
Critical Malware Protection To Ensure Compliance


By Marcus Chung
Executive Vice President and COO
Malwarebytes Corporation

When the Sarbanes-Oxley (SOX) legislation first took effect in 2002 in the United States, one of the primary objectives was to have the top management of public companies sign off on and verify financial reporting in order to hold corporate officers accountable for the accuracy of financial statements.

The goal was to further protect investors by improving the accuracy and reliability of corporate disclosures made pursuant to securities laws. However, the compliance trend that SOX began underlined that the need for better corporate governance and oversight is not limited to the United States: similar legislation has since been passed in several other countries, including Japan, Germany, France, Italy, Australia, India and others.

Consequently, the compliance and risk management demands on medium to large enterprises and government continue to increase as vast libraries of financial reports and proprietary and confidential information are digitized. This readily available digital data creates extremely attractive, high-value targets for professional hackers, who are increasingly backed by well-funded crime syndicates or even corporate and state-sponsored agencies. And the tool being used more and more to access that data illegally is malware.

However, it is important to realize that today’s malware has changed dramatically in both volume and level of sophistication. In fact, the independent testing organization AV-TEST GmbH reports that over 130,000 new malicious programs are reported every day, and 2012 figures show that, out of a total of more than 100,000,000 malware threats, almost 35,000,000 were completely new. That is a tremendous amount of malicious code being developed!

One of the reasons that the malware landscape has changed so quickly over the past five years is that malware development has now become a professional endeavor led by organized crime syndicates or state and government-sponsored organizations creating cyber-attacks. These entities bring substantial resources to malware production and distribution. And though businesses are not typically targeted by governments, they are often caught in the cross-fire. As a result, data breaches and targeted hacks are becoming an all too common occurrence for businesses today. The recent targeted attacks on Facebook, the New York Times and the Wall Street Journal are all eye-opening examples of the shift in, and volume of, threats facing well-known organizations that were once thought of as well protected.

Targeted attacks, such as Advanced Persistent Threats (APTs), are often the most serious threat facing compliance, security and risk management officers. These threats utilize a full “bag of tricks” which can include social engineering techniques, targeted spam or “spearphishing”, and typically polymorphic code that is carefully crafted to evade legacy detection technologies and can literally change from one download to the next.

So, in the face of this increasingly threatening landscape, what can be done to help mitigate and safeguard a company’s valuable digital and information assets? Most companies today are incorporating compliance initiatives into a broader overall Governance, Risk and Compliance (GRC) program that unifies business strategy with risk management and their related requirements.

Properly safeguarding that data, today and in the future, has clearly become a larger strategic initiative for defending against today’s escalating threats and achieving regulatory compliance. As a result, it has become imperative that today’s corporations and government organizations reduce traditional dependencies on single vendors and migrate towards a “Defense in Depth” strategy in which more than one vendor’s products are incorporated into their overall corporate security infrastructure. In the absence of such a layered approach, one single point of failure or vulnerability puts the entire security infrastructure and the company’s compliance at risk.

A typical IT department faces many challenges, including managing increasingly complex technology projects with limited time, decreasing resources and shrinking budgets. The fight against today’s dynamic malware landscape is much larger than any one security solution or technology, and solution interoperability and a layered defense model have become more of a necessity than a novelty.

Jon Oltsik, Senior Principal Analyst for the Enterprise Strategy Group, reinforced this point in a recent blog post:

“Malware creation and proliferation is increasing rapidly as cyber criminals and state-sponsored organizations create the next round of APTs, botnets, Trojans, and rootkits. What's more, we've entered the era of micro attacks designed to compromise a targeted organization, business unit, or individual.

Legacy security technologies are no match for this onslaught so enterprises are investing in new tools. For example, ESG Research found that 77% of enterprise organizations (i.e., more than 1,000 employees) are increasing their security investment as a direct result of APTs.”

In fact, many of Malwarebytes’ mid-sized enterprise customers, including banks and government entities, place a higher value on security solutions that are interoperable and do not require a “rip and replace” deployment. Malwarebytes Enterprise Edition was built to support this evolving and progressive deployment mindset from the beginning, supplementing existing antivirus solutions by providing centrally managed protection against zero-hour and zero-day polymorphic threats in addition to providing advanced remediation capabilities for infected computer systems.

With over 200 million global downloads, this strategy has clearly been effective. As a result of Malwarebytes Enterprise Edition’s ability to also prevent “Real-World” and “In the Wild” malware infections and web-based attacks, achieving compliance in today’s organizations with this layered security approach has helped to better protect sensitive corporate data from malicious software of all types. Not only does this help an organization to stay in compliance, but the product also ends up saving a significant amount of help desk time.

Most importantly, to protect this data for the long term, compliance managers need to stay vigilant, continue to educate themselves and protect the company with the necessary layers of data security!






Marcus Chung is the Executive Vice President and COO of Malwarebytes. As the COO of Malwarebytes, Marcus Chung is responsible for running the Sales, Marketing, Services and Operational facets of the business. Prior to Malwarebytes, Marcus managed the E-commerce and Online Marketing for GreenBorder, a virtualization security company acquired by Google.

Previously, he gained his first taste and passion for security technologies with Sygate, an endpoint security and policy compliance start-up that was acquired by Symantec. He earned a B.S. degree at the University of California, Los Angeles (UCLA).





