Last week, Websense released its 2015 Threat Report. This year’s report dives into how existing tools, not technical expertise, are increasingly being used to infiltrate and navigate networks. Rather than reinvent the wheel, or in this case the exploit, threat actors are simply modifying or adding onto the technological groundwork laid by those before them. Many of these tools still aren’t being identified by traditional network defenses, meaning an attack no longer needs to be advanced to be successful. With entry-level attackers now creating real risk for organizations and their executives, here are three things leaders need to know to limit their exposure.
The C-Suite Threat Report “Three”
- “It takes 11 years of security research experience to acquire the skills needed to defend against modern day attacks.”
Hiring and building a good Security Operations team to manage current threats takes time. A majority of organizations outsource this analysis due to limited resources. But outsourcing often leads to longer response times, and that time often determines whether data is protected or lost. Technical training for existing security staff, and regular training for other employees aimed at changing dangerous behaviors, will go a long way toward decreasing instances where time is of the essence.
- “Sensitivity to potentially illegal recruitment and hiring practices will be just one of the many challenges in acquiring suitably qualified staff, even at C-level positions.”
Hiring skilled staff seems a simple enough solution to fill organizational security gaps. But with limited supply comes increased demand. Approaching and acquiring talent could in itself be a significant risk for the companies seeking it. Most threat intelligence programs are custom designed, comprising unique threat strategies and concerns, meaning talent that fits one organization may not automatically meet the needs of another. When the skills to analyze malware also equate to the skills to build it, there’s also the unique challenge of correctly vetting candidates to ensure they don’t become the threat themselves. In addition, poaching skilled staff can leave both companies and individuals open to legal action if an employee’s former company determines a non-compete clause or other agreement has been violated. Taking the time to identify and invest in existing talent internally is often a more productive and economical means of managing the challenge presented by a limited pool of available expertise.
- “… most malware exhibited only six behavioral attributes, thereby minimizing their detection. In contrast, malware that appears to be uninterested in organizations with sandboxing defenses, typically combine 15 attributes in a ‘brute force’ approach once they penetrate other defenses.”
As CSOs are currently discovering, sandboxing is a component of network security, not a solution. Malicious files are more frequently exhibiting a unique combination of attributes not common across other file groups, making them unrecognizable in their new sequence and contexts. These covert forms of malware may not be ‘new’, but because their attack is frequently non-linear, defenses must be augmented to span the entire 7-Stage Kill Chain in order to detect and stop them. Relying on sandboxing alone leaves an organization vulnerable to exploitation.