Why real-time security defenses are needed to fight malware

Protection is needed at each stage of the attack cycle, so that healthcare organizations can prevent damage to IT systems as quickly as possible.


No security solution is a silver bullet. When savvy organizations build out their security stacks, they make sure they have a variety of solutions that protect them at different stages along the malware attack cycle should any of their "upstream" defenses fail.

But how exactly are healthcare organizations doing that? What stages and solutions are they prioritizing, and how are their resulting security stacks holding up against modern malware attacks? To find out, IT and security pros at small- and medium-sized organizations were surveyed. Here are the results.

Four out of five organizations say they have protection that addresses each stage of the attack cycle.
  • Some 94 percent reported they had security designed to prevent malware delivery (ex: firewalls)
  • A total of 84 percent reported they had security designed to prevent malware execution (such as antivirus and next-generation antivirus)
  • Some 82 percent reported they had security designed to block malware in the process of executing in real time (ex: runtime malware defense)
  • About 86 percent reported they had security designed to mitigate and/or clean up damage from malware (ex: backups)

Despite this coverage, however, one in four organizations acknowledge they have suffered at least one attack that got past all their security solutions and caused damage in the past 12 months.

The chart accompanying this article reflects how far along attacks against these organizations were able to get before they were (or weren’t) blocked. Nearly half of organizations experienced a breakdown in preventing malware delivery.

Despite having protection in place designed to prevent the delivery of malware, 47 percent of the organizations surveyed reported that malware had affected one or more of their machines.

After malware was delivered, 79 percent of those organizations experienced a breakdown in protection that allowed it to execute. File scanning antivirus products are some of the most commonly deployed security solutions. Unfortunately, they’re also some of the most commonly circumvented. Nearly four out of five organizations that had malware on their machines failed to block it before it was executed.

After malware was delivered, 68 percent of those organizations failed to prevent it from doing damage. Once execution is initiated, there is still an opportunity to block malware before damage is done. The most effective way is to utilize runtime malware defense to identify and block malicious activity in real time. Two thirds of the organizations failed to consistently capitalize on that opportunity, however.

The survey also found that 56 percent of organizations that suffered damage reported it was irreversible. For these respondents, one or more of the attacks resulted in damage that their "post-damage" solutions (incident detection systems, backup and others) weren't able to help them recover from. Data was either lost or exposed, or they experienced some amount of downtime.

The weakest link identified was pre-execution protection. While survey responses indicated breakdowns in protection at each stage of the attack cycle, the most common collapse came during the pre-execution stage, when antivirus and next-generation antivirus solutions failed to prevent malware from executing. The problem isn’t with any particular type of pre-execution solution so much as it is with the general approach of scanning files to determine whether they are malware based solely on their appearance.
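To make the difference between the two stages concrete, here is an added illustration (not code from the article or from any vendor it refers to) of why a pre-execution file scan and a runtime behavioral defense catch different things. The pre-execution check only knows a file by its hash, so a repacked variant with a new hash passes; the runtime check scores what the process actually does and stops it as soon as the score crosses a threshold, before the remaining activity happens. The hash list, event names, rule thresholds and the event stream are all constructed for the demo.

```python
"""Added illustration: pre-execution hash scanning vs. runtime behavioral
scoring. All signatures, rules and events below are constructed."""
import hashlib
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed "known-bad" list for the pre-execution stage. Only a sample
# that has been seen before (and hashed) can be blocked here.
KNOWN_BAD_SHA256 = {hashlib.sha256(b"old-sample-v1").hexdigest()}


def pre_execution_scan(file_bytes: bytes) -> bool:
    """Pre-execution stage: block only if the file's hash is already known.
    Returns True when the file is blocked."""
    return hashlib.sha256(file_bytes).hexdigest() in KNOWN_BAD_SHA256


@dataclass
class RuntimeEvent:
    """One observed action of a running process (constructed schema)."""
    pid: int
    action: str  # "file_write", "proc_spawn" or "net_connect"


# Constructed behavioral rules: action -> (count threshold, score added once).
RULES = {
    "file_write": (20, 60),   # burst of writes from one process
    "proc_spawn": (3, 30),    # repeated child process creation
    "net_connect": (1, 20),   # any outbound connection
}
BLOCK_THRESHOLD = 70


@dataclass
class Verdict:
    blocked: bool
    at_event: Optional[int]      # 1-based index of the event that triggered the block
    score: int
    reasons: List[str] = field(default_factory=list)


def runtime_defense(events: List[RuntimeEvent]) -> Verdict:
    """Runtime stage: score behavior as it is observed and stop at the first
    event where the score reaches BLOCK_THRESHOLD. Each rule fires once."""
    counts = Counter()
    fired = set()
    score = 0
    for i, ev in enumerate(events, start=1):
        counts[ev.action] += 1
        threshold, weight = RULES.get(ev.action, (None, 0))
        if threshold is not None and ev.action not in fired and counts[ev.action] >= threshold:
            fired.add(ev.action)
            score += weight
        if score >= BLOCK_THRESHOLD:
            return Verdict(True, i, score, sorted(fired))
    return Verdict(False, None, score, sorted(fired))


# Constructed sample: a repacked variant (new bytes, unknown hash) whose
# behavior is one connection, three spawns, then 25 file writes.
NEW_VARIANT = b"old-sample-v1-repacked"
VARIANT_EVENTS = (
    [RuntimeEvent(4242, "net_connect")]
    + [RuntimeEvent(4242, "proc_spawn")] * 3
    + [RuntimeEvent(4242, "file_write")] * 25
)
# Constructed benign process: a handful of writes and nothing else.
BENIGN_EVENTS = [RuntimeEvent(1001, "file_write")] * 10


def demo():
    """Run both stages over the constructed samples and return the outcomes."""
    scan_blocked = pre_execution_scan(NEW_VARIANT)      # False: hash unknown
    verdict = runtime_defense(VARIANT_EVENTS)           # blocked at event 24
    prevented = len(VARIANT_EVENTS) - (verdict.at_event or len(VARIANT_EVENTS))
    benign = runtime_defense(BENIGN_EVENTS)             # not blocked
    return scan_blocked, verdict, prevented, benign


if __name__ == "__main__":
    scan_blocked, verdict, prevented, benign = demo()
    print("pre-execution scan blocked repacked variant:", scan_blocked)
    print("runtime defense verdict:", verdict)
    print("events prevented after block:", prevented)
    print("benign process verdict:", benign)
```

The point of the demo is the ordering: the variant passes the hash scan untouched, and the runtime stage still stops it at the 24th observed event with five writes left unexecuted. The benign process never accumulates enough score to be touched, which is the property that makes a runtime layer deployable without drowning the helpdesk in false blocks.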

Attackers continue to develop new techniques for disguising their malware or hiding it from pre-execution defenses, making this stage perhaps the most difficult one to address.

Knowing that they can't completely count on their current solutions to block malware before it executes, organizations are instead looking to put additional protection in place that can respond to and block malware just as it's attempting to do something malicious.

Hospitals and healthcare providers are particularly interested in stopping infections before they start, because attacks that breach their systems put sensitive patient data at risk and open them up to regulatory fines and penalties.

The biggest opportunity lies in runtime protection. Traditionally, investment in security has been concentrated at the two opposite ends of the attack cycle—either preventing malware from landing and executing, or detecting and cleaning up the resulting infections when it does. However, experienced security teams know that not every piece of malicious software can be caught in advance, and they know that cleaning up after an event is painful and often incomplete. As a result, runtime malware defense is the next area of hardening that both vendors and their customers are focusing on.
