Study on Malware Detection Rates Makes the Point(s)
October 26, 2010
Last week a blog entry by Andy Greenberg on the Forbes web site pointed me to a recent group test report by NSS Labs on anti-malware products. Triumfant does not have a massive research group, so I rely on data such as this report to back up many of the things written on this blog. The NSS Labs study is done independently and without sponsorship, so it is a good source of supporting data.
Allow me to step through some of the points I touch on frequently (links added for your convenience) and use the NSS data to support those points:
The odds are not in your favor. The NSS summary offers two key takeaways from the numbers:
- Cybercriminals have between a 10% – 45% chance of getting past your AV with Web Malware (depending on the product)
- Cybercriminals have between 25% – 97% chance of compromising your machine using exploits (depending on the product)
One of the more popular posts that addresses this issue further is “Antivirus Detection Rates – It is Clear You Need a Plan B“.
Adding more layers to your AV product will never get you to the 100% shield. In previous posts such as “Defense in Depth – There is No Perfect Shield”, I discuss how everyone wants a 100% shield. The NSS Labs study shows there is no 100% shield now, nor is there one in sight. You are not getting closer to a 100% shield; it is moving away from you. The statistics show that the only AV product that actually improved its detection score from the previous test was McAfee, which went from 81.6% to 85.2% in one year. McAfee threw the considerable weight of its very large organization at the problem and is still missing one in every seven attacks. One can also assume that the increased volume of attacks alone ate away any gain McAfee was able to realize. Kudos to McAfee, because on average…
The detection rates are decreasing. According to the NSS Labs report, “products slipped by 6% on average from 2009 to 2010” in their ability to detect malware. The press is full of claims by the AV vendors that they have either upped the capabilities of their AV products or added elements to their AV suites to close the gap. All the evidence says otherwise. Detection reports from AV suites cite volumes of detected attacks that are artificially inflated by the growing number of attacks, which obscures the declining detection rate as a percentage of attacks (“Antivirus Detection Rates – Undetected Attacks Are Still Attacks“). And yes, the proper conclusion is that decreasing detection rates translate into more attacks reaching your endpoints.
Attempts at closing the detection gaps are negatively affecting performance. As AV vendors attempt to plug the leaks with add-ons to their AV suites, there is an effect on the performance of the machine that is not proportional to the extra protection. If you look at the performance data on pages 13-17 of the report, you will see that the Microsoft Essentials offering consistently rates low on system impact. Given that Microsoft is not generally lauded for efficient design, one can conclude that the lack of add-on capabilities at the very least contributes to the proportionately lower impact of MSE on the machines.
Exploits must factor into the equation. The NSS Labs report has a separate section on the ability of the products to protect against exploits encountered while using the World Wide Web. The report shows that “over half of the AV products stop less than 50% of the exploit attacks”, and many of the products that score best in malware protection are the worst for exploit protection. Exploits are just as dangerous to your organization as traditional malware, and you must consider performance against these exploits when weighing the efficacy of your protections.
All of these points lead to the two most important points that you can simply no longer ignore:
Attacks are getting through to your endpoints. The best-case scenario according to the NSS Labs study is that one out of every ten malware attacks and one out of every four exploits make it past your defenses to the endpoint. We often address the challenges of protecting endpoints in terms of the growing number of signatures, the increasing complexity of attacks, and other factors, but these numbers are right there for you to either accept or ignore. You could spend every dollar you have on shields and it will not change this fact. In fact, I would argue that for every additional dollar you spend on shields you are getting pennies back (“New Math of Endpoint Protection“).
The equation for endpoint protection has changed, and detection must now be added to prevention. The data in the NSS Labs study clearly supports the fact that you must have a tool in place that uses an alternative approach to detect when a malicious attack or exploit has successfully infiltrated your machines, which the study shows happens at a rate ranging from 10% – 45% (and trending downward, BTW). The facts dictate that you revisit your endpoint protection strategy and embrace the fact that “Endpoint Protection Must Be About Prevention AND Detection“. Better yet, you need a tool that can help you address the detected attacks quickly and efficiently, keep the attack from spreading, and minimize the operational impact.
Two weeks ago an article in Information Week called “Outgunned: How Security Tech Is Failing Us” took a hard look at why organizations are losing the battle against evolving threats. The statistics behind this study support my response, which asks the question “Is Security Tech Failing Us or Are We Failing to See the Light?“. The numbers in the report suggest that we are the ones who are failing, because we stare directly at the hard evidence and choose to ignore it. Regardless of how we interpret the numbers and reconcile what they are telling us, the hard truth is that at least one out of every ten attacks is getting through. No amount of denial will change that.