The Kill Shot - Ending the Threat
Here at Secure Vizion we spend a lot of time in retrospect. It is necessary to analyze how things came to be in any instance where support is needed. This is doubly true with regard to a data security compromise or breach. Whenever a customer is breached, we correlate and analyze the available data about the event and attempt to identify:
- What is the evil in our midst?
- What is the extent of the access?
- How do we kill it?
- How did this occur?
- How do we prevent this type of breach in the future?
The first three are obvious rapid response and triage to stop the threat. The last two require enormous effort in small business. They rarely have the luxury of the absolutely awesome Splunk or its ilk. This is the reason most small businesses do not investigate the source of malware breaches; most don't monitor for breach activity. It is time consuming and costly.
Secure Vizion felt this cost first hand. With our promise since opening our doors to always perform forensics and cleanup for free if something got through our defenses, 2015 was a very expensive year for us.
[Chart: Year of Creation for All Malware in Existence]
We had to stop relying on the traditional "what's it look like it's gonna do" antivirus + IPS + web filtering approach. It was either that or back down on a decade old promise to never charge for cleanup of malware should it get through our defenses. That's not an option.
The Kill Shot - aka The Kill Chain
We established application authority to stop the madness. This is the kill shot to which I refer. It is as simple as checking an IMMUTABLE identification (a fingerprint of the program file) for every program before it is allowed to run, to see if it has been approved for use at the customer site. This is done rapidly and in real time on every attempted execution.
Why is this a kill shot we consider future resilient?
Because every infection (NOTE: I did not say every breach) requires a payload, that is, an executable file. File types which execute on Windows are hard coded into the system. If a piece of code is hacked or tweaked, it no longer has the same fingerprint as the original verified version. Every single malware to date requires execution of a payload. If one only allows known good programs, identified by their fingerprints, to run, it is not possible today to infect a machine with malware without physical access to the hardware. Even your kids' incessant need to download silly games loaded with malware can't infect your computer.
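As an added illustration of the fingerprint check described above (example code written for this post, not Secure Vizion's product; it assumes SHA-256 as the fingerprint, and the sample program bytes and names are constructed), a default-deny allowlist that identifies each program by the digest of its bytes, so a renamed copy still passes while a tweaked copy or an unknown download is denied:

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for the bytes of two executable files (not real binaries).
# A real deployment would populate the allowlist from the site's approved inventory.
GOOD_APP = b"MZ\x90\x00constructed-approved-program-v1"
UNKNOWN_APP = b"MZ\x90\x00constructed-unknown-download"


def fingerprint(program: bytes) -> str:
    """The immutable identification: SHA-256 over the file's bytes.
    Any change to the bytes, however small, yields a different digest."""
    return hashlib.sha256(program).hexdigest()

def approve(allowlist: Dict[str, str], program: bytes, name: str) -> str:
    """Record a verified program (digest -> name) in the allowlist."""
    digest = fingerprint(program)
    allowlist[digest] = name
    return digest

def decide(allowlist: Dict[str, str], program: bytes, filename: str,
           audit: List[str]) -> Tuple[str, str]:
    """Default-deny check made on every attempted execution.
    Identity is the digest, not the filename, so renaming changes nothing;
    each decision is appended to `audit` so denials can be reviewed."""
    digest = fingerprint(program)
    name = allowlist.get(digest)
    if name is None:
        audit.append(f"DENY  {filename} sha256={digest}")
        return "deny", "fingerprint not in approved set"
    audit.append(f"ALLOW {filename} sha256={digest} ({name})")
    return "allow", name

def tamper(program: bytes) -> bytes:
    """Flip one bit to model a tweaked copy of an approved program."""
    return bytes([program[0] ^ 0x01]) + program[1:]

def demo() -> List[Tuple[str, str]]:
    """Run the four cases the text describes and return the decisions."""
    allowlist: Dict[str, str] = {}
    audit: List[str] = []
    approve(allowlist, GOOD_APP, "Approved App 1.0")
    cases = [("approved.exe", GOOD_APP),          # verified program: allowed
             ("renamed.scr", GOOD_APP),           # same bytes, new name: allowed
             ("approved.exe", tamper(GOOD_APP)),  # tweaked copy: denied
             ("game.exe", UNKNOWN_APP)]           # never approved: denied
    results = [decide(allowlist, data, fn, audit) for fn, data in cases]
    print("\n".join(audit))
    return results
```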
If your business lacks Application Authority, it is not possible to stop modern malware. Reach out to us if you want to learn how to establish application authority and end the threat.