Cyber Attacks: Why You Need to Stop Scanning and Start Preventing
Scanning technologies have long been an important weapon in the enterprise IT security arsenal. Tools like antivirus software, IDS and IPS, and SIEM are mature, widely used and mostly good at what they do, which is to detect anomalous and suspicious activity on an organization’s network.
However, as spending in this area of security increases, it’s worth asking whether these technologies by themselves are really helping enterprises fend off cyberattacks.
Granted, some regulated industries have no choice but to use antivirus software, and no-one would deny that tools like SIEM can play an important role in an organization’s defense-in-depth strategy. But there’s definitely a risk that some enterprises are focusing too heavily on their ability to scan for attacks (which have already occurred by the time they are detected) and too little on their ability to prevent them. Counterintuitive as it sounds, this could actually make them an easier target for cybercriminals.
Here are a few of the reasons it might be a good idea to stop scanning and start preventing.
Malware Threats are Growing Fast
It’s no secret that malware threats are growing at an incredible rate. According to Symantec’s latest Internet Security Threat Report, a massive 430 million new malware variants were discovered in 2015 alone. That puts a lot of pressure on organizations to keep their endpoints updated, particularly in an age of enterprise mobility and mobile malware, and means that undiscovered variants are an ever-present and unaccounted-for threat.
The malware industry is very different today than it was back in the early 2000s. Virus authors are less likely to be amateur hackers and more likely to be professional criminals who can quickly tailor their code to a specific target. Antivirus software alone isn’t a realistic defense against these actors.
False Positives Hide Genuine Threats
In a previous blog, we wrote about how a common problem with IDS, IPS and SIEM solutions is that they often pick up hundreds of false positives alongside genuine threats, making it difficult – if not impossible – for admins to tell one from the other, or even to find the time to weed through the scan results. This mostly happens because many organizations still use VPN-based architectures that are very open at the network layer, allowing legitimate users and harmless applications to generate suspicious-looking traffic.
Scanning is Reactive, Not Proactive
Finally, the biggest and most obvious problem with scanning technologies is their reactive nature.
While antivirus software and IPS do include countermeasures, the tactic of waiting for suspicious activity to occur on your network before acting is, for the reasons outlined above, a fundamentally risky one. Today’s cybercriminals are extremely effective at evading detection, and – if said countermeasures fail – can make off with massive amounts of data long before the organization has a chance to react. A proactive, preventative approach is by far the better option.
What enterprises need, then, is to reduce the attack surface exposed to attackers via more sophisticated network segmentation techniques, such as the software-defined perimeter security model, which gives users access to specific applications and services but not to the underlying network layer. And they need to establish context-aware authentication and authorization rules that set user permissions dynamically, so that suspicious activity is prevented by evaluating whether the connection itself is suspicious before any access is granted.
This way, it becomes much easier for organizations to fend off cyberattacks before the damage is done.
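To make the "access to applications, not the network layer" idea concrete, here is an added example (not code from the original post or from any vendor product) of a small context-aware authorization check in the style of a software-defined perimeter. Every connection is evaluated against a per-application policy before any traffic flows; the user, group, device and application names, the policy fields and the business-hours window are all constructed for illustration.

```python
"""
Added illustration of context-aware, per-application authorization as a
software-defined perimeter gateway might apply it. Nothing here is taken
from the original post or from a real product; all names, fields and policy
values are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    """Context the gateway knows about a connection before admitting it."""
    user: str
    groups: frozenset          # directory groups the user belongs to
    device_managed: bool       # device is enrolled in endpoint management
    device_patched: bool       # endpoint reports an up-to-date patch level
    mfa_verified: bool         # strong authentication completed this session
    source_country: str        # geolocation of the client address, e.g. "US"
    hour_utc: int              # hour of day, 0-23


@dataclass(frozen=True)
class AppPolicy:
    """Per-application rule: who may reach it and what context is required."""
    allowed_groups: frozenset
    require_managed_device: bool = False
    require_patched_device: bool = False
    require_mfa: bool = False
    allowed_countries: Optional[frozenset] = None   # None means no geo restriction
    business_hours_only: bool = False               # constructed window: 08:00-18:00 UTC


def evaluate(conn: Connection, app: str, policies: Dict[str, AppPolicy]) -> Tuple[bool, str]:
    """Return (allowed, reason). An unknown application or any failed check denies."""
    policy = policies.get(app)
    if policy is None:
        return False, f"no policy published for application '{app}' (default deny)"
    if not (conn.groups & policy.allowed_groups):
        return False, f"user '{conn.user}' is not in an allowed group for '{app}'"
    if policy.require_managed_device and not conn.device_managed:
        return False, "unmanaged device"
    if policy.require_patched_device and not conn.device_patched:
        return False, "device patch level out of date"
    if policy.require_mfa and not conn.mfa_verified:
        return False, "multi-factor authentication not completed"
    if policy.allowed_countries is not None and conn.source_country not in policy.allowed_countries:
        return False, f"source country '{conn.source_country}' not permitted"
    if policy.business_hours_only and not (8 <= conn.hour_utc < 18):
        return False, f"outside business hours (hour {conn.hour_utc:02d} UTC)"
    return True, "all context checks passed"


def authorize_session(conn: Connection, requested: List[str],
                      policies: Dict[str, AppPolicy]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate each requested application; the allowed set is this session's 'segment of one'."""
    return {app: evaluate(conn, app, policies) for app in requested}


# Constructed policies for three applications. Note that no policy grants a
# subnet or port range: the only thing that can be granted is an application.
POLICIES: Dict[str, AppPolicy] = {
    "wiki": AppPolicy(allowed_groups=frozenset({"staff", "finance"})),
    "payroll": AppPolicy(allowed_groups=frozenset({"finance"}),
                         require_managed_device=True, require_patched_device=True,
                         require_mfa=True, allowed_countries=frozenset({"US", "CA"}),
                         business_hours_only=True),
    "admin-console": AppPolicy(allowed_groups=frozenset({"it-admins"}),
                               require_managed_device=True, require_mfa=True),
}


if __name__ == "__main__":
    # Constructed sessions: the same user from a managed and an unmanaged device.
    office = Connection("alice", frozenset({"staff", "finance"}), True, True, True, "US", 10)
    personal = Connection("alice", frozenset({"staff", "finance"}), False, True, True, "US", 10)
    for label, conn in (("managed laptop", office), ("personal laptop", personal)):
        print(f"--- alice from {label} ---")
        for app, (ok, why) in authorize_session(conn, ["wiki", "payroll", "admin-console"], POLICIES).items():
            print(f"{app:14s} {'ALLOW' if ok else 'DENY ':5s} {why}")
```

Two design points are worth noting. First, the default is deny: an application with no published policy is unreachable, and a connection that fails any single check never gets as far as the application, let alone the network behind it. Second, every denial carries a concrete reason (unmanaged device, missing MFA, out-of-hours), which is exactly the kind of high-signal event a SIEM can act on, in contrast to the ambiguous alerts produced by watching open VPN traffic after the fact.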
Download the whitepaper After the Perimeter: How a ‘Segment of One’ Simplifies and Improves Security for suggestions on how to rethink your network access.