the new security controls that are becoming available.
Two key elements are that business does not respond to security issues fast enough, while criminals adapt their own techniques with great speed. For example, criminals are expert at creating new and adapting old malware to defeat anti-virus products. The reportsuggests that 54% of malware designed to take over a compromised systems went undetected by the anti-virus solutions used, while 71% of data theft malware was similarly undetected. NTT Group does not suggest that anti-virus is no longer necessary, but that this perimeter defense needs to augmented by internal network defense.
Target had actually done just that and installed FireEye software. This software worked in that it detected the breach, but Target managementappears to have ignored the warnings or simply reacted too slowly.
Another area in which defense is laggardly is in patch management. 50% of the vulnerabilities detected in scans during 2013 were assigned CVE classification between 2004 and 2011. "This," says the report, "indicates a massive gap between the detection and remediation phases of VLM, indicating failure of a basic security control." But while business is slow to protect old vulnerabilities, the criminals are not slow in exploiting new ones. "Research indicates exploit kit developers are pruning older exploits and favoring newer ones, as 78% of current exploit kits are taking advantage of vulnerabilities less than two years old." The result is a continuing gap between attack and defense.
NTT makes four primary proposals. Firstly, companies should still protect their perimeter, even thought that perimeter is continuing to change and shrink. The primary tool here is still up-to-date anti-virus. Although this would seem to be a given, NTT notes that "43% of incident response engagements were the result of malware against a particular end point," and that significant factors "were missing basic controls, such as anti-virus, anti-malware and effective lifecycle management."
Secondly, patch management needs to be improved. While accepting that this is not easy, and that "timely installation of every patch on every system is often impractical," the report stresses that companies must be aware of the issues "and need to ensure they are prioritizing countermeasures against these exploits."
Thirdly, business needs to define and test incident response. "Too many organizations have untested, immature or non-existent incident response programs. This makes them unprepared for the inevitable attack." Appropriate incident response, it says, "is critical to minimize the impact of security breaches."
But none of this will be enough on its own. So, fourthly, business must learn to be as fast in exploiting new defense technologies as criminals are in exploiting new attack vectors. "The speed of exploit weaponization is increasing," says NTT, "and may surpass an organization’s ability to respond quickly and effectively (if it has not already). New technologies include capabilities such as application isolation techniques, micro VMs, sandboxing and machine learning. These technologies focus on application control and isolation, incident containment and rapid detection via behavioral analytics, are likely to grow in importance. These technologies assume the perimeter will fall and compromise is inevitable, and while some preventive techniques can help, the best defensive approach is to limit exposure and detect (and respond to) incidents quickly."