by Nathan Gilks | Blog

Threat detection is hard. Anyone doubting that should spare a thought for Webroot and their users. In late April the anti-virus vendor’s update caused chaos. The update started moving core Windows files into quarantine, rendering workstations inoperable and classifying Facebook as a phishing site. The update was withdrawn after 15 minutes but not before many users – both individuals and corporates – had seen their workstations disabled.

This unfortunate incident highlights just how difficult it is to secure critical data and assets by attempting to detect threats. Looking for known patterns that indicate the presence of malware, or applying Bayesian and heuristic techniques, all run the risk of either missing a new exploit or triggering a false positive.

Attackers of course know that threat detection is hard and have capitalised on the advantage they possess to continually re-invent the exploits they use to avoid detection. Indeed, if the last 25 years of cyber security have taught us anything, it is that for the most sophisticated and insidious of cyber crimes, threat detection doesn’t work. Here at Deep Secure we believe there is a better way.

Working with organisations whose systems and data must not be compromised and cannot be allowed to fail, we have developed an approach based on threat removal rather than detection. The Deep Secure Content Threat Removal platform works by using a process of transformation to prevent any exploit contained in seemingly valid business communication from entering an organisation. The platform enforces a protocol break at the boundary and extracts the business information, before creating wholly new content from scratch on the other side of the protocol break and sending it forward to its destination. Only business information passes end-to-end, and the zero-day exploit is automatically discarded.
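To make the "extract, then rebuild from scratch" idea concrete, here is an added example of the same pattern applied to a purchase order carried as XML. It is illustrative code written for this page, not Deep Secure's platform or any of its formats: the schema (orderId, customer, amountPence), the field rules and the sample document are all hypothetical. The untrusted document is only ever read to pull out a handful of validated business values; a brand-new document is then generated from those values, so comments, processing instructions, unknown elements and attributes never cross the boundary, without anything having to recognise them as hostile.

```python
"""
Added example (not Deep Secure's code): a toy "transform, don't detect"
pipeline for a hypothetical XML purchase order. The untrusted document is
parsed only to extract a small set of business fields into plain Python
values; a wholly new document is then built from those values alone.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass


# The only business information allowed through (hypothetical schema).
@dataclass(frozen=True)
class PurchaseOrder:
    order_id: str
    customer: str
    amount_pence: int


ORDER_ID_RE = re.compile(r"^PO-\d{4,8}$")          # e.g. PO-00042
CUSTOMER_RE = re.compile(r"^[A-Za-z0-9 .,&'-]{1,64}$")
MAX_AMOUNT_PENCE = 10**9


def extract(untrusted_xml: bytes) -> PurchaseOrder:
    """Pull the whitelisted fields out of the untrusted document and validate
    each one. Raises ValueError for anything that does not fit the schema."""
    root = ET.fromstring(untrusted_xml)
    if root.tag != "purchaseOrder":
        raise ValueError("unexpected root element")

    def text(tag: str) -> str:
        node = root.find(tag)
        if node is None or node.text is None:
            raise ValueError(f"missing <{tag}>")
        return node.text.strip()

    order_id = text("orderId")
    customer = text("customer")
    amount = text("amountPence")
    if not ORDER_ID_RE.fullmatch(order_id):
        raise ValueError("bad orderId")
    if not CUSTOMER_RE.fullmatch(customer):
        raise ValueError("bad customer")
    if not amount.isdigit() or int(amount) > MAX_AMOUNT_PENCE:
        raise ValueError("bad amountPence")
    return PurchaseOrder(order_id, customer, int(amount))


def rebuild(po: PurchaseOrder) -> bytes:
    """Create a completely new document from the validated values only.
    Nothing from the original byte stream is copied across."""
    root = ET.Element("purchaseOrder")
    ET.SubElement(root, "orderId").text = po.order_id
    ET.SubElement(root, "customer").text = po.customer
    ET.SubElement(root, "amountPence").text = str(po.amount_pence)
    return ET.tostring(root, encoding="utf-8", xml_declaration=True)


def transform(untrusted_xml: bytes) -> bytes:
    """The boundary step: extract on one side, rebuild on the other."""
    return rebuild(extract(untrusted_xml))


def is_accepted(untrusted_xml: bytes) -> bool:
    """True if the document can be transformed; anything off-schema is refused."""
    try:
        transform(untrusted_xml)
        return True
    except (ValueError, ET.ParseError):
        return False


# Constructed sample: a valid-looking order carrying baggage the schema
# does not describe (a processing instruction, a namespaced attribute,
# a comment and an opaque attachment element).
SAMPLE = b"""<?xml version="1.0"?>
<?oddity target="value"?>
<purchaseOrder xmlns:x="urn:example" x:trackingId="abc">
  <!-- a comment the receiver never needs -->
  <orderId>PO-00042</orderId>
  <customer>Acme Ltd</customer>
  <amountPence>125000</amountPence>
  <attachment encoding="base64">AAAA</attachment>
</purchaseOrder>"""

if __name__ == "__main__":
    print(transform(SAMPLE).decode())
```

The point of the design is that the output is a function of three validated values, not of the input bytes: the rebuilt document has no place for the attachment, the tracking attribute or the comment to go, so they are discarded without ever being classified as good or bad. Tightening the field rules is how you tighten the boundary; there is no signature list to keep current.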

The advanced threat protection platform supports a wide range of application-to-application and general business communication across the network boundary and has a number of benefits. It works against unknown attacks. It does not need to maintain a list of known attacks and attack techniques. It works without needing to interact with the vendor. There is no need for signature updates to be brought in regularly from the Internet. There is no need to report behaviour to a central control system for correlation. There’s no risk of a false-positive rendering workstations inoperable and critical data inaccessible. Using this approach you don’t need to “detect” the zero day exploit or “isolate” it to observe the behavioural characteristics. You just remove it.

No doubt Webroot’s users were supported by the vendor with advice and tools to help them recover from the problem, but as users of Trend (2008), McAfee (2010) and Panda (2015) can all attest, threat detection carries not only the risk that a zero-day exploit will compromise systems, but also the risk that false positives will have a highly detrimental impact on the business.

If your business has digital assets that you absolutely cannot afford to have compromised, you need to be certain you can remove the threat rather than making attempts at detection and hoping you don’t trigger costly false-positives. Contact Deep Secure today to find out more about how the Deep Secure Content Threat Removal platform does exactly that.
