Neil MacDonald

A member of the Gartner Blog Network

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio

Coverage Areas:

This Just In: Signature-based Protection Ineffective Against Targeted Attacks

by Neil MacDonald  |  January 31, 2013  |  1 Comment


Seriously, is anyone surprised?

I’m sure you’ve seen the news about Chinese infiltration at the New York Times:

According to the article:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

Signature-based protection alone hasn’t been enough to protect endpoints for years – see this post titled “Is antivirus obsolete?”. That’s why Gartner dropped its antivirus magic quadrant in 2006.

Further, like other advanced attacks, application control (also referred to as whitelisting) solutions likely would have stopped this attack in its tracks – see this post from 2010.

Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems. The reality is that application control can and will be successfully deployed for end user systems and provides excellent protection from these types of attacks.  I just published a research note for Gartner clients on this topic titled “How to Successfully Deploy Application Control” that provides specific guidance on adopting this approach.

Why aren’t you deploying this type of approach, at least for some segments of your user population?

1 Comment »

Category: Beyond Anti-Virus Endpoint Protection Platform     Tags: , , , , , ,

1 response so far ↓

  • 1 tearline   February 1, 2013 at 2:28 pm

    I don’t like AVs, but in the end against APT your only defense is someone in the inside that can look for those subtle signs that something wrong is going on. All the equipment and IPS, IDS, HIPS wont do a thing since the attacker has all the time in the world to craft his tools to evade all those defenses or at least to fly very very low.
    I think everyone knows that AVs are not the solution for APT, AV vendors should just admit that and we can all move on..