Traditional Security Measures
Anti-Virus
Malicious software generally employs techniques to detect or evade AV. Advanced forms of these techniques disable AV protection entirely. Even up-to-date and fully functional AV software can fall short in the arena of compromise detection and remediation. Signature-based detection alone cannot keep up with the massive number of malware samples created every day.
In the first half of 2009, McAfee saw almost 1.2 million fresh malware samples, amounting to nearly 6,000 new samples each day.
The amount of malware to process has become overwhelming for every anti-virus company, resulting in a common delay between when malicious software is released into the wild and when it is finally detected by AV, averaging anywhere from 1 to 3 months. Criminal attackers can leverage this delay to gain access to systems unnoticed, having plenty of time to extract data and personally identifiable information, including financial records.
Intrusion Detection/Prevention Systems
Current tactics to bypass IDS/IPS technologies use encrypted, hidden, or malformed traffic and payloads. Malicious software can also bypass anomaly detection by remaining dormant until a predetermined action within the system occurs. Anomaly detection, while valuable, is not capable of providing a flawless security barrier. Once an attacker knows the rules and workarounds of these systems, evasion becomes simple and common practice.
False positives and false negatives are a difficult problem when dealing with IDS/IPS. Defining or changing signatures and rules to keep the numbers low for one often means an increase in the numbers for the other. Nemesis has a sophisticated compromise detection system that can identify malware and botnet beaconing behaviour, no matter what pattern or format it takes on.
At the heart of the Nemesis system is the Maelstrom analysis engine. Maelstrom is our core binary analysis engine and malicious domain extraction tool. Engineered by Defence Intelligence, Maelstrom analyzes 40,000 unique binaries per day and identifies over 15 million malicious domains per year. Maelstrom data is enhanced by exclusive data and analysis from Defence Intelligence and key contributors in the security industry. Our expert threat analysis team ensures quality results, increasing detection rates while maintaining near-zero false positives.
Firewalls
Criminals make use of the most common communication methods on the Internet to distribute malicious software, and they control victims in a large and distributed manner. Static rule-based protection against all threats is virtually impossible for any company that utilizes the Internet. Even well-formed and thorough firewall rules have little effect on modern malware.
Most current malware communicates through channels that must remain open for normal network activity. If your company relies solely on a firewall for protection, there is literally nothing to keep malicious software from freely entering and leaving your network, taking vital data with it. Much of the beaconing and communication attempted by malware originates from the compromised system, and the installation of the malware is often accepted unknowingly by the end user. Proxy integration and usage is also not uncommon for modern-day malicious software.
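Because beacons travel over ports the firewall has to leave open, the signal a defender can still use is timing: a bot checks in on a fixed timer with near-identical requests, while a user's browsing is bursty and irregular. The following is an added illustration, not Nemesis or Maelstrom code, of how that regularity can be measured over outbound connection logs. The log format (timestamp, source, destination, bytes out), the sample lines, and the thresholds are all constructed assumptions for the example.

```python
"""Detect periodic outbound 'beaconing' in outbound connection logs.

Added example (not Defence Intelligence / Nemesis code). Groups outbound
connections by (source, destination), measures how regular the gaps
between contacts are, and flags pairs whose timing and request size are
suspiciously constant. Log format, field names and thresholds are
assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dst_host> <bytes_out>".
# cdn.example.net is browsed irregularly; update-check.example.org is
# contacted every ~5 minutes with the same payload size (beacon-like).
SAMPLE_LOG = """\
2009-06-01T09:00:00 10.0.0.5 cdn.example.net 1843
2009-06-01T09:00:12 10.0.0.5 cdn.example.net 25001
2009-06-01T09:01:00 10.0.0.5 update-check.example.org 312
2009-06-01T09:03:41 10.0.0.5 cdn.example.net 9920
2009-06-01T09:06:01 10.0.0.5 update-check.example.org 312
2009-06-01T09:10:59 10.0.0.5 update-check.example.org 312
2009-06-01T09:11:30 10.0.0.5 cdn.example.net 770
2009-06-01T09:16:00 10.0.0.5 update-check.example.org 312
2009-06-01T09:21:02 10.0.0.5 update-check.example.org 312
2009-06-01T09:25:10 10.0.0.5 cdn.example.net 4210
2009-06-01T09:26:00 10.0.0.5 update-check.example.org 312
"""


def parse_log(text):
    """Parse the constructed log lines into (timestamp, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return records


def find_beacons(records, min_events=5, max_jitter=0.1, max_size_cv=0.2):
    """Return {(src, dst): stats} for pairs whose contact pattern looks timer-driven.

    jitter  = stdev(gap)   / mean(gap)    -> near 0 means a fixed check-in timer
    size_cv = stdev(bytes) / mean(bytes)  -> near 0 means identical requests
    The thresholds are assumptions for the sample; tune them on real traffic.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, nbytes in records:
        by_pair[(src, dst)].append((ts, nbytes))

    hits = {}
    for pair, events in by_pair.items():
        if len(events) < min_events:
            continue  # too few contacts to judge periodicity
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        sizes = [n for _, n in events]
        period = mean(gaps)
        if period <= 0:
            continue  # all contacts at the same instant; not a timer pattern
        jitter = pstdev(gaps) / period
        size_cv = pstdev(sizes) / mean(sizes) if mean(sizes) > 0 else 0.0
        if jitter <= max_jitter and size_cv <= max_size_cv:
            hits[pair] = {
                "count": len(events),
                "period_s": period,
                "jitter": round(jitter, 4),
                "size_cv": round(size_cv, 4),
            }
    return hits


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: {stats['count']} contacts every "
              f"~{stats['period_s']:.0f}s (jitter {stats['jitter']})")
```

On the sample, the CDN host is dropped because its gaps vary by hundreds of seconds, while the update-check host is flagged with a 300-second period and almost no jitter. Real bots often add random sleep to defeat exactly this measure, so in practice the jitter threshold is loosened and combined with other signals (destination reputation, long-lived low-volume sessions, off-hours activity) rather than used alone.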
