There is an endpoint protection gap against modern threats, the result of a recent survey by the Ponemon Institute and Barkly have shown.
The organisations polled 660 IT and security professionals to get insight on the state of endpoint security risk, and have found that:
> 64% of organizations experienced a successful endpoint attack in 2018 (a 20% increase from the previous 12-month period).
> 63 percent say that the frequency of attacks they’re facing has also increased over the past 12 months.
> The costs of a successful attack has also increased 42% year-over-year – attacks on SMBs cost an average of $7,120,000 ($763 per endpoint), which is nearly two times the cost per endpoint for larger organizations ($440).
> The biggest threat to organizations are zero-day and fileless attacks. Zero-day attacks accounted for 40 percent of the total attacks organizations faced, yet were responsible for 76 percent of successful compromises.
Successful zero-day attacks
In this survey, the zero-day attack category encompasses zero-day vulnerability exploitation and new/polymorphic malware variants.
“In developing the survey to solicit real-world experience with existing protections, it isn’t practical to look for some differentiation on the specific reason why an attack is viewed as zero-day, especially when much of the response methodology involves wiping the machine and moving on, as opposed to investing in a deep analysis. That level of distinction isn’t available or meaningful to most respondents,” Jack Danahy, Barkly CTO and co-founder, explained.
“The distinction, instead, is the knowable provenance of the attack. Using common information sources like VirusTotal, victims do things like check the hashes of successful attacks, identifying those that have been seen before. If the hash of a malicious executable isn’t previously known, or if the technique leaves behind no such artifact, then, from the victim’s perspective, it is new or unknown.”
Meeting the challenge
Another thing that the survey showed is that, on average, respondents estimated their current AV is effective at blocking only 43 percent of attacks.
“This is part of the value in the survey: Learning from the respondents that they have determined that a retrospective view of security (blocking only those malicious executables that have been seen before) isn’t nearly sufficient,” Danahy added.
“It also tells us that looking ahead, the comparatively high success rates of generally-defined zero-days (polymorphs, true zero-day exploits, and others) will likely incent the development of more polymorphing techniques, and more successful ‘zero-day’ attacks.”
Challenged with a protection gap against modern threats, organizations have struggled to find the right solution to close this gap. Some decide to add solutions on top of AV to catch the things that AV can’t catch, others have decided to replace AV altogether or to focus more on quickly detecting and responding to attacks instead of preventing them.
But it’s obvious that the ideal option has to proactively block zero-day and fileless attacks and has to be sophisticated enough to do so without adding unnecessary complexity to endpoint management.