A report from FireEye [FEYE] and its subsidiary Mandiant has found that 97 percent of organizations using legacy cybersecurity products are not receiving any protection from their investments.
Sandboxing, signature-based protections, application blacklists, legacy anti-virus software and stove-piped security solutions are among the most popular and least effective tools that organizations have used to combat increasing cyber threats, according to FireEye.
Over the past 15 years, organizations have continually adopted defense-in-depth strategies, layering on defensive products that they expect to work together but that do not, said the company’s Global Government Chief Technology Officer Tony Cole.
The report compares current security architecture to France’s Maginot Line in World War II: the defenses held against some attacks but failed to protect against Germany’s unforeseen deployment of motorized infantry in the Blitzkrieg. Similarly, advanced cyber threat actors have attacked through methods that have caught defenses off guard.
Basing its findings on actual security performance in real companies, FireEye concluded that most organizations need to redeploy their security architecture. Potential changes include non-signature-based detection, integrated solutions instead of stove-piped point products, effective after-actions following a breach and becoming part of an integrated community that shares threat intelligence.
Cost may prove a roadblock to such overhauls, particularly in the public sector, where IT budgets continue to flatten. Cole acknowledged that newer software is not cheap, but said the public sector has options to upgrade without overspending. Cole recommends targeting the greatest threat vectors first, web and email, while maintaining old security systems elsewhere.
“You can’t just say now I’m going to get rid of AV [anti-virus software],” he said. “It’s kind of a mix across the board. You have to keep some technology while spending on the new.”
When the budget becomes available, agencies can begin upgrading security elsewhere, including file-based software for data centers and securely allowing new operating systems into the environment.
Another way agencies can begin to get ahead of threats is through predictive intelligence, Cole said. In an ideal scenario, an agency would see an attack coming through one vector, a phishing email, for example, before the same threat reached another vector, such as a web-based attack.
While Cole would not discuss agencies by name, he said the adoption of new security tools has been “mixed.” The National Institute of Standards and Technology (NIST) upgraded its security controls with Special Publication 800-53 last year, but not all agencies have made progress on implementation.
“Some are moving very quickly…others are way, way behind the curve and are not even aware of the changes,” he said.
The need to adapt more rapidly stems from the adversary’s ability to analyze changes in security. Unlike with traditional weapons systems, the adversary, which has grown to include the militaries of other nation-states, has direct access to security technology through network probes and social media.
“This is the only thing we’ve ever had where we’ve had adversaries able to look at our infrastructure on a continuous basis,” Cole said.
FireEye Chief Executive Officer David DeWalt recognized the evolving landscape at the company’s 2014 Government Forum in mid-May.
“We’ve really seen the change happen. We really saw nation-state military operations change the entire game,” he said. “We have highly advanced APT [advanced persistent threat] kinds of scenarios that are much more difficult for any technology to track and much more persistent.”