Is Malware Detection (and Intrusion Detection) a Thing of the Past?
I saw a really great article in Network World magazine (link here) suggesting that so much malware now arrives through social engineering or through valid (whitelisted) entry vectors that the author expects detection packages to be a thing of the past in the not too distant future.
Clearly social behavior is a key factor in most virus incursions and malware infections – "Click here to get your $2MM inheritance!" – you can see this today, along with legitimate content sites getting infected and dropping code onto unsuspecting users’ systems. These are really tough to protect against. They’re also getting better about removing themselves. I recently helped someone remove malware from their system that they both didn’t know was there (you couldn’t tell unless you knew what you were looking for) and didn’t have the means of removing.
To me, this points to protecting systems differently, along with educating users constantly. On the first point, protecting systems, it means a lot more than having virus protection installed (exactly as the original writer suggested). It means controlling systems more completely. This goes to the whole BYOD thing as well – managing the different types of devices that connect to your networks. Not an easy thing yet. The tools are pretty inconsistent across platforms, and in some cases the threats are much smarter than the tools.
Right now, your best defense is likely to be education. I’ve always felt that was a cop-out – but I really think at this point education is your first line of defense. Teach users how security works, teach them what happens when they’re working in a compromised environment. Teach them how to respond. I hate to say it, but they need to understand that "see something, say something" applies in a huge way.
How do you handle awareness and protection of your systems? What works? What doesn’t?