Dual Detection Engines—Using Layered Security to Battle Cybercrime

by MalwarePhishingSpam

As vendors and service providers step up their efforts to block spam, detect malware, and prevent access to malicious websites for their customers, CYREN engineers and analysts have been asking themselves the question “can more than one embedded engine reduce the risk of cyberattacks?” While a good single engine can provide up to 98% threat detection, the fact of the matter is, no engine is ever going to provide 100% security. We began to wonder how close to 100% security you can get and what it would take to get there.

Many companies use only one embedded engine (either 3rd party or home-grown) that typically focuses on one area, such as anti-virus (AV), anti-spam (AS), or URL filtering. In talking to some of our customers, large and small, we found that the ones achieving close to 99.9% threat detection were using a dual-engine approach to security: layering two different AV engines or two different AS engines to detect malicious content. The success of this dual-engine approach rests on both the quality of the detection technology and the threat coverage of the engine provider; for example, while all AV engines use heuristics, different detection engines use different methods to filter malware, which means that a second engine often detects what the first engine doesn’t, and vice versa. Further, some engines analyze a few million pieces of content daily; others several billion. (CYREN analyzes 12 billion Internet transactions daily, from more than 550 million endpoints in 190 countries.)

With a dual-engine detection approach, improving overall threat detection becomes less a game of actual numbers (200,000 spam emails slipping through vs. 20,000, let’s say) and more an exercise in substantial risk reduction; increasing your overall threat detection rate by almost 2% can substantially cut your risk of malicious content slipping through the cracks.
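To make the risk-reduction argument above concrete, here is an added illustration (not CYREN code) of how OR-layering two engines changes the miss rate. It assumes that content is blocked when either engine flags it, and it uses a small constructed verdict set rather than real detection data; the `miss_overlap` parameter expresses how much the two engines' misses coincide, since the benefit depends on the second engine catching what the first one misses.

```python
# Added example (not CYREN code): quantifying the dual-engine argument.
# Two engines are layered with OR logic: content is blocked if EITHER flags it.

def combined_detection_rate(p1, p2, miss_overlap=None):
    """Detection rate of two OR-layered engines.

    p1, p2       -- each engine's stand-alone detection rate (0..1).
    miss_overlap -- fraction of engine 1's misses that engine 2 also misses.
                    None -> assume the engines miss independently,
                    i.e. overlap = 1 - p2.  1.0 -> engine 2 adds nothing.
    """
    if miss_overlap is None:
        miss_overlap = 1.0 - p2
    return 1.0 - (1.0 - p1) * miss_overlap


def layered_stats(samples):
    """Measure single vs. layered detection on labelled verdicts.

    samples: list of (is_malicious, engine_a_flag, engine_b_flag).
    Returns detection rates plus the layered false-positive rate.
    """
    bad = [s for s in samples if s[0]]
    good = [s for s in samples if not s[0]]
    rate = lambda hits, pool: hits / len(pool) if pool else 0.0
    return {
        "engine_a": rate(sum(a for _, a, _ in bad), bad),
        "engine_b": rate(sum(b for _, _, b in bad), bad),
        "layered": rate(sum(a or b for _, a, b in bad), bad),
        # OR-layering also unions the engines' false positives.
        "layered_fp": rate(sum(a or b for _, a, b in good), good),
    }


# Constructed verdict set: 10 malicious, 5 clean. Each engine catches 8 of 10,
# but they miss different samples, so the union catches all 10.
CONSTRUCTED = [
    (True, True, True), (True, True, True), (True, True, True),
    (True, True, True), (True, True, True), (True, True, True),
    (True, True, False), (True, True, False),   # only A catches
    (True, False, True), (True, False, True),   # only B catches
    (False, False, False), (False, False, False), (False, False, False),
    (False, True, False),   # A false positive
    (False, False, True),   # B false positive
]

if __name__ == "__main__":
    print("independent 98% + 98%:", combined_detection_rate(0.98, 0.98))
    print("half of A's misses shared:", combined_detection_rate(0.98, 0.98, 0.5))
    print(layered_stats(CONSTRUCTED))
```

Two independent 98% engines miss only 0.02 × 0.02 of threats (99.96% detection), but if half of engine A's misses are also missed by engine B the layered rate drops to 99%, which is why engines with different methods and threat coverage matter.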

When a cybercriminal does break through a detection solution, much is at stake. Recent news reports suggest that the Home Depot breach may cost over $50 million. At some stage, its threat detection solution—either its own, its service provider's, or a 3rd party's—failed spectacularly. And more than just the chief technology officer’s job is at risk. Corporate management will put the security supplier under intense scrutiny, ask questions, and potentially terminate the relationship with that supplier. Ultimately, depending on the size and impact of an attack, entire corporations could fail, all because one person or a small group of people didn’t do everything possible to maximize overall threat protection.


If you are using only one embedded engine, then you’re fighting an entire war with just one soldier. In contrast, by layering your security with a dual-engine approach, you reduce your risk of threats substantially. Layered security is about the army. It’s based on the concept that two embedded solutions can operate together as a single unit to provide redundant, incremental, and compounding protection benefits that reduce risk and prevent your customers from suffering cybercrime casualties.

A dual-engine or layered security approach combines anti-virus, anti-spam, or URL filtering engines that use different detection techniques and maintain different threat databases, providing better detection than a single-engine strategy could achieve.
