When companies grow, their networks grow with them. What naturally follows is a growth in administration. As a Systems Engineer in the Nordics, I meet a lot of quickly growing companies, and they have a lot in common when it comes to the challenges of rapid growth. Typically they have very flat network structures and simple security solutions, all managed by a single person or a very small team. These small teams are made up of generalists who need to cover everything, including virtual environments, storage, networks, firewalls and general security. Sooner or later, these IT teams enter a critical phase between small and mid-size.
At this critical phase there are a lot of projects going on and the staff is under a lot of stress. This is a critical time, especially for security, and there is a lot to be done. Unfortunately, security is often put on hold for tasks such as redesigning the network or implementing newly acquired business support systems (cloud based or not). I'll get back to that in my next blog post.
When push comes to shove there needs to be a security solution on the table. Let's disregard the whole company security policy discussion for a moment (it would be a very, very big blog post) and look at threat prevention in terms of advanced threat detection (ATD).
The ATD Solution
Generally, an ATD/sandboxing solution does not replace proper threat prevention technologies: traditional antivirus, web filter and IPS. But it is a good complement, and here is why:
1. Most malware today is distributed broadly and is often part of building a botnet. So a client downloads a file that hosts malware, a dropper, or the like.
2. The first thing a UTM firewall will do is check its policies to see whether the client is allowed to access the server at all.
3. If that is OK, the web filter is checked to see whether access to this site is allowed. Let us assume that the malware's URL is tagged as a malicious site and that we block that category. Problem solved: a log entry is made about the incident and that is it. This could be presented in a report or flagged for further investigation.
These can be checks of the environment, such as a lack of applications for the targeted OS, extended sleep calls, checks for mouse and keyboard input, or forcing the user to make an active choice by asking for confirmation in a pop-up. Sandboxing will always be a cat and mouse game against malware developers.
The malware gets detected and scores high, a notification is sent to the IT staff, and now the work begins. Was the file sent to a machine that can execute it? Was it shared? Was it executed? Was the virus detected by the local antivirus client?
More often than not the simplest action is to reinstall the machine and just get on with everyday IT work. But it is important for even small organizations to have a defined, if straightforward, response process. That is all good, but an ATD solution can put enormous pressure on the IT staff, forcing them to handle reinstallation of machines, restoring backups and the like.
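To make the layered check described above and the response questions concrete, here is an added model (not code from the original post or from any vendor product) that walks a download through the firewall's layers in order and applies the triage questions to a sandbox alert; all field names, web-filter categories and the alert threshold are assumptions.

```python
"""Layered UTM decision chain and sandbox-alert triage (constructed model,
not vendor code; field names, categories and threshold are assumptions)."""
from dataclasses import dataclass

MALICIOUS_CATEGORIES = {"malware", "phishing"}  # assumed web-filter categories
SANDBOX_ALERT_SCORE = 70                        # assumed verdict threshold

@dataclass
class Download:
    dst_allowed: bool       # firewall policy permits the destination server
    url_category: str       # web-filter category assigned to the URL
    av_signature_hit: bool  # network antivirus matched a signature
    sandbox_score: int      # 0-100 sandbox verdict (assumed scale)
    target_os: str          # OS the sample is built for
    client_os: str          # OS of the receiving machine
    executed: bool          # file was run on the client
    local_av_blocked: bool  # local antivirus client stopped it

def disposition(d: Download) -> str:
    """Walk the layers in firewall order; only the last one raises an alert."""
    if not d.dst_allowed:
        return "blocked:policy"
    if d.url_category in MALICIOUS_CATEGORIES:
        return "blocked:webfilter"
    if d.av_signature_hit:
        return "blocked:antivirus"
    if d.sandbox_score >= SANDBOX_ALERT_SCORE:
        return "alert:sandbox"
    return "allowed"

def triage(d: Download) -> str:
    """Apply the response questions to a sandbox alert and choose an action."""
    if disposition(d) != "alert:sandbox":
        return "log-only"               # handled upstream or clean
    if d.target_os != d.client_os:
        return "log-only"               # cannot execute on that machine
    if d.local_av_blocked:
        return "verify-av-log"          # local AV caught it; confirm and close
    if d.executed:
        return "reinstall-and-restore"  # assume the host is compromised
    return "quarantine-file"            # delivered but never run

def staff_workload(events) -> dict:
    """Count events per action; hands-on actions are the team's ATD workload."""
    counts = {}
    for e in events:
        action = triage(e)
        counts[action] = counts.get(action, 0) + 1
    return counts
```

Running the same set of downloads with the web-filter category corrected from "news" to "malware" shows the workload shift the post describes: the events stop at the web filter and never reach the sandbox or the reinstall queue.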
Even worse, it can distract the staff from more serious problems and intrusion attempts. If you get a lot of hits in your sandbox and you are a company that is not regularly facing external threats, you will be doing a lot of reinstallations and damage control.
It is also likely that the antivirus and web filter could be improved, which is why the relationship between advanced threat detection and traditional threat prevention is so important.
With a proper baseline defense of firewalling, web filtering, network-based antivirus and client antivirus, the company IT staff will be able to cope.
In this case an Advanced Threat Detection solution adds a great extra layer of security. If basic security functions are lacking, the sandbox will get a lot of hits, send the IT staff to less qualified tasks than needed and distract them from real threats.
In the SMB segment, that is a big problem.