Antivirus software likes to make a point of popping up a small window in the system tray to show you when they have updated their detection definitions. So your software is up to date and ready to catch all the latest malware, right?
In a test described in its State of Infections Report Q4 2014, Damballa analyzed tens of thousands of sample files that enterprise organizations sent in for review. The files that its Failsafe scanning system detected as malicious were also scanned by the four most commonly deployed antivirus products, although Damballa declined to name names.
They found that within the first hour of identification of suspicious code, the antivirus products only caught 30% of the malware. After 24 hours, 66% of the files were identified as malicious, which means one-third of the files were still slipping through. After seven days, the identification rate rose to 72%. After one month, it identified 93% of the malicious files, and it wasn't until six months later before all malicious files were identified.
This kind of inaccuracy is compounded by the fact that there are so many attacks on companies on any given day. Damballa cited a 2015 Ponemon Institute report that showed the average enterprise receives 17,000 malware alerts weekly from their IT security products. Only 19% of the attacks are deemed to be reliable and just 4% are ever investigated, which suggests security teams don’t have the time or resources to do anything about it.
In a real-world environment, an antivirus product would scan a file just once, usually when it first arrives via email. If the average security team receives 17,000 weekly alerts, or 2,430 alerts every day, then AV products with a 30% accuracy rate on day one would miss 796 malicious files every day.
Damballa's conclusion is that while prevention-based defenses remain important, companies need to put greater emphasis on detection and response. "If you can reduce the time between the initial infection and its discovery and remediation, you reduce your risk of damage," it wrote.
Naturally, Damballa happens to sell one of those discovery solutions, but its recommendations were not entirely self-serving. It recommends automation to handle detection, since 86% of companies surveyed report being short-staffed with cybersecurity experts.
"If security teams can integrate high-fidelity detection with response mechanisms, like endpoint security tools and network access control systems, they can make headway. Instead of a judgment call, decisions are policy-driven," it said.