It is Raining and You Will Get Wet
August 26, 2009
Ever walk down the street on a rainy day? You can have the best umbrella in the world and you will still get wet. When I get asked the question “why do I need Triumfant when I have other defensive software?” the answer is found in that rainy walk – because you will still get wet. Malicious stuff will get through your defensive shields and when it does you need something that will address these problems on your endpoint machines.
Notice that I am not looking to convince you I have a better umbrella, because we never portray Triumfant as a shield. Nor am I telling you to throw away your existing umbrella, because we never position Triumfant as a replacement for antivirus software, nor do we claim that having Triumfant means you no longer need AV.
But you do need to recognize it is raining and you will get wet. I have touched on the proof points separately at times but I have never laid them end to end until now. So here they are:
- It rains harder every day. Symantec reported in their Global Internet Security Threat Report, 2009 that there were 1.6M new malware instances in 2008, exceeding the 1M counted as the number of attacks for all previous years combined. Both McAfee and Symantec show that this 1.6M number was passed sometime in mid-summer 2009. If you graph the numbers you will see that they increase geometrically. For example, McAfee saw twice as many attacks in the second half of 2008 as in the first half of that same year.
- It is raining sideways more than ever. McAfee Avert Labs noted in a recent blog post that they see 6,000 new malware instances per day that pass through their signatures, generic filters and heuristics. Extrapolating this number over the entire year would get you to over 2M attacks that pass through the traditional protections.
- The rain comes from a different direction every second. An August 13 article in SC Magazine notes a study that found that cyber criminals are now designing malware to last 24 hours before becoming inactive. The study noted that 52 percent spread for just 24 hours, nineteen percent last for two days, and nine percent persist for three days. Malware designers produce hundreds of unique samples that carry the malicious payload to evade detection. Essentially, by the time the malware is detected, analyzed and a signature created, the cyber criminals have long since moved on.
- The rain is straining the capacity of your umbrella. A recent white paper by Cyveillance, the Cyber Intelligence Report, August 2009, provided average daily detection rates for the period of 5/12/09 through 06/10/09. Cyveillance fed active attacks consisting of confirmed malicious files they had detected from the Web into 13 of the top antivirus solutions and tracked the detection rates. The results are, to say the least, eye opening: the average detection rate reported was roughly 30 percent.
It is raining hard and relentlessly on your endpoints and sometimes it is coming down sideways. But it is not just the traditional attack vectors that you must address in the fight for endpoint protection. There are increasingly nasty rootkits that evade traditional defenses. There are polymorphic attacks with rotating binaries that automatically morph themselves so they never look the same on any two machines. There are new classes of attacks like drive-by SQL injections and registry-based attacks. There is the work of the maliciously intended insider who either directly corrupts the machine or alters its defenses so it can be corrupted by outside influences. There are new ways to subvert software assurance and the software supply chain to embed malicious code in what is thought to be trusted software. And as always, there is the most nefarious problem of them all – the carbon-based life form installing peer-to-peer software, using Facebook, and going to Jessica Biel picture sites. It is not just raining sideways, sometimes it must feel like it is raining up!
What is clear is that bad things will get past the traditional defenses to the endpoint, and it is time to consider what will protect your organization when that happens. That is where we come in – we see the malicious attacks that make it to your endpoints: the stuff that falls through the other defenses, the zero-day attacks, the newest variations of existing attacks, and all of the attacks that come through exotic vectors that defensive endpoint security software may not yet address. We build a normative whitelist of your environment and can tell you if something is being installed that does not exist anywhere else in your environment.
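To make the "does not exist anywhere else in your environment" idea concrete, here is an added example (not Triumfant's code, and not a description of how their product is built) of a fleet-wide prevalence check: given a per-host software inventory, it builds the fleet-wide baseline of what is normal and flags any item that is present on only one machine. It also distinguishes a brand-new file from a common path whose contents differ on one host, which is what a rotating or tampered binary looks like from this vantage point. The inventory layout, host names, paths and hash strings are all constructed sample data.

```python
"""Fleet-wide prevalence check ("normative whitelist" of an environment).

Added illustration, not Triumfant's code. The inventory format, host names,
paths and every hash value below are constructed sample data; the hashes are
short placeholders standing in for real file digests.
"""
from collections import defaultdict

# Constructed sample inventory: host -> set of (path, content_hash).
FLEET_INVENTORY = {
    "ws-001": {
        ("C:\\Windows\\System32\\kernel32.dll", "h-k32-good"),
        ("C:\\Program Files\\Office\\winword.exe", "h-word-12"),
        ("C:\\Program Files\\Corp\\agent.exe", "h-agent-3"),
    },
    "ws-002": {
        ("C:\\Windows\\System32\\kernel32.dll", "h-k32-good"),
        ("C:\\Program Files\\Office\\winword.exe", "h-word-12"),
        ("C:\\Program Files\\Corp\\agent.exe", "h-agent-3"),
    },
    "ws-003": {
        ("C:\\Windows\\System32\\kernel32.dll", "h-k32-good"),
        ("C:\\Program Files\\Office\\winword.exe", "h-word-12"),
        ("C:\\Program Files\\Corp\\agent.exe", "h-agent-3"),
        # A file that exists on no other machine in the fleet.
        ("C:\\Users\\Public\\svchosts.exe", "h-unknown-9f"),
    },
    "ws-004": {
        # Same path as everyone else, but the contents differ on this host only.
        ("C:\\Windows\\System32\\kernel32.dll", "h-k32-TAMPERED"),
        ("C:\\Program Files\\Office\\winword.exe", "h-word-12"),
        ("C:\\Program Files\\Corp\\agent.exe", "h-agent-3"),
    },
}


def build_prevalence(inventory):
    """Map each (path, hash) pair to the set of hosts on which it is present.

    This is the fleet baseline: anything seen on many hosts is, by definition,
    normal for this environment.
    """
    prevalence = defaultdict(set)
    for host, items in inventory.items():
        for item in items:
            prevalence[item].add(host)
    return prevalence


def find_outliers(inventory, max_hosts=1):
    """Return findings for items present on at most `max_hosts` hosts.

    Each finding is (host, path, hash, host_count, kind) where kind is
    'new_path' when the path itself is rare in the fleet, or 'hash_mismatch'
    when the path is common but this host's contents differ from the fleet's.
    """
    prevalence = build_prevalence(inventory)

    # How many hosts carry each path at all, regardless of contents.
    hosts_per_path = defaultdict(set)
    for (path, _digest), hosts in prevalence.items():
        hosts_per_path[path] |= hosts

    findings = []
    for (path, digest), hosts in prevalence.items():
        if len(hosts) > max_hosts:
            continue  # common across the fleet: part of the normative whitelist
        kind = "hash_mismatch" if len(hosts_per_path[path]) > max_hosts else "new_path"
        for host in sorted(hosts):
            findings.append((host, path, digest, len(hosts), kind))
    return sorted(findings)


if __name__ == "__main__":
    for host, path, digest, count, kind in find_outliers(FLEET_INVENTORY):
        print(f"{host}: {kind:<13} {path} ({digest}) seen on {count} host(s)")
```

On the constructed inventory this reports the unique file on ws-003 as `new_path` and the divergent kernel32.dll on ws-004 as `hash_mismatch`. In a real environment the threshold `max_hosts` would be raised above 1 and an allowlist kept for machines that legitimately carry one-off software, since a prevalence check of this kind surfaces rare-but-benign items alongside genuinely new ones.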
And once we detect it, we can also remediate it. The context provided by our patented analytics enables Resolution Manager to see all of the changes to a machine that are part of the attack, making our solution uniquely able to build a remediation to address the entire scope of the attack and restore the machine to its pre-attack condition. BTW, that context I speak of is what really sets us apart – for example it allows us to beat the false positive problem – so you may want to look at the associated post.
Folks, it is raining, and don’t look for the rain to quit or even subside because it gets worse by the day. And you will get wet. That is the value of Triumfant – we are that last line of defense when you do.