Cylance advert, published on The Register

What happens when your cloud-based security service goes down?

Don’t let outages catch you out

For years anti-malware vendors have used cloud resources to help protect their customers. As the volume of malware has grown exponentially, endpoints have become dependent on online resources to constantly update and protect them from emerging threats.

That’s all very well, as long as it works. Unfortunately, cloud-based services and the connectivity to reach them are not guaranteed. What happens when connections are disrupted and endpoints are left floundering in a rising tide of malware?


Anti-malware providers can use the cloud in two obvious ways. The first is to update anti-malware products installed on local machines. Traditional anti-malware tools are next to useless without the regular signature updates that their vendors produce for them. With about 390,000 new malware strains released each day, anti-malware programs would quickly become obsolete without regular updates.

Some security-as-a-service providers simply cut the endpoint out of the equation altogether, instead opting to run the entire anti-malware scanning process in the cloud. This has the advantage of freeing endpoints from the compute-intensive scanning process and eliminating the need for a cumbersome, locally stored database of malware signatures.

The cloud-based approach means that anti-malware users get access to the latest signature updates, either delivered via the internet to the endpoint or simply held in the cloud. They may not be protected from new malware which the vendor has not yet analysed and catalogued, but they will be as up to date as possible when using a conventional anti-malware architecture.

Cloud-based scanning has another advantage: incoming files are usually scanned before they reach your endpoints or servers, providing an extra layer of protection.

Despite these benefits, anti-malware solutions that rely solely on the cloud have a significant downside: the potential for outages.

Lost connections

Cloud-hosted anti-malware scanning is just as likely to suffer from outages as any other cloud-based service. A variety of these have gone down over the years, ranging from Yahoo! email to Google cloud. Microsoft and Amazon too have suffered their fair share of embarrassing outages.

An outage on an anti-malware vendor’s online update services would leave users with internet access but no malware signature updates.

Service-level agreements aren’t enough when security is at risk. If a malware scanning or signature update service stops working but users are still surfing, they are susceptible to drive-by infections and file downloads that could compromise the whole network.

Service disruptions could also knock out internet access entirely for a company due to a networking problem or even undermine large parts of the internet infrastructure.

This can occur due to a broad outage, as happened with the Level 3 fibre-optic cable disruption in 2015, or a systematic attack, as happened with the assault on the internet’s DNS infrastructure in October 2016.

In such cases, employees won’t be able to surf the internet but they can still be vulnerable. Employees may have malicious files sitting on their hard drives or attached to emails in their inboxes that were downloaded before internet access failed.

“Sneakernet” is also still a common attack vector. People will continue to use removable storage devices to distribute files until endpoint manufacturers stop making devices with USB ports or Bluetooth access. Many malware strains, including the likes of Conficker, have devastated networks using compromised memory sticks and hard drives.

If users are not protected by the latest updates – or by any anti-malware scanning service at all – then a single click or memory stick could be enough to compromise their machines, and those of others on the network.

Protecting the endpoint

Here’s how you can minimise the risk to endpoints when cloud services or internet access go down:

Use system administration policies to lock down USB ports by default, eliminating the risks from rogue removable storage.

Educate users in basic security hygiene so they are less likely to click on suspicious files.

Configure operating systems not to use administrative accounts by default, making it harder for malware to escalate privileges on the endpoint.

Patch operating system and application software to minimise the risk of compromise.

Measures such as these should be considered best practice anyway, regardless of whether a machine is connected to online protection or not. On the volatile cybersecurity battlefield, the more layers of protection you have the better.

What is needed is an approach that can protect endpoints even when they are not connected to the cloud. Keeping the protective software on the endpoint makes scanning possible when internet access is unavailable.

The challenge lies in making this software lightweight and able to protect against threats even if they are not explicitly catalogued in signature files. In short, we need a locally installed anti-malware solution that doesn’t rely on signature updates.

Machine learning technology is emerging as a solution that can protect the endpoint independently of cloud connectivity. Machine learning does its heavy lifting separately from the endpoint, back at vendor HQ, crunching millions of files to produce lightweight statistical models that are then used to analyse incoming files in new ways.

That statistical model is constantly revised at the vendor, but it doesn’t need to be constantly updated on the endpoint, because the model already supports the scanning of files that aren’t yet known.

Unlike signature-based solutions, machine learning algorithms don’t scan files by matching them to a database of malicious file signatures. Instead, the method analyses files based on millions of known characteristics. The key advantage is that machine learning can identify and isolate suspicious files even if they have never been seen before.
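The following is an added, self-contained illustration of the idea in the paragraphs above, not code from Cylance or from this article. It separates the two steps the text describes: a training step that crunches a corpus of labelled files into a small weight vector (the "heavy lifting" done at the vendor), and an endpoint step that scores any file, including one never seen before, from a handful of signature-free byte statistics. The features (entropy, share of high bytes, share of printable bytes), the logistic-regression model, the training corpus and the threshold are all constructed assumptions chosen to keep the example runnable offline; a real product would use far richer features and a much larger model.

```python
import math
import random
from collections import Counter


def byte_entropy(data):
    """Shannon entropy of a byte string, in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_features(data):
    """Signature-free characteristics of a file, each scaled into 0..1.

    Element 0 is a constant bias term; the rest are assumed, illustrative
    features: normalised entropy, fraction of bytes >= 0x80 and fraction of
    printable ASCII (tab, LF and CR counted as printable).
    """
    n = max(len(data), 1)
    high = sum(1 for b in data if b >= 0x80) / n
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (9, 10, 13)) / n
    return [1.0, byte_entropy(data) / 8.0, high, printable]


def predict_proba(weights, features):
    """Logistic score in 0..1: probability that the file is suspicious."""
    z = sum(w * x for w, x in zip(weights, features))
    z = max(min(z, 30.0), -30.0)  # clamp to keep exp() well-behaved
    return 1.0 / (1.0 + math.exp(-z))


def train_logistic(samples, epochs=3000, lr=1.0):
    """Batch gradient descent on logistic loss.

    This is the vendor-side step: it runs over the whole corpus and emits only
    a tiny weight vector, which is all the endpoint ever needs to ship.
    """
    weights = [0.0] * len(samples[0][0])
    for _ in range(epochs):
        grad = [0.0] * len(weights)
        for features, label in samples:
            err = predict_proba(weights, features) - label
            for i, x in enumerate(features):
                grad[i] += err * x
        for i in range(len(weights)):
            weights[i] -= lr * grad[i] / len(samples)
    return weights


def random_blob(seed, size):
    """Deterministic pseudo-random bytes standing in for a packed/encrypted payload."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


def build_training_set(seed=1):
    """Constructed corpus: text-like 'benign' files and high-entropy 'packed' ones."""
    rng = random.Random(seed)
    words = [b"config ", b"value=", b"hello world ", b"<xml> ", b"return 0;\n"]
    samples = []
    for i in range(20):
        benign = b"".join(rng.choice(words) for _ in range(200))
        samples.append((extract_features(benign), 0.0))
        packed = random_blob(seed * 1000 + i, 2048)
        samples.append((extract_features(packed), 1.0))
    return samples


# The shipped artefact: four floats, produced once, usable with no connectivity.
MODEL = train_logistic(build_training_set())


def classify(data, threshold=0.5):
    """Endpoint-side scoring; works identically whether or not the cloud is reachable."""
    p = predict_proba(MODEL, extract_features(data))
    return ("suspicious" if p >= threshold else "benign"), p


if __name__ == "__main__":
    unseen = random_blob(424242, 4096)  # never part of the training corpus
    print("weights:", [round(w, 3) for w in MODEL])
    print("unseen packed blob:", classify(unseen))
    print("plain text file:", classify(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n" * 40))
```

The point worth noticing is in the last two calls: the unseen blob is flagged although nothing like its bytes appears in any signature database, and the decision needs nothing beyond the four weights already on the machine. The flip side, which the article glosses over, is that such a model only generalises over the characteristics it was trained on, so a file that looks like nothing in the corpus (an all-zero file, say) gets a score that is not meaningful, and a threshold has to be tuned against an acceptable false-positive rate.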

This approach also provides self-sufficient protection on the endpoint with a small file set that won’t choke off storage or swallow up computing power. Typically, it uses less than one per cent of CPU capacity to analyse files in real time.

The cloud is the utility of modern computing. Much like water or electricity, it supports everything we do – but like those resources it can sometimes be shut off. If that happens, it’s important to stay protected.

Thanks to new algorithmic approaches that rely on mathematics rather than brute-force signature scanning, that’s a real possibility.
