One of the most famous quotes attributed to Sun Tzu is, "If you know your enemy and know yourself, you need not fear the results of a hundred battles." This statement should certainly apply to the current cyber threat landscape. Security professionals should have strong knowledge about new types of malware, the cybercrime market, and the tactics used by cyber adversaries so they can design and implement the appropriate countermeasures.
Yup, security professionals should know about sophisticated cyber threats in order to bolster defenses and detect anomalous network behavior. Unfortunately, many security professionals aren't nearly knowledgeable enough in this area. ESG recently published a new research report titled, Advanced Malware Detection and Prevention Trends. The data gathered for this report revealed that:
- 40% of enterprise security professionals (i.e. those working at organizations with more than 1,000 employees) are "not very familiar" or "not at all familiar" with polymorphic malware
- 40% of enterprise security professionals are "not very familiar" or "not at all familiar" with metamorphic malware
- 41% of enterprise security professionals are "not very familiar" or "not at all familiar" with modern malware packing techniques
- 50% of enterprise security professionals are "not very familiar" or "not at all familiar" with malware Command & Control (C&C) communications techniques
This data sure seems alarming to me. How can security professionals prevent, detect, or respond to malware attacks if they don't know what to look for in the first place? Yikes! Additionally, why are so many security professionals in the dark here? ESG speculates that this situation may be related to:
1. The security skills shortage. In early 2013, ESG research discovered that 25% of those surveyed say they have a "problematic shortage" of IT security skills. This skills shortage means that the overworked security team spends its time fighting fires, with little time remaining for incremental training.
2. The "prevention" mindset. CISSPs think in terms of controls like vulnerability scanning, hardened configurations, and patch management in order to block malware by reducing the attack surface. Yes, these steps are still necessary but they are not a panacea and are no longer enough alone.
3. The "silver bullet" approach to security. Security behavior has always followed a binary pattern of action/reaction. The onset of SPAM led to the deployment of SPAM filters. Web threats led to web gateways, and so on. Too many security professionals believe that advanced malware can be addressed in a similar manner through the deployment of network sandboxing gateways. No doubt this is better than doing nothing, but it is only part of an overall anti-malware strategy.
Tuesday, October 1 marks the start of the Federal government's annual Cybersecurity Awareness Month. Generally this effort is focused on consumer education, but ESG research reveals that security professionals are also in need of additional training - and soon.