Sage Advice - Cybersecurity Blog

What You Don’t Know: Cyber Defense Against Unknown Threats

Even with all the traditional cybersecurity defenses, breaches still occur. “So, why haven’t these traditional security products adequately protected you?” asked Jack Walsh, New Initiatives and Mobility Programs Manager at ICSA Labs, during his talk at the 2016 CyberCrime Symposium. According to Walsh, it’s due, in part, to the fact that while they do an okay job against known threats, they “don’t do a good job at all against unknown and new threats.”

It’s widely known that defending your network from breaches requires a defense-in-depth strategy, but in today’s cyber-threat environment there is still a real need for a way to detect these unknown threats. In response, many advanced threat defense (ATD) solutions have recently become available. In his session, Walsh discusses the work that ICSA Labs is doing to test these new solutions and how enterprises and organizations can benefit from the results. But first, a little background.

The Need for Cyber Defense Emerges

As businesses became more reliant on technology and storing digital data, cyber-criminals saw an opportunity and the number of cyber-attacks began to rise. Public awareness of the potential for breaches began to increase in the early 2000s with reports of large breaches at well-known companies like AOL, TJ Maxx, and Heartland. As the frequency of breaches increased and awareness grew, so did the knowledge that organizations needed a way to protect themselves. And so began the rise in available security products – technologies like antivirus (AV), firewalls, and intrusion protection systems (IPS), to name a few.

With the number of products available, ICSA Labs, an independent division of Verizon, saw a need to provide organizations with credible, independent, third-party product assurance.  So, for 25 years they have been providing third-party testing and certification of security and health IT products, as well as network-connected devices, to measure product compliance, reliability, and performance.  “All of the work we do is really for enterprises and organizations like you,” Walsh tells attendees. 

According to Walsh, ongoing certification testing, like that done at ICSA Labs, is valuable because, “Buyers need an objective way to confirm that security products introduced into their organization will function as advertised, interoperate, and conform to privacy and security requirements. And vendors need a cost-effective way to credibly demonstrate that their products will satisfy buyers’ needs.”

Expanding Threats Prompt New Solutions

Even with the explosion of traditional security products and a marked increase in security spending by organizations, as visualized here and referenced by Walsh during his presentation, things didn’t really improve.  “They actually got a lot worse.”  Today, as shown in this chart of the World’s Biggest Data Breaches, not only are there more breaches, there are more records being stolen.

While there are many contributing factors, Walsh believes that one of the main reasons is that we don’t have a great method for detecting new and unknown threats.  Others agreed, and new ATD products began entering the marketplace.  This led ICSA to expand their testing capabilities.  “From the beginning our testing focused on known malicious malware-type threats,” said Walsh, “but in 2015 we launched a new program to test ATD products aimed at protecting organizations from unknown threats.”

Unknown threats aren’t necessarily advanced, but that doesn’t mean that they are easy to detect.  “I believe the defense provided by these vendor products – the way they’re detecting threats – is what’s advanced,” said Walsh.  “They’re doing it a different way than traditional products have done it.”

A Method for Testing ATD Solutions

There are a myriad of ways that ATD products detect unknown threats, and as such ICSA Labs’ testing program looks at all the different types of vendor solutions, whether it’s an endpoint solution, a perimeter solution, a sandbox, or one that utilizes multiple methodologies.

The basis for their testing, according to Walsh, is focused on what people are really worried about, namely breaches. That’s why “we wanted to use threat vectors that are leading to breaches in our testing.” During the test, ICSA Labs delivers new and little-known malicious threats, mostly collected from the spam they receive, to the security vendor solutions that are part of the program. They use many of the top threat vectors that have led to enterprise cybersecurity incidents and breaches as reported in the latest Verizon Data Breach Investigations Report (DBIR), including direct installs, email attachments, web downloads, web drive-bys, and email links.

As part of the program, products are tested quarterly. “For us, certification testing is an ongoing thing,” said Walsh. This benefits organizations because, “you’re looking for a product that protects against yesterday’s threats, yes, but today’s threats and hopefully tomorrow’s as well.” Products are subjected to continuous testing over a three- to five-week period, every quarter. They are tested on how well they detect unknown and little-known threats while producing minimal false positives. If a product passes the certification test, a report is published and posted. All reports from ICSA Labs are available to the public for free on their website.

At the time of the Symposium, only five ATD products had been certified. Walsh is hoping to see all vendors in this space participate, and hopes that potential buyers, like those attending the Symposium, can help in that effort. “We offer this testing to benefit your organizations,” Walsh said. “Without you asking for ICSA Labs certified products, the testing just disappears.”

In closing, Walsh warns attendees that ATD solutions aren’t a stand-alone cybersecurity solution. They won’t solve all your problems. But ATDs can be incorporated into your existing defense-in-depth strategy to help improve your organization’s ability to detect unknown threats.

This is the ninth in our series presenting key takeaways and actionable insight from select presentations given at Sage Data Security’s 2016 CyberCrime Symposium, held November 3-4, 2016. If you couldn’t get a seat at the event or just want a refresher, check out our series featuring actionable insight from select presentations. 
