September 30, 2009
Another study, another set of results supporting the view that the malware threat is quickly outpacing traditional protections. Antivirus vendor PandaLabs released a study yesterday showing that the number of infected PCs worldwide increased by 15% in September. The average infection rate now stands at around 59 percent, with the U.S. checking in at 58 percent.
The data was pulled from “users that scanned and disinfected their computers with the free Panda ActiveScan online antivirus”. There is no way to know if those users were already running an AV product on their machine, although that data would have really been instructive. Given that these users were running free software it is likely that these are consumer users or small businesses and not enterprise customers, and there is no breakdown of user type in the study.
What the study does show is that the malware problem is getting worse, not better, and that this malware is finding its way to machines. With a plethora of studies showing AV detection rates at less than 50% (some significantly less) it is safe to assume that even with traditional protections in place a lot is getting through.
Of course the obvious question is what did the scanning tool not find? The PandaLabs tool is signature based, meaning it could only find what is already known, leaving any number of already working attacks undiscovered. These infection numbers would undoubtedly be higher if everything could be seen and counted.
The story is simple. Lots of bad stuff is getting through traditional protections, and the bad guys are making more bad stuff and making it harder to detect every day. Traditional protections can only see what is already known in the form of signatures, and even when a signature exists the failure rate is too high. And we haven’t even begun the discussion of seeing all of the damage from an infection or properly remediating the damage. The AV vendors continue to trot out new functions and features to try and patch the gap in their offerings, but it is clear you need something more.
This study supports what I said in an earlier post when I compared traditional protections to an umbrella on a rainy day and noted it is raining and you will get wet. This study is yet another brick in the wall of support for that thesis, and shows again that you will have to decide just how wet you are willing to get.
Compliance and Configuration Management, Endpoint Security | Tagged: dynamic persistent threat, endpoint protection, Endpoint Security, zero day malware
Posted by Jim Ivers
September 22, 2009
I am still a bit baffled by the rush to embrace the reputational aspects of products like Symantec Quorum. I do get how it works, and I do get that it adds value and can help a user see whether the application they are loading may be malicious based on its reputational score or lack thereof.
What I don’t get is that the protection of the endpoint hinges on a user response. The demo I saw of Quorum presents the user with a warning screen. The screen tells them how many people in the Norton community have used the file – few (less than 10), very few, or unknown – and presents the user with three choices:
- Decide later (the Scarlett O’Hara I will worry about that tomorrow option)
- Remove this file from my system
- Run the installation of the product anyway
So essentially the same user that got the endpoint machine into this mess is given a prevalence score and gets a choice of how to proceed. In my opinion, prevalence protection is a smart idea right up to the reliance on the carbon based life form that clicked on something questionable or outright bad in the first place to now somehow have the wisdom and security awareness to properly respond.
I am going to have to go with human nature here and guess that they will pick #3 – run the installation anyway. Because human nature says: “If I clicked on it I want it and I don’t care about your fluffy risk rating”. I actually think there is a direct correlation behind my claim: the more likely someone is to click on something dangerous, the more likely that same person is to ignore any warning and proceed without care. In other words, the more I need to be protected from my own actions, the more likely I am to ignore the warning and carry on as if nothing had ever happened.
That is why I really believe that there has to be automated analysis and remediation behind this technology to really make it practical. Just one man’s opinion.
Endpoint Security | Tagged: endpoint protection, Endpoint Security, Symantec Quorum
Posted by Jim Ivers
September 10, 2009
I was reading Byron Acohido’s latest post in The Last Watchdog about the new SMB2 zero day vulnerability and it provoked a lot of thinking around how Triumfant is characterized as endpoint protection. Specifically, we get asked if we consider Triumfant a first line of defense or a last line of defense. Reading Acohido’s post made me realize the answer is “yes”.
In the case of the SMB2 zero day vulnerability there is no patch and no malware has been detected that exploits the vulnerability as of yesterday (9/9/09). Traditional defenses for the endpoint will have no knowledge of the eventual attacks that will undoubtedly come and will therefore be ineffective in shielding endpoints from the malware. In this case the traditional defenses offer no defense, so Triumfant is the first line of defense for the endpoint machine. Because Triumfant uses granular change detection to detect attacks and therefore does not require prior knowledge of the attack, it is uniquely able to protect the machine. Acohido predicts that the eventual exploit could be a “Conficker-type worm attack” and when it eventually comes, Triumfant will see it and protect the affected machines.
In short, if an incoming attack is specifically designed to evade detection by traditional endpoint defenses, or is a zero day (or very early in its lifecycle), then it is as if the traditional defenses are not even there. So Triumfant becomes the de facto first line of defense. Add to the list rootkits, the work of maliciously intended insiders and corruption of the software supply chain, and you get a lot of vectors where Triumfant is the endpoint protection that first engages the enemy. I always add the caveat that we do not position Triumfant as a shield – it detects the malware when it gets to the machine.
In the case of known attacks that the other tools simply miss or the variants that just slip past the signatures or those attacks that get through because the defensive software is improperly configured or deployed, then Triumfant is the last line of defense. Everything that falls through the nets – and there is a lot of evidence (read here, here and here) that there is plenty that does – and makes it to the endpoint will be detected and remediated by Triumfant. We have never positioned Triumfant as a replacement for the existing nets, but we do believe that the holes in those nets are plentiful enough that we provide an excellent complement to traditional defenses.
So there you are – Triumfant is both a first and last line of defense. It simply depends on the context of the attack. Either way, Triumfant is filling critical and frequent gaps in endpoint protection. What makes the story even better is that Triumfant remediates what it detects by synthesizing a remediation and restoring the machine to its pre-attack condition in minutes without human intervention.
Whether it is acting as the tip of the spear or backstop, Triumfant does what no other endpoint protection product can. So when I answer “yes” to the first line or last line of defense question I am not being glib or sarcastic, just accurate.
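The post contrasts signature-based detection with change-based detection and restoration. The Python below is an added illustration, not Triumfant’s code: it models an endpoint as a path-to-contents map, runs a signature scan that only knows one old sample, then runs a baseline diff that flags the unknown dropper and the patched driver as well, and restores the baseline. The endpoint contents, hashes and paths are all constructed for the example.

```python
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample: a tiny "endpoint" modelled as path -> file contents.
CLEAN_ENDPOINT = {
    "C:/Windows/System32/svchost.exe": b"legit svchost build 6.1",
    "C:/Windows/System32/drivers/srv2.sys": b"legit srv2 driver",
    "C:/Users/jim/Documents/notes.txt": b"meeting notes",
}

# Constructed signature database: it knows exactly one old sample.
KNOWN_BAD_HASHES = {sha256(b"old known bot v1")}

# Constructed post-attack state: the old known bot is dropped, a brand new
# dropper (no signature exists) is dropped, and a system driver is patched.
INFECTED_ENDPOINT = dict(CLEAN_ENDPOINT)
INFECTED_ENDPOINT["C:/Users/jim/AppData/bot.exe"] = b"old known bot v1"
INFECTED_ENDPOINT["C:/Users/jim/AppData/dropper.exe"] = b"never seen before payload"
INFECTED_ENDPOINT["C:/Windows/System32/drivers/srv2.sys"] = b"legit srv2 driver + hook"


def snapshot(endpoint):
    """Baseline: hash every file so a later state can be compared against it."""
    return {path: sha256(content) for path, content in endpoint.items()}


def signature_scan(endpoint, bad_hashes):
    """Traditional detection: flags only files whose hash is already known bad."""
    return sorted(p for p, c in endpoint.items() if sha256(c) in bad_hashes)


def change_scan(baseline, endpoint):
    """Change detection: flags whatever differs from the baseline, no prior knowledge needed."""
    current = snapshot(endpoint)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p])
    return {"added": added, "modified": modified, "removed": removed}


def remediate(baseline_endpoint, endpoint):
    """Restore the pre-attack state: drop additions, put back modified or removed files.
    Assumes a stored known-good copy of baseline contents is available (hashes alone cannot restore)."""
    findings = change_scan(snapshot(baseline_endpoint), endpoint)
    restored = {p: c for p, c in endpoint.items() if p not in findings["added"]}
    for path in findings["modified"] + findings["removed"]:
        restored[path] = baseline_endpoint[path]
    return restored
```

The signature scan reports only bot.exe, while the baseline diff also reports dropper.exe and the altered srv2.sys, which is the gap the post is describing.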
Endpoint Security | Tagged: conficker, defense in depth, endpoint protection, Endpoint Security, Triumfant Resolution Manager, Worldwide Malware Counter, zero day malware
Posted by Jim Ivers