By Leon Ward, UK Field Product Manager, Sourcefire
“An ounce of prevention is worth a pound of cure.” Coined by Benjamin Franklin back in 1736, and applicable to so many aspects of life and business, the phrase even served the IT security industry well for the first quarter of a century. But today this phrase no longer rings true. 
As our protection methods get better and better and
security effectiveness levels reach new heights, the bad guys are digging deep and using advanced malware, targeted attacks and new attack vectors to try to circumvent existing protection methods. These attacks are so stealthy that many security professionals struggle to determine if they even have an advanced malware problem. These malicious threats hone in on their victims, disguise themselves to evade defences, can hide for extensive periods and then launch their attacks at any time. Given this new level of sophistication, malware outbreaks are inevitable.
Once you do identify malware on your network, there remain a lot of unknowns, for example: How did the malware get in? How extensive is the outbreak? How does the malware behave? What is needed to recover? How can the outbreak be stopped?
To answer these questions and mitigate the impact of a breach, you need defences that address the full attack continuum – before it begins, during the time it is in progress and even after it begins to damage systems. Let’s take a closer look at some of the best practices in each of these phases and how
layers of security infrastructure at each phase must work together for better protection.
Before an attack: It’s pretty simple. You can’t protect what you can’t see. Or, put another way, you need to know what’s on your network in order to defend it – devices, operating systems, services, applications, users, content and potential vulnerabilities. Being able to establish a baseline of information is a critical first step in defending your organisation from attack. Implementing access control over applications and users is also important in this phase. Minimising the attack surface through intelligent and granular controls reduces your organisation’s vulnerability to attackers taking advantage of today’s many attack vectors to glean information and penetrate networks. But this alone is no longer enough.
During an attack:To combat today’s increasingly sophisticated malware, you need the best threat detection possible. To help assess security effectiveness and performance levels, third-party tests of IT security solutions in real-world environments can help you separate hype from reality. Once you can detect a file as malware you can block it. And because malware changes so quickly, having the ability to learn and update detection information based on evolving threat intelligence is critical to
maintaining security effectiveness. Still, given the nature of malware today,the best threat detection alone isn’t sufficient to protect your environment.
After an attack: Once advanced malware enters your network it’s safe to assume it will attempt to infect other systems. At this point, marginalising the impact of an attack becomes the end game. You need to take a proactive stance to understand the scope of the damage, contain the event, remediate it and bring operations back to normal. Technologies that provide continuous analysis so that you can take informed protection measures, and even retroactively quarantine files that may have passed through unnoticed but are now identified as malicious, can help you stem the damage and remediate.
Franklin’s words of wisdom put us on the right path. But when it comes to the challenge of defending our networks today, “security – before, during and after the threat” are more suitable watchwords.
Leon Ward
Field Product Manager
Sourcefire
Leon works as a field product manager for Sourcefire. Prior to joining Sourcefire, Leon was involved in the design and development of open source (OSS) Intrusion Prevention Systems. Leon applies his strong background in UNIX security and protocol analysis to overcome the challenges of network security monitoring in the enterprise, specifically in the areas of network intrusion detection, threat mitigation, event analysis and vulnerability assessment. In the little spare time Leon finds, he is the lead contributor to the open source network traffic forensics project OpenFPC (Open Full Packet Capture).
About Sourcefire
Sourcefire, Inc. (Nasdaq:FIRE), a world leader in intelligent cybersecurity solutions, is transforming the way global large- to mid-size organisations and government agencies manage and minimise network security risks. With solutions from a next-generation network security platform to advanced malware protection, Sourcefire provides customers with Agile Security® that is as dynamic as the real world it protects and the attackers against which it defends. Trusted for more than 10 years, Sourcefire has been consistently recognised for its innovation and industry leadership with numerous patents, world-class research, and award-winning technology. Today, the name Sourcefire has grown synonymous with innovation, security intelligence and agile end-to-end security protection. For more information about Sourcefire, please visit www.sourcefire.com.
Sourcefire, the Sourcefire logo, Snort, the Snort and Pig logo, Agile Security and the Agile Security logo, ClamAV, FireAMP, FirePOWER, FireSIGHT and certain other trademarks and logos are trademarks or registered trademarks of Sourcefire, Inc. in the United States and other countries. Other company, product and service names may be trademarks or service marks of others.
