More Proof That Signatures are Unsustainable – Malware Now Dies Before a Signature Can Be Written
August 13, 2009
An interesting article came out in SC Magazine today noting that most malware (52% according to the article) dies before a signature can be created for it, and well before that signature can be distributed to endpoints. What is more telling is that the cyber criminals are deliberately flooding the AV companies with piles of new variants to make it very difficult for them to keep up with the onslaught.
This supports our contention that signature-based endpoint security is simply no longer viable as a way to detect malicious attacks in the world in which organizations now have to operate. Gartner analyst Peter Firstbrook notes in the article: “The database of signatures is growing rapidly, but effectiveness is declining.” There are also malware numbers from Panda Security that are consistent with the alarming figures we have reported from both Symantec and McAfee. Panda says it had collected 18 million malware samples in total through the end of 2008, and has already collected another 12 million in 2009 through August.
This is, of course, the very point we have been trying to make with the Worldwide Malware Signature Counter. The quantitative evidence is overwhelming, and every time new data comes out the thesis behind the counter becomes more solid.
Quite simply, the malware game has changed and the protections have not kept up. Prior knowledge of an attack, in the form of a signature, is no longer a sustainable way of detecting malware, as this article clearly indicates. The current alternatives to signatures, such as heuristics, behavioral analysis and reputation-based detection, have too many false positives or are too broad to be effective. Malware is evolving, and organizations must be ready to look beyond traditional endpoint protection (the usual suspects in the center aisles of the RSA Conference) if they are to have any hope of protecting critical data from the threats described in this article.
Fortunately there are new, compelling solutions that can detect dynamic, targeted attacks (what we call the dynamic persistent threat) without prior knowledge and provide a complete view of the attack and the collateral damage it causes to the victim machine. In just the past 10 days I have had the chance to show our product to multiple groups of some of the most senior security people I have had the privilege to encounter, and all of them came away very impressed with how we not only detect but also remediate an attack without a signature. We showed all of them the same basic demonstration we used for the three-minute malware challenge we did at RSA, where we put malware on a machine and watch Triumfant detect, analyze and remediate the attack in minutes. No prior knowledge required, no human intervention needed.
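As an added illustration (example code written for this page, not Triumfant's product code or any AV vendor's implementation), the script below contrasts the two detection models discussed in the two paragraphs above: a prior-knowledge signature database holding a file hash and a byte pattern, and a diff of host state against a known-good baseline that needs no prior knowledge of the sample at all. The "malware" bytes, the file paths, the registry key names and the mutate() stand-in for re-packing are all constructed assumptions for the example, not data from the article.

```python
import hashlib
import re

# Constructed stand-in for a malware file; not a real sample (assumption for this example).
ORIGINAL = b"MZ\x90\x00evil-loader v1\x00CreateRemoteThread\x00"

# A signature database of the kind the post argues cannot keep up: a full-file
# hash plus a byte pattern, both derived from the one sample the vendor has seen.
SIGNATURE_HASHES = {hashlib.sha256(ORIGINAL).hexdigest()}
SIGNATURE_PATTERNS = [re.compile(rb"evil-loader v1\x00")]


def signature_match(sample: bytes) -> bool:
    """Prior-knowledge detection: the sample must equal, or contain, something already seen."""
    if hashlib.sha256(sample).hexdigest() in SIGNATURE_HASHES:
        return True
    return any(p.search(sample) for p in SIGNATURE_PATTERNS)


def mutate(sample: bytes, generation: int) -> bytes:
    """Stand-in for re-packing a variant: change the version string and append one
    generation-specific byte, so neither the hash nor the byte pattern survives."""
    return sample.replace(b"v1\x00", b"v%d\x00" % generation) + bytes([generation % 256])


# Host state as a flat attribute map: file path -> sha256, or autorun key -> command.
# Hypothetical paths and values, constructed for the example.
RUN_KEY = "HKLM/Software/Microsoft/Windows/CurrentVersion/Run"
BASELINE = {
    "C:/Windows/System32/kernel32.dll": "a" * 64,
    RUN_KEY + "/Updater": "C:/Program Files/Vendor/updater.exe",
}


def infect(state: dict, sample: bytes, drop_path: str) -> dict:
    """Simulated collateral damage: the variant drops itself to disk and adds a persistence entry."""
    after = dict(state)
    after[drop_path] = hashlib.sha256(sample).hexdigest()
    after[RUN_KEY + "/svchost32"] = drop_path
    return after


def snapshot_diff(baseline: dict, current: dict) -> dict:
    """Detection without prior knowledge: report every attribute that was added,
    removed or changed relative to the baseline, whatever the sample looks like."""
    return {
        "added": {k: current[k] for k in current.keys() - baseline.keys()},
        "removed": {k: baseline[k] for k in baseline.keys() - current.keys()},
        "changed": {k: (baseline[k], current[k])
                    for k in baseline.keys() & current.keys() if baseline[k] != current[k]},
    }


def compare_detection(generations: int) -> dict:
    """Run the original plus `generations` re-packed variants past both detectors
    and count how many each one catches."""
    samples = [ORIGINAL] + [mutate(ORIGINAL, g) for g in range(2, generations + 2)]
    caught_by_signature = sum(1 for s in samples if signature_match(s))
    caught_by_diff = 0
    for i, sample in enumerate(samples):
        diff = snapshot_diff(BASELINE, infect(BASELINE, sample, f"C:/Users/Public/tmp{i}.exe"))
        if diff["added"] or diff["removed"] or diff["changed"]:
            caught_by_diff += 1
    return {"samples": len(samples), "signature": caught_by_signature, "snapshot_diff": caught_by_diff}


if __name__ == "__main__":
    # The signature only ever catches the one sample it was written from.
    print(compare_detection(10))  # {'samples': 11, 'signature': 1, 'snapshot_diff': 11}
```

The caveat a practitioner should keep in mind: the baseline diff flags every change, including legitimate ones such as patches and software installs, so in practice it has to be paired with a way to separate expected change from unexpected change; that is the false-positive trade-off the post raises for signature alternatives. The example only shows the narrower point that the diff-based detection does not depend on having seen the sample before, whereas the signature stops working the moment the attacker re-packs.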
The closing sentence of the article says it all: “While AV companies are quickly working to create signatures for malware variants, businesses should be most worried about targeted attacks that security firms may not even be aware of.” The evidence is everywhere, and this problem will only accelerate over time. The longer your organization ignores the warning signs, the wider the gap in your endpoint protection will grow, and with it your risk. Don’t be afraid to look beyond the traditional security vendors for a solution, because that is where you will find it.