Detecting the Invisible Part 3: "Retreat from the Breach"

Our approach to securing the enterprise has changed, and breach detection technology has been largely instrumental in this process. This report from NSS Labs is the final in a three-part series on the impact of the breach detection system (BDS).

As the breach detection market continues to mature, several points are worth noting:

- BDS features vary widely. An organization should define its actual needs before deploying a BDS in order to avoid wasting resources.
- The definition of “breach” includes both an “inbound” component (malware has circumvented traditional defenses) and an “outbound” component (data is exfiltrated).
- Since breach detection represents the last opportunity to discover (and thus prevent) data exfiltration, a low time to detection is critical in any BDS.
- Today’s breach detection systems need to produce high-quality alerts that are tailored to customers’ specific environments.
- Breach detection technology accomplishes much, but it does not resolve the ongoing issue of latency when scanning SSL traffic.
- Antivirus “megavendors” are extending their reach into breach detection technology as they realize the value of deployed sensors. While network out-of-band and in-line deployment modes are still necessary, host-based agents are becoming more prevalent as endpoint forensics becomes more important.

The BDS has become a 24/7/365 local malware research team for organizations. This “malware research team in a box” initially was not well received by anti-malware vendors because the use of a sandbox removed the need for dependence on traditional signature-based detection, heuristics, and reputation-based detection methods. However, since many antivirus vendors now have breach detection technologies of their own, they are less concerned about the new product category. Breach detection systems can be easily deployed (in out-of-band sniffing mode) and offer clear results in a reasonably short amount of time, which makes them ideal for proof-of-concept scenarios.

Today’s organizations understand the importance of “detecting the invisible” – and therein lies the intrinsic value of the BDS. However, breach detection technology must continue to evolve if it is to stay effective. It won’t be long before malware authors put as much (or more) effort into obfuscating outbound data payloads as they do into obfuscating inbound malware payloads. We are in a digital arms race, and outbound evasion techniques are likely to feature prominently in the future.

Jason Pappalexis is a Research Director at NSS Labs, Inc., the world's leading information security research and advisory company. Follow him on Twitter @jsnppp.

For more on the breach detection market, read the NSS Labs Market Intelligence Brief: Breach Detection Systems and NSS’ Product Intelligence Briefs, released in October 2014.

Follow us on Twitter (@NSSLabs) to keep informed as new research is released.