Malware or non-malware attacks - which are the greatest threat?

Look at the attacker, not the tool, say security experts

When people who are not security experts think of IT risks, malware is often top-of-mind, perhaps because viruses are easy to picture - and of course everybody is familiar with AV software on their home computers. But malware is really just one tool in a determined attacker's toolkit.

During a Computing web seminar today, 'Security is a big data problem - it belongs in the cloud', the panellists discussed strength-in-depth approaches to IT security, including the viability of security operations centres (SOCs) for different types and sizes of company.

But first the malware question. In a survey of 150 IT professionals, 68 per cent said that malware is the greatest IT threat to their organisation, as opposed to 32 per cent opting for non-malware vectors.

Rick McElroy, security strategist at Carbon Black, said he was not surprised by this figure, but that it indicates a need for better education about the risks. The focus on malware is, in part, media-led, he suggested.

"Malware gets all the headlines," McElroy said. "It looks really bad when I got WannaCry on my laptop. But look at it this way - WannaCry wants to be found. If I'm an attacker and I have PowerShell running about an entire Windows environment you're not going to see me stealing credentials because I look just like a sysadmin."

The Sony attackers were in the system for four years before they were discovered, he pointed out.

McElroy continued: "A focus on malware will leave you only defending against malware. If you take a more holistic approach and focus on the attacker, well, malware is just one of the tools they use.

"So look at the entire kill chain and drive visibility up the chain. Make the attackers work harder at every stage. When you make them go through manual coding and do a lot of work, the chances are, if you're not defending against a nation state, they'll go off and find an easier target."

Nick Rosser, head of IT at investment management firm Saunderson House, is a keen advocate of the holistic approach. His company takes a risk-based attitude to security, using best-of-breed solutions to protect the organisation's assets according to their value.

While SOCs tend to be associated with large organisations, having a dedicated pool of expertise is certainly an approach that he is looking at.

"We're an SME so it's all about size-appropriate solutions," Rosser said.

"The benefits of SOC I absolutely see, having specialists who really understand, who are monitoring, who are taking that holistic approach and looking at all the possible potential threats, but it's how you deliver that in an SME environment. There's no point in us having a dedicated team internally because we could not find enough of the right calibre individuals."

As someone who has set up SOCs himself, McElroy agreed with this assessment. IT security requires a number of specialisations that are hard to find, or at least very expensive. Smaller companies should take the partnership route, he suggested.

"It's not a one size fits all, for different reasons - time, money, resources. I have helped build SOCs and I always sit down at the table and say 'look we can't do all this ourselves, we'll need to find partners. We're not going to treat them like a vendor because they'll be on my team'."

It's important to take a wider view of security and how it fits in with the business, he went on. IT people, and security folks in particular, "need to get their heads up" and engage with people rather than just with the technology, he said. A change in culture where security is led from the top and has a people-focus is more important than any technological fix.

The web seminar 'Security is a big data problem - it belongs in the cloud' will be available to view on demand shortly.