Almost 40 percent of IT decision-makers surveyed for a Vanson Bourne study commissioned by McAfee report that they don't believe they can detect and track Advanced Evasion Techniques (AETs).
The report, "The Security Industry's Dirty Little Secret," which surveyed 800 CIOs and security managers from the United States, United Kingdom, Germany, France, Australia, Brazil, and South Africa, found that two-thirds of respondents believe the biggest challenge to implementing technology to combat AETs is convincing their boards that the threats are serious.
But serious and costly they are, with 22 percent of the professionals surveyed admitting to network breaches (costing an average of $1 million) and 40 percent of those believing that AETs played an important role in the attacks.
As the name implies, AETs evade detection as cyber criminals spend weeks, even months, patiently searching for and exploiting vulnerabilities in corporate networks.
“AETs are the delivery methods hackers use to bypass businesses' security defenses to get a piece of malware into a company's network,” says Jennifer Geisler, senior director, network security, at McAfee.
AETs also fly below the radar of most firewalls — McAfee notes that less than one percent of the estimated 800 million known AETs (representing a significant rise since 2010) are detected by firewalls.
“Most security system vendors understand them but are unable to detect them” because they don't “perform normalized data stream inspection, which is the primary way to identify AETs,” Geisler said. “Additionally there's industry confusion around AETs vs. APTs [Advanced Persistent Threats] by CIOs, CISOs and security professionals, which is a recipe for trouble.”
In addition, the industry has been hyper-focused on the “sexier” malware. “We agree that it's important to detect new threats,” Geisler said. “But it's also important for businesses to know how hackers are getting into their networks.”
To protect against AETs, Geisler urges security professionals “to first talk about the threat across all levels of your organization, understand the scope of the problem and look at your defenses.”
[An earlier version of this story incorrectly cited the McAfee-commissioned report as the Van Bourne study and misspelled Geisler in two instances.]