Gartner Blog Network


This Just In: Signature-based Protection Ineffective Against Targeted Attacks

by Neil MacDonald  |  January 31, 2013  |  1 Comment

 

Seriously, is anyone surprised?

I’m sure you’ve seen the news about Chinese infiltration at the New York Times:

http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html

According to the article:

Over the course of three months, attackers installed 45 pieces of custom malware. The Times — which uses antivirus products made by Symantec — found only one instance in which Symantec identified an attacker’s software as malicious and quarantined it, according to Mandiant.

Signature-based protection alone hasn’t been enough to protect endpoints for years – see this post titled “Is antivirus obsolete?”. That’s why Gartner dropped its antivirus magic quadrant in 2006.

Further, like other advanced attacks, application control (also referred to as whitelisting) solutions likely would have stopped this attack in its tracks – see this post from 2010.

Unfortunately, application control has a historical reputation of not being deployable or manageable for end-user systems. The reality is that application control can and will be successfully deployed for end user systems and provides excellent protection from these types of attacks.  I just published a research note for Gartner clients on this topic titled “How to Successfully Deploy Application Control” that provides specific guidance on adopting this approach.

Why aren’t you deploying this type of approach, at least for some segments of your user population?

Category: beyond-anti-virus  endpoint-protection-platform  

Tags: apts  best-practices  beyond-anti-virus  defense-in-depth  endpoint-protection-platform  lockdown  whitelisting  

Neil MacDonald
VP & Gartner Fellow
15 years at Gartner
25 years IT industry

Neil MacDonald is a vice president, distinguished analyst and Gartner Fellow in Gartner Research. Mr. MacDonald is a member of Gartner's information security and privacy research team, focusing on operating system and application-level security strategies. Specific research areas include Windows security…Read Full Bio


Thoughts on This Just In: Signature-based Protection Ineffective Against Targeted Attacks


  1. tearline says:

    I don’t like AVs, but in the end against APT your only defense is someone in the inside that can look for those subtle signs that something wrong is going on. All the equipment and IPS, IDS, HIPS wont do a thing since the attacker has all the time in the world to craft his tools to evade all those defenses or at least to fly very very low.
    I think everyone knows that AVs are not the solution for APT, AV vendors should just admit that and we can all move on..



Comments are closed

Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.