It’s at times like these that defense in depth really shines!
To detect targeted threats, companies must first be more aware of what is going on in their networks, Percoco says. By watching for events — and not just suspicious activity — a company can detect the existence of an infection. Known as indicators of compromise, or IOCs, these events can tip a company off that something unwanted is inside the firewall.
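To make the IOC idea above concrete, here is an added example (not code from the article or from the vendors it quotes) that sweeps a few constructed log lines against a small, hypothetical IOC set. The log format (flat key=value), the IOC values and the hostnames are all placeholders; the point is the matching logic: case-normalise domains and hashes, treat a subdomain of a bad domain as a hit, and report which line tripped which indicator.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed IOC set for this example. The domain, IP and hash are placeholders,
# not real threat intelligence.
IOCS: Dict[str, Set[str]] = {
    "domain": {"cnc.badhost.example"},
    "ip": {"203.0.113.45"},
    "sha256": {"5d41402abc4b2a76b9719d911017c59273e1f1d0b8c2fa9d4e9f3a6b7c8d9e0f"},
}

# Constructed sample log lines in a flat key=value format (hypothetical; a real
# deployment parses whatever the resolver, firewall and EDR actually emit).
SAMPLE_LOGS: List[str] = [
    "ts=2024-03-01T10:00:01Z type=dns src=10.0.0.5 query=www.example.org.",
    "ts=2024-03-01T10:00:07Z type=dns src=10.0.0.5 query=beacon.CNC.badhost.example",
    "ts=2024-03-01T10:00:08Z type=conn src=10.0.0.5 dst=203.0.113.45 dport=443",
    "ts=2024-03-01T10:00:09Z type=conn src=10.0.0.6 dst=198.51.100.9 dport=443",
    "ts=2024-03-01T10:01:30Z type=proc host=wks-17 "
    "sha256=5D41402ABC4B2A76B9719D911017C59273E1F1D0B8C2FA9D4E9F3A6B7C8D9E0F "
    "path=C:\\Users\\a\\AppData\\Roaming\\svc.exe",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict (last value wins on duplicate keys)."""
    return dict(KV_RE.findall(line))


def normalize_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so 'CNC.badhost.example.' still matches."""
    return name.rstrip(".").lower()


def domain_matches(query: str, ioc_domains: Set[str]) -> bool:
    """True if the query is an IOC domain or any subdomain of one."""
    q = normalize_domain(query)
    return any(q == d or q.endswith("." + d) for d in ioc_domains)


def match_iocs(lines: List[str], iocs: Dict[str, Set[str]]) -> List[Tuple[int, str, str]]:
    """Return (line_index, ioc_type, matched_value) for every line that hits an IOC."""
    hits: List[Tuple[int, str, str]] = []
    for i, line in enumerate(lines):
        f = parse_line(line)
        kind = f.get("type")
        if kind == "dns" and "query" in f and domain_matches(f["query"], iocs["domain"]):
            hits.append((i, "domain", normalize_domain(f["query"])))
        elif kind == "conn" and f.get("dst") in iocs["ip"]:
            hits.append((i, "ip", f["dst"]))
        elif kind == "proc" and f.get("sha256", "").lower() in iocs["sha256"]:
            hits.append((i, "sha256", f["sha256"].lower()))
    return hits


if __name__ == "__main__":
    for idx, ioc_type, value in match_iocs(SAMPLE_LOGS, IOCS):
        print(f"line {idx}: {ioc_type} IOC hit -> {value}")
```

Note that none of the three hits is "suspicious activity" on its own: a DNS lookup, an outbound 443 connection and a process start are ordinary events. They only become findings because the event stream is being recorded and compared against indicators, which is the point the article is making.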
Finally, companies can take the “deny all” approach to applications, just like the recommended practice for firewall rules. Known as whitelisting, the defensive technology allows only known good programs to run on systems. With millions of variants of malware being generated every year, focusing on the 10,000 to 25,000 programs running on a typical system makes more sense, Bit9’s Sverdlove says.
I expect whitelisting to become more popular, and hopefully, much easier. The main problem I’ve seen with whitelisting is that the basic set of apps is easy to enumerate and whitelist, but then as patches get rolled out — nearly every other week for Java and Firefox — the app must be re-whitelisted. It just doesn’t seem to scale well when you have lots of users roaming around with lots of applications, and lots of updates, and lots of broken, no-longer-whitelisted applications.
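To show the patch-churn problem from the two paragraphs above in working code, here is an added example that is not from the article, from Bit9, or from any real allowlisting product. It models a default-deny policy over a constructed inventory of binaries (hypothetical paths, contents and publisher names). A rule keyed on file hash stops matching the moment the vendor ships a new build, so the binary has to be re-whitelisted; a rule keyed on the signing publisher survives the update, at the cost of trusting everything that publisher signs. The `signer` field is assumed to come from a code signature the OS or agent has already verified; the example does not verify signatures itself.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Binary:
    """A file as the allowlisting agent sees it. `signer` stands in for the publisher
    name taken from an already-verified code signature (assumption: signature
    validation happened before this policy check)."""
    path: str
    content: bytes
    signer: Optional[str]

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass(frozen=True)
class Rule:
    kind: str    # "hash" or "publisher"
    value: str


def is_allowed(binary: Binary, rules: List[Rule]) -> bool:
    """Default deny: the binary runs only if some rule explicitly matches it."""
    for r in rules:
        if r.kind == "hash" and r.value == binary.sha256:
            return True
        if r.kind == "publisher" and binary.signer is not None and r.value == binary.signer:
            return True
    return False


def rewhitelist(rules: List[Rule], old: Binary, new: Binary) -> List[Rule]:
    """Swap the hash rule for a patched binary; this is the per-update churn."""
    return [Rule("hash", new.sha256) if r == Rule("hash", old.sha256) else r for r in rules]


# Constructed inventory (hypothetical paths, contents and publisher names).
JAVA_V1 = Binary(r"C:\Program Files\Java\bin\java.exe", b"java runtime build 51", "Example Software Inc.")
JAVA_V2 = Binary(r"C:\Program Files\Java\bin\java.exe", b"java runtime build 55", "Example Software Inc.")
DROPPER = Binary(r"C:\Users\a\AppData\Roaming\svc.exe", b"unsigned dropper", None)
IMPOSTOR = Binary(r"C:\Users\a\AppData\Roaming\java.exe", b"renamed malware", "Unknown Publisher")

# Two ways to express "java.exe may run".
HASH_POLICY = [Rule("hash", JAVA_V1.sha256)]
PUBLISHER_POLICY = [Rule("publisher", "Example Software Inc.")]


if __name__ == "__main__":
    for name, policy in (("hash", HASH_POLICY), ("publisher", PUBLISHER_POLICY)):
        for b in (JAVA_V1, JAVA_V2, DROPPER, IMPOSTOR):
            print(f"{name:9} policy  {b.path:45} allowed={is_allowed(b, policy)}")
    patched = rewhitelist(HASH_POLICY, JAVA_V1, JAVA_V2)
    print("hash policy after re-whitelisting the patch:", is_allowed(JAVA_V2, patched))
```

Run it and the hash policy denies the patched build until `rewhitelist` is applied, which is exactly the maintenance step that has to happen for every update. The publisher policy keeps the patched build running and still blocks the unsigned dropper and the renamed file from a different signer, but it cannot distinguish a vendor's vulnerable old build from its fixed one, so it is a trade of churn for breadth of trust rather than a free win.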