We are entering a new age of cyber threats and need to change our approach to cyber defence, according to Roger Thompson, chief emerging threats researcher at ICSA Labs.
“We need to stop relying on signature-based scanning systems,” Thompson told the second annual (ISC)2 Security Congress in Philadelphia.
There will probably always be a need for signature-based systems, but they cannot comprise the front-line of cyber defence anymore, he said, because such systems cannot be updated fast enough.
According to Thompson, most cyber threat labs are seeing an average of 300,000 malware samples a day, 70,000 of which are new and unique.
Most of these new threats are downloaders designed to bypass traditional, signature-based anti-malware systems, which then install the real payload.
For each preceding age of malware, there has been an extinction level event, said Thompson. For MsDos-based viruses, for example, the extinction level event was Windows 95.
“Organisations cannot be complacent because, for the current age of web exploits and cyber weapons, there is no extinction level event in sight,” Thompson said.
In the light of this fact, Thompson said information security professionals should change the way they are doing things. They should seek security systems with strong behaviour-detection capabilities as important components of a set of layered defences.
“Think of the defence layers as layers of Swiss cheese; each layer has holes in it, but with several layers, most – and possibly all – the holes will be covered,” Thompson said.
Thompson said ICSA is planning a new round of testing that will show how well existing anti-virus systems cope with downloaders.
He said this will help organisations choose security systems with strong behaviour-detection capabilities and encourage security suppliers to meet the real needs of their customers.
In 1993, organisations opted for signature-based systems and these have become entrenched, rather than integrity-management systems that pick up changes and behaviour-based detection systems, said Thompson.
“That may have made sense back then, but it does not anymore because cyber criminals have discovered all they need is something a little new to evade detection, which is why behaviour-based systems are now a necessary layer of defence,” he told Computer Weekly.
By adding behaviour-based systems, organisations can make it much more difficult for cyber criminals to bypass defences and gain a foothold.
“At the moment, it’s a doddle. The world will be better off when there are more behaviour-detection systems in place,” said Thompson.
Considering the increasingly likelihood of data being wiped by the latest cyber attacks, he added that a good data backup system is essential.
“Backup is your friend in the next few years,” he told the information security professionals attending the conference. Without automated backup, he said, recovery from total data loss may be impossible.