With corporate networks increasingly under threat, effective means of protection are becoming ever more important. Intelligent CIO asks Christopher Green, Vice President, Middle East, Africa and Turkey at Malwarebytes, about the best ways for enterprises to protect their networks.
What is the best way of protecting a corporate network when accessed by remote devices such as laptops or other mobile devices?
There is a real need to make sure the device is healthy and not already pre-infected before it accesses the network. This might seem like an obvious first step but is one that is equally easy to overlook. Devices should be scanned and cleaned prior to connecting to the corporate network to ensure infected systems aren’t accessing other endpoints and data.
What are the dangers of more companies allowing greater numbers of mobile devices onto their corporate networks?
This very much depends on whether a company has an active BYOD policy rather than assigning corporate devices to employees. When people bring their own device to work, managing that device becomes a lot more complicated. For example, even if you have concerns that the device has been compromised, you can’t wipe it, because legally the company does not own the phone.
If a firm decides not to issue devices to staff, then it needs to reduce the risk associated with BYOD through a clear policy that employees are trained on regularly. As part of this policy, employee-owned devices should always connect to guest WiFi and be protected by PIN passwords that are changed regularly. Better yet, you should consider providing the user with easy access to a mobile security solution for their device (and paying for it).
Whose responsibility is the endpoint security strategy within an organisation?
This will depend on the structure of the organisation, but a CIO or CISO is usually responsible for the cyber-strategy. However, cyber is not ‘just’ IT’s problem – the whole C-Suite needs to be championing cybersecurity awareness so that every employee is thinking twice about whether to click on that suspicious email or on an unknown URL. A cyber-savvy workforce is one of the best defences companies can have.
What responsibility do employees have to ensure the safety of their devices when it comes to accessing the corporate network?
This is something of a grey area. Through a well-thought-out, active BYOD policy, companies can place the onus on employees to ensure that their devices are clean, but ultimately it is the business’s responsibility. That links back to my earlier point. Each company needs to assess the risk of a BYOD policy versus the cost of issuing company-owned devices.
What is the benefit of having a multi-layered defence model?
Every layer is designed to make it as difficult as possible for an attacker to get through. It can be similar to your personal house, where you have a fence, a lock at every door and window, cameras for the yard and garden and maybe even a gated community with security personnel.
This means an attacker has to get through all these defensive layers before they can finally reach and steal the jewellery in the safe of the house. And what you need is something that can work online as well as offline.
Therefore, combining signature-based and signature-less layers in a single agent is the best approach here, to keep it manageable. Also, an artificial intelligence layer is nowadays standard and needed. In our case we have this integrated into our Endpoint Protection product, which has seven layers, and on top of this we have the proprietary, patented Linking Engine technology that ensures thorough clean-up, even if something gets through.
How important is an immediate response when an infection does occur?
How long do you want to have a thief in your house before you call the police? As we have seen through our statistics, no solution is a hundred percent secure 100% of the time.
In fact, we see that the average rate at which other security vendors are failing is around 30% on critical issues like trojans, ransomware, rootkits and other similarly bad malware.
Also, Ponemon Institute’s 2017 Cost of a Data Breach study tells us that the average dwell time for an undetected attacker inside an organisation is around 191 days, where the lowest was 24 days and the highest was 546 days.
The more time a cybercriminal has to widen their attack vector the more they can elevate their privileges, extract data and dissect data. This enables further manual ransomware injection and backdoors into the organisation to be built, not to mention using spyware to look for company trade secrets or intellectual property. If these secrets get out, the company might be in danger of being bankrupted.
Is it possible to return an endpoint to a healthy state AND minimise the impact to the end-user?
Absolutely. That is what we have been doing for over eight years, and that is the work that is still driving our company and products. As most professionals out there will know, we are cleaning up what other vendors are/were unable to stop. This has transformed over the years into the simple fact that everything that we can clean up, we could have prevented in real time.
How do Malwarebytes solutions detect and block threats?
We do this with a blend of the above-mentioned technologies, which we call Multi-Vector Protection. This provides a layered approach, including both static and dynamic detection techniques across the entire attack chain. This approach provides protection against all types of threats, from traditional viruses to tomorrow’s advanced threats.
More details on our layered approach:
Web protection – Prevents access to command and control (C&C) servers and malicious websites
Application hardening – Reduces the vulnerability surface, making the endpoints more resilient. Proactively detects fingerprinting attempts made by advanced exploit attacks
Exploit mitigation – Proactively detects and blocks attempts to compromise application vulnerabilities and remotely execute code on the endpoint
Application behaviour protection – Ensures applications behave as intended, preventing them from being leveraged to infect endpoints
Anomaly detection machine learning – Proactively identifies unknown viruses and malware based on anomalous features from known good files
Payload analysis – Identifies entire families of known malware by using a combination of heuristic and behavioural rules
Ransomware mitigation – Detects and blocks ransomware from encrypting files using signature-less behavioural monitoring technology
Linking Engine – Proprietary, signature-less remediation technology that identifies and thoroughly removes all threat artefacts associated with the primary threat payload
Malwarebytes Cloud Platform – The console provides centralised policy management and consolidated threat visibility across all endpoints globally. It also enables asset management capabilities
Are there any new advanced threats that have recently appeared on the scene?
Cryptomining is the obvious threat to talk about. Cryptomining could even be described as a prevalent and opportunistic threat.
Despite the fact that three new ransomware (disruptive threat) families emerged in the last quarter (GandCrab, Scarabey and Hermes; to learn more about those, download the Q1 Cybercrime Tactics and Techniques report at https://go.malwarebytes.com/CTNTQ1FY19.html), cryptomining has risen to become a huge threat vector. The hijacking by hackers of UK government websites to mine crypto-cash shows how mainstream it has become.
Yet companies are unprepared for this type of attack. Our Malwarebytes Labs CT&T Q1 report found that malicious Cryptomining had increased on a grand scale – across all platforms, devices, operating systems, and in all browsers. Macs and mobile devices are not exempt; criminals have even used the cryptocurrency craze for social engineering purposes.