I’m one of those fortunate information security professionals who plays both sides of the technology defense game: I’m your incident response guy and your preventive technologies guy. When I’m working with a company after they’ve been breached, I can see pretty quickly which defenses they were missing that allowed the breach in the first place, and then I can help them architect solutions to prevent the next attacks.
In my experience, it is very common for a company that is trying to block attacks to purchase the hottest technologies. In many cases they are better off for it. Our anti-malware defense technologies these days are pretty incredible when you think about it. OS-based application whitelisting is a pretty resilient technology, especially for road warriors with laptops. Advanced malware protection devices detonate suspicious executables in a sandbox to observe their effects; next-generation firewalls and advanced NetFlow (and its variants) analysis round out the picture, and the list goes on and on from prevention to detection and forensics. We’ve got a lot of solutions to choose from. But for most of us, the sum of those solutions is more than we can afford to buy.
So while a secure web gateway or an advanced malware appliance is nothing short of awesome for a fixed network, it does nothing for a laptop that is off that network, so it may not be ideal for a team of laptop-carrying road warriors. And while application whitelisting may be ideal for companies that can support a culture of uniformity, we all know situations where that level of control is not sustainable.
At HALOCK, we’ve been conducting risk assessments for years, and we realized that by modifying our risk assessment processes, we can help our clients determine which blended anti-malware approaches make the most sense for them, and for which of their assets. If you’ve grown accustomed to settling for 80/20 solutions given your limited budgets and your varied devices, you’d be surprised at how a risk analysis can get you closer to 95/5 solutions. The mechanism behind that improvement is that in a risk assessment you carefully analyze the impact and likelihood of each foreseeable threat to each asset, then choose a safeguard that actually addresses that threat on that asset (a network appliance, for example, counts for nothing on a laptop that never sees the network). Once you’ve carefully thought this through, you’ve got a strategic blend of the optimal security investments for the maximum coverage.
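To make that mechanism concrete, here is a small model of the reasoning in code. This is an added illustration, not HALOCK’s assessment process or a tool the post describes: the assets, threats, likelihood and impact figures, safeguard catalogue, costs and effectiveness values are all constructed for the example, and the selection rule (greedy by risk reduction per dollar, with safeguards only counting for assets they actually protect) is an assumed simplification of a real assessment.

```python
"""Risk-driven safeguard selection (illustrative, added example).

Not HALOCK's assessment method. Every asset, threat, likelihood, impact,
safeguard, cost and effectiveness value below is constructed. Risk per
(asset, threat) is likelihood * impact; a safeguard that applies to an
asset removes a fraction of the likelihood of the threats it covers;
safeguards are chosen greedily by risk reduction per dollar within budget.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Threat:
    name: str
    likelihood: float   # assumed annual probability, 0..1
    impact: float       # assumed loss in dollars if it occurs


@dataclass(frozen=True)
class Asset:
    name: str
    mobile: bool        # True for laptops that leave the fixed network
    threats: Tuple[Threat, ...]


@dataclass(frozen=True)
class Safeguard:
    name: str
    cost: float
    covers: FrozenSet[str]   # threat names it mitigates
    effectiveness: float     # fraction of likelihood removed, 0..1
    mobile_ok: bool          # still works off the corporate network


def applies(sg: Safeguard, asset: Asset) -> bool:
    """A network appliance does not protect a roaming laptop."""
    return sg.mobile_ok or not asset.mobile


def residual_risk(assets, chosen) -> float:
    """Annualised expected loss with the chosen safeguards in place."""
    total = 0.0
    for asset in assets:
        for t in asset.threats:
            factor = 1.0
            for sg in chosen:
                if t.name in sg.covers and applies(sg, asset):
                    factor *= 1.0 - sg.effectiveness
            total += t.likelihood * factor * t.impact
    return total


def select_safeguards(assets, safeguards, budget) -> List[Safeguard]:
    """Greedy knapsack: best risk reduction per dollar that still fits."""
    chosen: List[Safeguard] = []
    remaining = budget
    while True:
        current = residual_risk(assets, chosen)
        best, best_ratio = None, 0.0
        for sg in safeguards:
            if sg in chosen or sg.cost > remaining:
                continue
            reduction = current - residual_risk(assets, chosen + [sg])
            ratio = reduction / sg.cost
            if ratio > best_ratio:
                best, best_ratio = sg, ratio
        if best is None:
            return chosen
        chosen.append(best)
        remaining -= best.cost


# Constructed inventory: a fixed server and a fleet of roaming laptops.
ASSETS = (
    Asset("HQ file server", mobile=False, threats=(
        Threat("malware_email", 0.5, 200_000),
        Threat("exploit_kit", 0.3, 200_000),
    )),
    Asset("Sales laptops", mobile=True, threats=(
        Threat("malware_email", 0.6, 150_000),
        Threat("drive_by", 0.4, 150_000),
        Threat("theft", 0.2, 50_000),
    )),
)

# Constructed catalogue: costs and effectiveness are placeholders.
SAFEGUARDS = (
    Safeguard("secure_web_gateway", 40_000, frozenset({"exploit_kit", "drive_by"}), 0.8, mobile_ok=False),
    Safeguard("app_whitelisting", 30_000, frozenset({"malware_email", "exploit_kit", "drive_by"}), 0.9, mobile_ok=True),
    Safeguard("malware_sandbox", 60_000, frozenset({"malware_email"}), 0.7, mobile_ok=False),
    Safeguard("disk_encryption", 10_000, frozenset({"theft"}), 0.95, mobile_ok=True),
)


def plan(budget: float = 80_000) -> Dict[str, object]:
    """Run the selection against the constructed data and summarise it."""
    chosen = select_safeguards(ASSETS, SAFEGUARDS, budget)
    return {
        "chosen": [sg.name for sg in chosen],
        "spend": sum(sg.cost for sg in chosen),
        "risk_before": residual_risk(ASSETS, []),
        "risk_after": residual_risk(ASSETS, chosen),
    }


if __name__ == "__main__":
    for key, value in plan().items():
        print(f"{key}: {value}")
```

With these made-up numbers the model buys whitelisting first (it covers both asset classes), then disk encryption, then the web gateway, and leaves the sandbox unbought because it is both expensive and blind to the laptops; the point is not the specific answer but that the choice falls out of per-asset threat analysis rather than from whatever product is hottest this year.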
And because you are required by law to protect your information assets according to risk, why would you make a security investment decision any other way?
I will be speaking about our approach to a new Malware Defense Strategy at CAMP IT on Thursday, October 24th at the Donald E. Stephens Convention Center in Rosemont, IL if you’d like to come down to see us.
About the author
Jibran Ilyas is the Incident Response Team Lead at HALOCK Security Labs. He has investigated some of the world’s largest data breaches and devised malware defense strategies for principal clients. Jibran has presented at several global security conferences, including DEFCON, Black Hat, SecTor and SOURCE Barcelona, on computer forensics and cyber crime. Jibran has co-authored Global Security Intelligence reports and has trained the USSS and other law enforcement agencies on incident response and forensics.