The Singapore Government is cutting off Internet connections from work computers used officially by public servants from May 2017, in an effort to plug potential leaks from work emails and shared documents – amidst today’s advanced security threats.
I invited Tony Jarvis from Check Point Software Technologies to share his opinion on how best to secure an organisation’s network and IT assets. This guest blog is written by him.

Tony Jarvis is the Chief Strategist (Asia, Middle East and Africa) for Check Point Software Technologies.
With every detection of a new threat, the security landscape evolves: attackers are no longer just looking for inventive ways to infiltrate a network, but also for innovative evasion techniques and ways to maximise the damage they inflict.
“To say the security landscape is constantly changing would be an understatement,” says Tony Jarvis, Chief Strategist (Asia, Middle East and Africa) for Check Point Software Technologies.
What really matters is how vendors respond to the ever-evolving landscape, rather than just making incremental enhancements to existing solutions that still predominantly focus on detection rather than prevention.
With the numerous acquisitions and layoffs being announced, the real question that CIOs and CISOs need to ask is: “Is my security vendor in for the long run?”
Central to any effective security strategy is the ability to stop threats before the initial compromise.
The only way to do this is with prevention.
Many vendors simply can’t do it, which is why they talk about detection.
Tapping an expert’s views
I also asked Tony specifically for his take on the Singapore Government’s move to cut Internet access from work computers used by civil servants from May next year.
Here are more of his opinions in a Q&A format.
The majority of solutions being deployed today rely on a detection capability, with some requiring users to choose whether infected files should be quarantined or allowed to pass through.
Not only is this intrusive to the user experience, it’s also prone to human error.
Inflexible deployment models calling for an all or nothing use of cloud or private malware analysis fail to meet many customers’ requirements.
To make matters worse, the sandboxing process often takes too long, giving malware plenty of time to get to work before its presence becomes known.
As part of the strategy to advance sandbox technology, Check Point acquired Hyperwise in 2015.
Integrating the Hyperwise specialty in “CPU-level Threat Prevention” with Check Point’s Next Generation Threat Prevention solutions, Check Point SandBlast is able to take advantage of advanced features in Intel’s more recent processors and detect the exploits employed by malware.
There are only a small number of such exploits available, and even though there are millions of types of malware in use, they all share those same few exploits.
This makes it possible to detect unknown malware – something that signatures and generic heuristics aren’t capable of.
This can even be triggered by an alert found by an existing antivirus, anti-bot, or threat emulation agent on the endpoint.
When a malicious file is found, it can be quarantined either at the process level or the host itself.
Doing so prevents the threat from moving laterally and spreading to other machines on the network.
Whilst prevention is definitely better than cure, CIOs are often under pressure to uphold the flow of business operations and minimise latency on the networks.
Traditional sandboxing, while somewhat effective, should be able to detect sophisticated evasion techniques and prevent infections from getting into the network.
If the file in question is a document, a safe version without active content should be reconstructed on the fly and sent to users without impacting the speed of business.
The original file can then be held for emulation to occur.
A hybrid approach towards leveraging the cloud gives organisations maximum flexibility.
Certain files can be sent to the cloud for analysis, with others kept on-network, depending on file type and sensitivity.
However, traditional sandboxes have been around for years, and work at the operating system level.
This has given modern malware authors time to understand how they work and develop new evasion techniques with high degrees of success.
CryptXXX ransomware was identified in April 2016 and uses a virtual machine evasion technique involving a time delay – specifically, the DLL waits 62 minutes before launching – which makes it harder to connect the incident to the source.
Sound security strategies also stress the importance of understanding and responding to a given incident.
All too often, machines are re-imaged, without an understanding of how they were compromised in the first place or what damage was done.
Without this knowledge, there is nothing stopping an attacker from coming back, as no additional security measures have been implemented.
This means that the organisation has not made the step forward, remaining in the position prior to the attack.
The best practice would be an automated incident analysis report tracking the attack from its origin, pinpointing exactly what happened and when.
Full visibility of infected hosts, how the threat arrived, and where it spread take the guesswork out of incident response.
Just as with sandboxing, this needs to be done within minutes in order to make informed decisions in response to a security incident, without needing to triage events and decide which ones warrant further time and expense.
As a finale to the incident, a script should be deployed to the endpoint to clean the infected host.
The job of CIOs today is increasingly challenging, having to balance the financial investment with the level of security while maintaining a smooth business operation.
Security vendors need to go beyond just providing a service and partner with their customers to consult and assist in setting long-term security strategies.
So they themselves need to be in it for the long haul, continuing to innovate and advance their own security offerings.
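The “safe version without active content” step described above (reconstructing a document on the fly while the original is held for emulation) is illustrated by this added example; it is not code from the original post or from Check Point. It builds a constructed, minimal macro-enabled OOXML package in memory and rebuilds it without the VBA part, its relationship and its content-type entries; the XML handling assumes the one-element-per-line layout of the constructed sample, not arbitrary real-world files.

```python
import io
import zipfile

# Constructed sample: the parts of a minimal macro-enabled Word file (.docm)
# that carry or reference active content. It is not a real document.
CONTENT_TYPES = """<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/>
</Types>"""
DOC_RELS = """<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/>
</Relationships>"""

ACTIVE_PARTS = ("word/vbaProject.bin", "word/vbaData.xml")  # OOXML parts holding VBA
MACRO_MAIN = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def build_sample_docm() -> bytes:
    """Assemble the constructed .docm package as zip bytes (16 zero bytes stand in for VBA)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/_rels/document.xml.rels", DOC_RELS)
        z.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


def _drop_vba_lines(xml: bytes) -> bytes:
    """Remove lines that reference VBA parts (assumes one element per line, as in the sample)."""
    kept = [l for l in xml.decode("utf-8").splitlines() if "vba" not in l.lower()]
    return "\n".join(kept).encode("utf-8")


def strip_active_content(data: bytes) -> bytes:
    """Rebuild the package without VBA parts, their relationships or macro content types."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(data)) as src, zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            if name in ACTIVE_PARTS:
                continue  # the VBA itself is never copied into the safe copy
            body = src.read(name)
            if name == "[Content_Types].xml":
                body = _drop_vba_lines(body.replace(MACRO_MAIN.encode(), PLAIN_MAIN.encode()))
            elif name.endswith(".rels"):
                body = _drop_vba_lines(body)
            dst.writestr(name, body)
    return out.getvalue()


def has_active_content(data: bytes) -> bool:
    """True if the package still contains a VBA part or a reference to one."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        ct = z.read("[Content_Types].xml").decode("utf-8")
    return any(n in ACTIVE_PARTS for n in names) or "vba" in ct.lower() or MACRO_MAIN in ct


def part_names(data: bytes) -> list:
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        return z.namelist()
```

The original bytes are left untouched so they can still be queued for emulation, while the rebuilt copy is what reaches the user.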