Malware Capability Assessments

Traditional security (firewalls, anti-virus, intrusion detection, etc.) is based on the concept of identifying and stopping the known bad. Intrusion detection (IDS/IPS) and anti-virus (AV) products primarily rely on detecting the known bad from a blacklist (signatures) of previously identified malware. So much new malware is created every day, and so much of it is never identified, that the known-bad list never matches the actual set of bad software, websites, and domains.


Most experts agree that signature-based security products are about 30% effective. The 2011 Verizon Data Breach Survey stated that approximately 1% of breaches were detected by AV or IDS. Amazingly, organizations spend around 97% of their IT security budget on these types of protective controls.


The data is conclusive that attempting to prevent attacks by stopping the known bad isn’t successful. The grey area between known bad and known good is too large. Because this grey area consists mostly of good executables and URLs, organizations tend to shy away from the more secure approach: allowing only the known good (whitelisting) does result in users being denied access to legitimate sites.
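The trade-off described above can be made concrete with a small simulation. The following Python is an added example, not code from the original page or from Critical Start: it builds a constructed corpus of four byte blobs standing in for executables (names, contents and the "which ones are actually bad" labels are all invented here), hashes them with SHA-256, and runs the same corpus through a blacklist policy (block known-bad hashes, allow everything else) and a whitelist policy (allow known-good hashes, deny everything else). The `evaluate` helper then reports, for each policy, the bad files it let through and the legitimate files it denied, which is exactly the grey-area problem the text describes.

```python
import hashlib

# Constructed sample corpus: file name -> contents. These are stand-ins for
# executables; the bytes and labels are invented for this example.
SAMPLES = {
    "known_malware.exe":  b"MZ\x90\x00 KNOWN-BAD sample",     # in vendor signatures
    "new_malware.exe":    b"MZ\x90\x00 UNSEEN-BAD sample",    # never identified by anyone
    "approved_tool.exe":  b"MZ\x90\x00 APPROVED sample",      # on the allowlist
    "legit_new_tool.exe": b"MZ\x90\x00 LEGIT-UNSEEN sample",  # legitimate, not yet approved
}

# Ground truth for the constructed corpus (the assessor's view, not the product's).
ACTUALLY_BAD = {"known_malware.exe", "new_malware.exe"}


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a file in both lists."""
    return hashlib.sha256(data).hexdigest()


# Blacklist: hashes of previously identified malware (the "known bad").
BLOCKLIST = {sha256_hex(SAMPLES["known_malware.exe"])}

# Whitelist: hashes of explicitly approved software (the "known good").
ALLOWLIST = {sha256_hex(SAMPLES["approved_tool.exe"])}


def blocklist_allows(data: bytes) -> bool:
    """Signature-style policy: run anything that is not a known-bad hash."""
    return sha256_hex(data) not in BLOCKLIST


def allowlist_allows(data: bytes) -> bool:
    """Whitelisting policy: run only hashes that were explicitly approved."""
    return sha256_hex(data) in ALLOWLIST


def evaluate(policy) -> dict:
    """Run every sample through a policy and report its two failure modes:
    bad files it allowed (missed_bad) and good files it denied (denied_good)."""
    missed_bad, denied_good = [], []
    for name, data in SAMPLES.items():
        allowed = policy(data)
        if allowed and name in ACTUALLY_BAD:
            missed_bad.append(name)
        if not allowed and name not in ACTUALLY_BAD:
            denied_good.append(name)
    return {"missed_bad": sorted(missed_bad), "denied_good": sorted(denied_good)}


if __name__ == "__main__":
    for label, policy in (("blacklist", blocklist_allows), ("whitelist", allowlist_allows)):
        print(label, evaluate(policy))
```

On this corpus the blacklist policy lets the never-before-seen malware run while denying nothing legitimate, and the whitelist policy stops every bad file but denies the legitimate tool that has not yet been approved. That second result is the operational cost the text refers to: a whitelist is only as usable as the process that keeps its known-good set current.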

A complete Critical Start Malware Capability Assessment includes the following services:
