Antivirus tools miss almost 70 percent of malware within the first hour
Threat protection company Damballa has released its latest State of Infections report for the fourth quarter of 2014, which highlights the limitations of a prevention-focused approach to security.
The report finds that within the first hour of submission, AV products missed nearly 70 percent of malware. Further, when rescanned to identify malware signatures, only 66 percent were identified after 24 hours, and after seven days the total was 72 percent. It took more than six months for AV products to create signatures for 100 percent of new malicious files.
This has an impact on containment and raises the risk that at any time there may be live infections on a network. The report also highlights the importance of automating manual processes and decreasing the noise from false positives to make the most of skilled security manpower, rather than trawling through uncorroborated alerts to find the true infections.
In order to reduce manual effort, Damballa advises that security teams need automatic detection of actual infections that reaches a statistical threshold of confidence that an infection is a true positive. They also need integration between detection and response systems, and policies that allow an automated response once that degree of confidence is reached.
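As an added illustration (not from the report, and not Damballa's own product code), the corroborate-then-respond idea above can be expressed as a small triage routine: alerts from independent detectors for the same host are combined into one infection confidence, and the response policy is chosen by confidence tier. The detector names, per-detector precisions, thresholds and sample alerts are all constructed values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    host: str
    source: str  # which detector raised the alert

# Constructed historical precision per detector: the fraction of its past alerts
# that turned out to be real infections (assumed values, not measured data).
DETECTOR_PRECISION = {
    "av": 0.40,           # AV alone is a weak, noisy signal
    "dns_c2": 0.85,       # resolution of a known C2 domain
    "proxy_beacon": 0.70, # periodic beaconing seen at the web proxy
    "edr_process": 0.60,  # suspicious process behaviour from EDR
}

# Response tiers, highest threshold first: act automatically only when corroborated.
RESPONSE_POLICY = [(0.95, "isolate_host"), (0.75, "open_ticket"), (0.0, "log_only")]

def infection_confidence(alerts):
    """Noisy-OR combination: P(infected) = 1 - prod(1 - precision_i) over distinct
    sources. Assumes detectors err independently. A single source firing repeatedly
    is counted once, so one chatty detector cannot inflate confidence by itself."""
    seen = set()
    p_clean = 1.0
    for alert in alerts:
        if alert.source in seen:
            continue
        seen.add(alert.source)
        p_clean *= 1.0 - DETECTOR_PRECISION[alert.source]
    return 1.0 - p_clean

def decide_response(confidence):
    """Map a confidence score to the first policy tier whose threshold it meets."""
    for threshold, action in RESPONSE_POLICY:
        if confidence >= threshold:
            return action

def triage(alerts):
    """Group alerts by host and return {host: (confidence, action)}."""
    by_host = {}
    for alert in alerts:
        by_host.setdefault(alert.host, []).append(alert)
    result = {}
    for host, host_alerts in by_host.items():
        confidence = infection_confidence(host_alerts)
        result[host] = (confidence, decide_response(confidence))
    return result

# Constructed sample alerts: ws-01 has only repeated AV hits, ws-02 has AV plus a
# C2 DNS hit, ws-03 has three independent network and endpoint signals.
SAMPLE_ALERTS = [
    Alert("ws-01", "av"), Alert("ws-01", "av"), Alert("ws-01", "av"),
    Alert("ws-02", "av"), Alert("ws-02", "dns_c2"),
    Alert("ws-03", "dns_c2"), Alert("ws-03", "proxy_beacon"), Alert("ws-03", "edr_process"),
]
```

Run `triage(SAMPLE_ALERTS)` to see that three identical AV alerts stay at "log_only" while three corroborating sources reach the isolation tier.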
"What's clear from these figures is that we have to turn the table on infection 'dwell' time. In much the same way that a flu vaccine hinges on making 'best-guess' decisions about the most prevalent virus strains, AV is only effective for some of the people some of the time. Viruses morph and mutate and new ones can appear in the time it takes to address the most commonly found malware," says Brian Foster, CTO of Damballa. "Dependence on prevention tools simply isn't enough in this new age of advanced malware infections; attackers can morph malware code on a whim, yet organizations have a finite number of staff to deal with the barrage of noise generated from security alerts. We urge taking a fresh 'breach-readiness' approach, which reduces dependence on people and legacy prevention tools."
The full report is available to download from the Damballa website.