‘Close’ Doesn’t Count in Cyber Security - VMRay

Jun 01st 2017

Even though enterprises spend millions every year on information security, they remain vulnerable to persistent cybercriminals in a world where cybercrime like ransomware is pervasive. Organizations cannot afford to do the “bare minimum” when it comes to threat analysis. As the saying goes, “‘close’ only counts in horseshoes and hand grenades,” and not in cyber security. One breach can end up costing millions of dollars in lost business and remediation.

In many industries, information security is driven by compliance regulations and the inevitable security checklists. Checklists are without a doubt a good thing, as evidenced by the Checklist Manifesto. However, the dark side of checklists is the false sense of security they can provide when they are viewed as all that is needed, rather than as a bare minimum requirement.

Too often customers can be driven by checklists and view compliance as a goal in and of itself, rather than as a starting point towards security maturity. Relying on security solutions that simply check the boxes could result in companies having to put out fires more often than preventing them. As an example, every organization that has been in the news for the last several years for major credit card breaches was PCI-compliant.

Threat analysis is too often seen as one of those checklist items. A vendor will include a sandbox solution for threat analysis as part of their security suite and many times this will meet the minimum requirements as specified by the customer.

What could go wrong? Let’s count the ways:

  1. Dynamic threat analysis, like math, is hard. Evading detection by malware, effectively scoring malicious activity, scaling, and multi-vendor interoperability all require active R&D by the vendor. When the sandbox portion of a security suite generates $1 or less per $100 of revenue for the vendor, chances are that attention to detail may get put aside.
  2. Malware authors love soft targets they can evade. Kevin Mandia, the CEO of FireEye, was refreshingly honest in describing how the WannaCry ransomware was able to evade analysis in FireEye products through a relatively trivial trick.
  3. Spending up front is a hard cost, and with customers overwhelmed by vendor FUD, it can seem like a safer choice to defer the certain expense of upfront investment and accept the risk of a future, as yet unquantifiable, costly breach.
  4. When vendors are being all things to all people, compromises are inevitable. The focus may not always be on fast, accurate analysis and detection.

At VMRay, we do one thing and one thing only. Our mission is to provide the fastest, most accurate threat analysis and detection on the market.
