If you're only looking for malware, how will you spot an attack that doesn't use it?
Security company CrowdStrike established a local presence earlier this year, and "we've had a phenomenal start in Australia", APAC vice-president of strategy Mike Sentonas told iTWire.
The primary focus was initially on serving existing customers but there has been "an amazing amount of interest" from other companies and as a result CrowdStrike has approximately doubled its local sales and pre-sales teams.
Several of the company's new customers approached CrowdStrike after experiencing a breach, he said.
The trick, Sentonas suggested, is understanding what's happening on a network.
He described the "prevention vs detection" debate as "silly" because it is obvious that everyone wants to prevent as many breaches as possible.
The situation is somewhat like a cricket match where a bowler only needs to get past a batsman's defence once to take a wicket. So, Sentonas said, it is important to understand what happened when a breach occurred, what tools and techniques were used, and what was targeted. That information could be put to work to prevent a recurrence.
For example, CrowdStrike has detected many cases of data exfiltration and is working with its customers to determine what had been taken.
While most examples of state-based attacks on private companies have occurred overseas, there have been some "interesting" attacks over the last six months on Australian targets that would bypass most security architectures, he said.
Among the trends seen by CrowdStrike, insider attacks are "becoming more and more common", and serious attackers are minimising their use of malware because it draws attention to illicit activity. So when malware is used to gain a toehold, such an attacker will clean it to avoid leaving traces. Once that's done, the only way to detect the intrusion is to spot unusual behaviour.
But malware still works well, according to Sentonas, especially if it can avoid signature-based detection.
The problem for the local market is that many Australian organisations are using security systems designed only to defend against malware. Sentonas mentioned, but did not name, large organisations still using signature-driven anti-malware technology that is being repeatedly breached.
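The contrast Sentonas draws, between a signature-driven product that only fires on known malware and detection that looks for unusual behaviour once the malware has been cleaned up, can be shown in a few dozen lines. The following is an added example, not CrowdStrike's code or anything from the article: it runs a hash-match check and a per-user behavioural baseline over a constructed set of logon and transfer events. The hash value, user names, host names and timestamps are all made up for the illustration.

```python
"""Signature matching beside behaviour-based detection, run over constructed
endpoint events. Added illustration; not CrowdStrike's or the article's code."""
from collections import defaultdict
from datetime import datetime

# Constructed placeholder hash for a tool the intruder drops and later deletes.
# Not a real indicator of compromise.
KNOWN_BAD_HASHES = {"0000aaaa"}

# Constructed "normal week" used to learn what each user usually does.
BASELINE_EVENTS = [
    {"id": 1, "user": "jsmith", "host": "WS-041", "action": "logon",
     "ts": "2016-05-02T08:55:00", "bytes_out": 0, "sha256": None},
    {"id": 2, "user": "jsmith", "host": "WS-041", "action": "transfer",
     "ts": "2016-05-02T14:10:00", "bytes_out": 2_000_000, "sha256": None},
    {"id": 3, "user": "jsmith", "host": "WS-041", "action": "logon",
     "ts": "2016-05-03T09:30:00", "bytes_out": 0, "sha256": None},
    {"id": 4, "user": "jsmith", "host": "WS-041", "action": "logoff",
     "ts": "2016-05-03T17:05:00", "bytes_out": 0, "sha256": None},
    {"id": 5, "user": "ahong", "host": "FS-02", "action": "logon",
     "ts": "2016-05-02T07:50:00", "bytes_out": 0, "sha256": None},
]

# Constructed intrusion: one event with the dropped tool, then malware-free
# activity from the same account at 3 a.m. on a file server it never used.
NEW_EVENTS = [
    {"id": 10, "user": "jsmith", "host": "WS-041", "action": "logon",
     "ts": "2016-05-09T09:10:00", "bytes_out": 0, "sha256": "0000aaaa"},
    {"id": 11, "user": "jsmith", "host": "FS-02", "action": "logon",
     "ts": "2016-05-10T03:12:00", "bytes_out": 0, "sha256": None},
    {"id": 12, "user": "jsmith", "host": "FS-02", "action": "transfer",
     "ts": "2016-05-10T03:20:00", "bytes_out": 40_000_000, "sha256": None},
    {"id": 13, "user": "jsmith", "host": "WS-041", "action": "logon",
     "ts": "2016-05-10T09:00:00", "bytes_out": 0, "sha256": None},
]


def signature_hits(events, bad_hashes=KNOWN_BAD_HASHES):
    """Classic anti-malware logic: an event is bad only if its hash is known."""
    return [e["id"] for e in events if e.get("sha256") in bad_hashes]


def build_baseline(events):
    """Per-user profile: hosts used, hours active and the largest transfer seen."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_bytes": 0})
    for e in events:
        p = profile[e["user"]]
        p["hosts"].add(e["host"])
        p["hours"].add(datetime.fromisoformat(e["ts"]).hour)
        p["max_bytes"] = max(p["max_bytes"], e["bytes_out"])
    return profile


def behavioural_alerts(events, baseline, burst_factor=5):
    """Flag events that deviate from the user's own baseline; returns
    a list of (event id, list of reasons). No hashes are consulted."""
    alerts = []
    for e in events:
        p = baseline.get(e["user"])
        reasons = []
        if p is None:
            reasons.append("no baseline for user %s" % e["user"])
        else:
            if e["host"] not in p["hosts"]:
                reasons.append("first activity on host %s" % e["host"])
            hour = datetime.fromisoformat(e["ts"]).hour
            if hour not in p["hours"]:
                reasons.append("activity at unusual hour %02d:00" % hour)
            if e["bytes_out"] > burst_factor * max(p["max_bytes"], 1):
                reasons.append("outbound volume %d far above baseline %d"
                               % (e["bytes_out"], p["max_bytes"]))
        if reasons:
            alerts.append((e["id"], reasons))
    return alerts


if __name__ == "__main__":
    print("signature hits:", signature_hits(NEW_EVENTS))
    for event_id, why in behavioural_alerts(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print("behavioural alert on event %d: %s" % (event_id, "; ".join(why)))
```

Run as written, the signature check reports only event 10, the one where the tool was still on disk; events 11 and 12, the off-hours logon to a new host and the large transfer, carry no hash at all and are seen only by the baseline comparison. A real deployment would learn the baseline over far more than a week and would tune the burst factor per environment, but the shape of the argument is the same: once the intruder has removed the malware, behaviour is the only signal left.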
Now that CrowdStrike has the necessary detection mechanisms in place, it is moving into the protection arena by applying technologies such as machine learning, he said.