Ensuring No Holes Exist in Your Cybersecurity Fence
The best defenses against attacks provide a definite verdict and do not depend on knowledge of past attacks or on security updates.
Perimeter security products almost universally claim to scan every file and link continuously so that the organizations they protect stay free of malware. Few organizations need that assurance more than a financial institution. For a credit union, what could be more valuable than knowing that a malicious file is headed its way and deflecting it before it ever reaches its target?
Let's back up a bit. How does a malicious-file detection engine decide which of a credit union's files get scanned? Persistent scanning of every file can become too expensive and unwieldy for some organizations, so those institutions have to decide how to sort through their files and which ones to submit for scanning. On what basis does a credit union make that decision?
Most financial institutions make it on the basis of a set of characteristics considered typical of a malicious file or piece of code. That leaves the organization with the question of what to do about files that do not possess this pre-determined set of characteristics. In this model they are not scanned, at least not on the first pass, so anything that does not look like a typical carrier goes through untouched.
Most financial institutions run more than one detection engine in their security stack. Some engines are proprietary, some are integrated from external vendors, and some vendors collaborate to build a hybrid, sold as "five great engines that detect attacks instead of just one."
At first glance this looks like a strong and secure approach to data security: several engines, each with different knowledge, integrated into one holistic solution. But the approach has inherent weaknesses, starting with the fact that the product must still reduce everything it knows about a file to a single decisive verdict, "passed" or "blocked."
When more than one engine sits inside a security solution, the organization receives a set of indicators from the different engines, and the product combines them into that single passed-or-blocked verdict. The vendor builds the combining logic, either a proprietary algorithm or a rule-based decision engine. Building that logic is not easy: when Engine A flags a file as malicious and Engine B reports it benign, someone has to decide which engine is correct, and on what basis.
Paradoxically, running additional engines side by side does not by itself increase the detection rate. It can have the opposite effect if the organization does not understand how best to use the indicators it receives. With too many sources of information, some of that information is routinely lost in the reduction to a single verdict.
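The triage stage and the verdict aggregation just described, as an added example that is not part of the original article or of any vendor's product: three toy engines (a hash reputation list, a byte-signature matcher and a simple heuristic) feed three aggregation policies, behind a triage rule that only forwards files showing "typical" malicious characteristics. The file contents, hash list, signature strings, heuristic rules and confidence values are all constructed for the demonstration. On a macro document that only the heuristic engine dislikes, the same three engine results come back "blocked" under one policy and "passed" under the other two; a text file carrying the same payload is never scanned at all, because triage does not forward it.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

@dataclass
class FileSample:
    name: str
    content: bytes

@dataclass
class EngineResult:
    engine: str
    verdict: str                # "malicious", "benign" or "unknown"
    confidence: float           # 0.0 .. 1.0, how sure the engine is of its verdict
    indicators: List[str] = field(default_factory=list)

# Stage 1: triage. Hypothetical rule: only files with "typical" malicious
# characteristics (executable header or script/macro extension) reach the engines.
TRIAGE_EXTENSIONS = {"exe", "js", "vbs", "hta", "docm", "xlsm"}

def needs_scan(sample: FileSample) -> bool:
    ext = sample.name.rsplit(".", 1)[-1].lower() if "." in sample.name else ""
    return ext in TRIAGE_EXTENSIONS or sample.content.startswith(b"MZ")

# Stage 2: three constructed engines with different kinds of knowledge.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"MZ\x90\x00EVIL_DROPPER").hexdigest()}      # constructed hash list
SIGNATURES = {b"EVIL_DROPPER": "Dropper.Generic", b"AutoOpen": "Macro.AutoOpen"}  # constructed signatures

def reputation_engine(sample: FileSample) -> EngineResult:
    digest = hashlib.sha256(sample.content).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        return EngineResult("reputation", "malicious", 0.99, ["sha256:" + digest[:12]])
    return EngineResult("reputation", "unknown", 0.0)   # never seen before: no opinion

def signature_engine(sample: FileSample) -> EngineResult:
    hits = [name for pattern, name in SIGNATURES.items() if pattern in sample.content]
    if hits:
        return EngineResult("signature", "malicious", 0.95, hits)
    return EngineResult("signature", "benign", 0.7)     # no signature matched: reported as clean

def heuristic_engine(sample: FileSample) -> EngineResult:
    body = sample.content.lower()
    indicators = []
    if b"powershell" in body and b"-enc" in body:
        indicators.append("encoded-powershell")
    if sample.content.count(b"Chr(") >= 3:
        indicators.append("chr-obfuscated-macro")
    if indicators:
        return EngineResult("heuristic", "malicious", 0.35 + 0.2 * len(indicators), indicators)
    return EngineResult("heuristic", "benign", 0.5)

ENGINES = [reputation_engine, signature_engine, heuristic_engine]

# Stage 3: three ways of collapsing the per-engine results into one verdict.
def policy_any(results: List[EngineResult]) -> str:
    """Block if any engine says malicious (most sensitive, most false positives)."""
    return "blocked" if any(r.verdict == "malicious" for r in results) else "passed"

def policy_majority(results: List[EngineResult]) -> str:
    """Block only if a strict majority of the engines that voted say malicious."""
    voting = [r for r in results if r.verdict != "unknown"]
    malicious = sum(1 for r in voting if r.verdict == "malicious")
    return "blocked" if voting and malicious * 2 > len(voting) else "passed"

def policy_weighted(results: List[EngineResult], threshold: float = 0.5) -> str:
    """Block if the confidence-weighted share of 'malicious' votes reaches the threshold."""
    total = sum(r.confidence for r in results if r.verdict != "unknown")
    malicious = sum(r.confidence for r in results if r.verdict == "malicious")
    return "blocked" if total and malicious / total >= threshold else "passed"

def decide(sample: FileSample,
           policy: Callable[[List[EngineResult]], str]) -> Tuple[str, List[EngineResult]]:
    """Full pipeline. An empty result list means triage never sent the file to any engine."""
    if not needs_scan(sample):
        return "passed", []
    results = [engine(sample) for engine in ENGINES]
    return policy(results), results

# Constructed inputs for the demonstration.
SAMPLES = {
    # Known dropper: every engine agrees, every policy blocks.
    "dropper.exe": FileSample("dropper.exe", b"MZ\x90\x00EVIL_DROPPER"),
    # Macro document with only a weak heuristic hit: the policies disagree.
    "quote.docm": FileSample("quote.docm",
        b"PK\x03\x04vbaProject.bin Sub Document_Open() x = Chr(112) & Chr(111) & Chr(119) Shell x"),
    # Same kind of payload in a .txt: triage never forwards it to the engines.
    "notes.txt": FileSample("notes.txt", b"powershell -enc SQBFAFgA EVIL_DROPPER"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        for policy in (policy_any, policy_majority, policy_weighted):
            verdict, results = decide(sample, policy)
            flags = [(r.engine, r.verdict, r.indicators) for r in results]
            print(f"{name:12} {policy.__name__:16} {verdict:8} {flags}")
```

The thing to notice when running it is that the per-engine indicators carry the information. Once the product collapses them into a single verdict, the disagreement between the signature engine and the heuristic engine on quote.docm is invisible unless the aggregator also hands back the raw results, as decide() does here; and notes.txt never produces any indicators at all, because the triage rule decided it did not look like something worth scanning.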
Integrating different detection engines into one solution also raises the question of how to handle updates. Each detection mechanism is reactive by nature, so it keeps evolving and regularly produces new indicators. Deployed standalone, an engine can deliver those updates to its users quickly; as a component inside a combined product, every engine update also means a change to the overall decision algorithm. That change takes time to develop and test, and the wait is a window of exposure that financial transactions cannot tolerate.
What does it say about a financial institution's security posture if it can take days to detect a rogue file? The time it takes a vendor to update its solution ranges from one day to 12 days. Detecting a threat on first sight is becoming the whole purpose of cybersecurity today. Attackers know about that gap and take advantage of it: they treat an attack like a paper plate, used once, thrown away and recycled into something brand new. Often the malware is given new characteristics that the deployed solutions are not yet able to detect.
The heavy investment in continuous-scanning protocols raises doubts about the effectiveness of these engines, because they keep alive the cat-and-mouse game between malicious actors and the organizations they target. That is the attackers' preferred version of the game, since they are the ones holding the advantage.
Today, enterprises should look for security solutions that do not leave open questions or create doubt. The best defense against attacks is a solution that provides a definite verdict and does not depend on knowledge of past attacks or on security updates. If a financial institution's detection engine does not depend on what an attack looks like, it is far more likely to detect that attack at first sight, which is exactly what today's enterprise threat landscape demands.
Maor Hizkiev is Chief Technology Officer and Co-Founder for BitDam. He can be reached at maor.hizkiev@bitdam.com.