
Anti-Virus Isn’t Enough – An Introduction to Layered Defense

By Frank Urbanski | May 20, 2015 (updated May 14th, 2021) | Cybersecurity

This is the first in Alpine’s series on the modern security stack.  Over the next few weeks, we will delve more deeply into each of the technologies that form a proper layered defense strategy.

Do you have good security?  Of course!  We have the best anti-virus money can buy…

Those of us in the security services and architecture arena have seen this conversation time and time again.  And it makes us cringe every time.  Sure, there was a time when a solid anti-virus would prevent the lion’s share of problems that the young malware authors presented.  But that time has passed.

Anti-virus software has always been software that played catch-up to attacks by cyber criminals.  When you boil it down, AV is a list of signatures that detects known viruses, trojans, and other malicious pieces of code as they enter a machine, then reacts by deleting, cleaning, or quarantining the infected file.  The biggest downfall to this is that it can only detect known malicious code, so any nefarious software that has been modified or newly created could bypass AV detection with ease.  Especially in today’s ever-advancing Internet-based world, anti-virus software cannot be the first and last line of defense.

Some more advanced anti-virus vendors are moving towards a heuristic analysis of application behavior to detect malware.  These scanners look for patterns of known bad behavior and try to make assumptions as to the likelihood that a given application is malicious.  It’s definitely better than the database method described above, but still falls short of the modern attacker’s toolset, which can include polymorphic applications, reverse shells for interactive action, code obfuscation, and more.

Email and Web Browsing – The Ills of Connectivity

Email has long been used as a point of entry for an attacker.  In the past, spam messages would be sent with files embedded or links awkwardly attached in the hopes a few users would open them.  Today, advanced attackers and cyber criminals are much more creative, stealthy, and targeted in their tactics when preying on users.  Malware is being constantly updated to evade signature-based detections.  Victims are being chosen based on intelligence about their behavior, likes, and dislikes.  The malicious emails look more and more legitimate.

The web introduces similar pitfalls.  You may believe that a link you are clicking is clean, but you are really being redirected to an attacker’s infrastructure so they can push malware to your computer or slurp your credentials.  Sometimes otherwise legitimate websites are compromised to serve malware to unsuspecting users.  Drive-by malware, uneducated users, and loose content filtering rules in corporate environments are introducing a raft of entry points for the creative attacker, and even the best anti-virus is not going to stop it.

All interactions between computers can be risky when attached to the Internet.  Connectivity brings us many positives – but it is not without its downsides.  There is no single solution, anti-virus or otherwise, that can unequivocally, 100%, completely protect a connected computer or its data.  It takes more…

Security in Layers

It does seem terrifying that an attacker has all of these tools at their disposal.  It can make a business owner or security professional feel a bit outmatched.  However, there are definitive security controls that can be put into place to help mitigate these issues.

Security should be treated as an onion — in layers.  When protections are implemented this way an attacker has to bypass multiple disparate layers of security hardware and software in order to succeed in their nefarious plans.

Today’s forward-thinking security experts are using multiple advanced toolsets to build a layered defense.  The centerpiece of a protective stack that is ready for the next creative attack vector is Real Time Threat Intelligence and Management appliances.  These devices consume feeds of shared threat information gathered from ongoing and past attacks and research all over the globe.  The devices are updated constantly with the rules, tactics, and behaviors in play.  This threat intelligence information is applied against the real-time data traversing the network to protect it from that point forward.  But it doesn’t stop there.  Advanced threat management platforms will also apply the community-acquired threat intelligence indicators to historical metadata that describe activity on the network in the past.  With this security time machine, a company can know not just that it’s protected now, but that it was or was not compromised in the past.  Sensitive data can sleep soundly.

Other components that comprise the layers include:

  • Full Packet Capture — Keep a history of all data that has traversed your Internet pipe so that you can analyze even further back in time when you detect a possible incident.
  • Web Content Filtering — Keep your employees (or children) from going to websites that are known to be risky.  Keep the lists up to date by subscribing to public repositories of known bad actors.
  • Email Content Filtering — Apply behavioral and analytical scoring to a message to determine if it’s spam/malicious, or allowable.  Use this platform to search for protected content in incoming and outgoing mail.  Use the platform to encrypt your mail.  Take the opportunity to tighten an otherwise loose medium.
  • SSL Decryption — Don’t be blind to encrypted traffic.  Be your own Man In The Middle and make all of your users’ traffic visible to inspection.  Without this, the bad guys have an easy path to exfiltrate your data.
  • DNS Black Hole — If you know there are attackers down a given road, why not avoid that road?  Keep your people safe from more than just web traffic by preventing DNS from resolving.  It also helps to identify infected hosts!
  • Firewalls — Yes!  They still add a ton of value — but only if they’re configured…  Be as thoughtful and restrictive as possible.  Take a white-listing approach, rather than a black list.  Perhaps even consider a “Next Generation” Firewall, which gives you the ability to block/allow based on more than just ports and protocols – but also by applications being utilized.
  • IDS/IPS — Intrusion Detection is good.  Intrusion Prevention is better.  Yes, they’re usually signature-based.  But as another layer in our defensive armor, the value is still strong!
  • Security Policy — The human layer is the biggest threat to the enterprise.  There is no programmatic way to keep a person from making a bad decision.  All we can do is educate, coerce, and remediate when the eventualities hit us.
  • And more…
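The "security time machine" described above (replaying newly shared threat indicators against historical network metadata) and the DNS Black Hole point about identifying infected hosts both come down to the same check. The example below is added for this post and is not Alpine's product code; the log records, domain names and network ranges in it are constructed, and the flat "timestamp client query answer" record format is an assumption.

```python
# Added example (not Alpine's product code): replay a newly received indicator
# feed against DNS metadata that was already logged, so past compromise becomes
# visible, not just present exposure. All data below is constructed.
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed historical DNS metadata, one record per line:
# "<timestamp> <client> <queried name> <answer address>"
HISTORICAL_METADATA = """\
2015-05-11T08:02:11 10.0.5.23 update.example-cdn.test 203.0.113.10
2015-05-11T08:05:40 10.0.5.23 login.bad-actor.test 198.51.100.7
2015-05-12T13:17:02 10.0.7.44 mail.example.test 203.0.113.20
2015-05-13T21:44:59 10.0.7.44 cdn.bad-actor.test 198.51.100.7
2015-05-13T22:01:10 10.0.7.44 static.fresh-host.test 198.51.100.9
2015-05-14T02:00:03 10.0.9.12 intranet.example.test 10.0.1.5
"""

# Constructed indicator feed that arrived *after* the traffic above was logged.
INDICATORS = {
    "domains": {"login.bad-actor.test", "cdn.bad-actor.test"},
    "networks": {"198.51.100.0/24"},
}


def parse_metadata(text):
    """Yield (timestamp, client, query, answer) tuples from the flat log."""
    for line in text.splitlines():
        if line.strip():
            ts, client, query, answer = line.split()
            yield datetime.fromisoformat(ts), client, query, answer


def retro_match(metadata_text, indicators):
    """Map each client to its historical records that match a domain or network
    indicator; such a client reached infrastructure now known to be bad."""
    nets = [ip_network(n) for n in indicators["networks"]]
    hits = defaultdict(list)
    for ts, client, query, answer in parse_metadata(metadata_text):
        if query in indicators["domains"]:
            hits[client].append((ts, query, "listed domain"))
        elif any(ip_address(answer) in net for net in nets):
            hits[client].append((ts, query, "resolved into listed network"))
    return dict(hits)


if __name__ == "__main__":
    for host, events in sorted(retro_match(HISTORICAL_METADATA, INDICATORS).items()):
        print(host, *(f"{ts:%Y-%m-%d} {q} ({why})" for ts, q, why in events), sep="\n  ")
```

The second branch matters because a fresh domain that resolves into an already-listed network is caught even though the name itself is not on the feed yet.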

The old adage of “Defense in Depth” has never rung more true than today.  The attackers are getting more creative.  To stop the threats of today and tomorrow, we must step up – onion in hand.

Disclaimer: ‘Onion’ is being used as a metaphor for defense in depth and not as a reference to the Linux distribution Security Onion.


Author Frank Urbanski

Frank worked for 8+ years as a Software and Cyber Security Engineer within the defense industry. At Alpine Cyber Solutions Frank oversees the Security Services line of business. He has his passions set on Incident Response, Automation, and Threat Management.
