Exhibit Hall Hard Truth – Buy One of Everything and You Will Still Be Breached

This week I spent the day at a table at an exhibit hall at a conference.  Traffic was light in the exhibit area and it gave me a lot of time to think, which is often dangerous.  The show was one of those egalitarian exhibits where everyone gets the same six foot table, so there were no little vendors being dwarfed by massive booths with overwhelming A/V systems and elaborate staging.  Mostly pop-up banners and table covers.  The somewhat level playing field allowed for some interesting observations and one important epiphany.

First, IT security is the land of really bad company names.  I won’t call out any here.  But, really?

Second, if it were your first time in an exhibit hall how could you possibly come to any rational conclusions?  Every booth seemed to promise the same thing and share the same set of bulleted claims, to the point that I think you could have randomly redistributed the banners and most booths would not have missed a beat.

Finally, I was struck by the fact that the emphasis on prevention and the pursuit of the perfect shield is sending a very loud message, if the attendees were willing to see the forest for the trees.  Of the 50 tables at the show, 47 were about preventing attacks, 2 were consulting shops, and one, Triumfant, was about detecting breaches.

Notice I said breaches.  I realize that everyone talks about detecting attacks as the recognition needed to prevent attacks.  Triumfant is distinguished in that we detect successful attacks – the ones that get through the defenses.  Therefore, we detect breaches.

And now for the epiphany: shouldn’t the vast number of prevention solutions and all of the noise really tell you something about prevention?  If shields are working so darn well, then why do we have hundreds of shield solutions in the market?  Why does your endpoint solution (AV vendor) continuously have to add layer upon layer of new technology?  Why are you neck deep in the spent shell casings of silver bullet technologies, each of which was going to finally provide you with the 100% shield of myth and legend?

Repeat after me: Attacks get through your shields.  Attacks get through everyone’s shields.  You have been breached.  You can buy every prevention product on the market and you will continue to be breached. And no, this is not all about exotic targeted attacks and the advanced persistent threat.  Sometimes it is just basic, opportunistic malware that gets through.

It gets worse.  You are not prepared.  You do not have the tools in place to detect a breach.  The Verizon Business Data Breach Investigations Report showed that you will only find it yourself 6% of the time.  You are unprepared to detect successful attacks, yet you continue to shop for silver bullets instead of facing the hard truth.

I am talking about the ability to detect a breach within minutes of infection, alert the proper personnel, and return detailed actionable information. If you choose wisely, you may even get a solution so sophisticated that it can build a remediation for the breach, stop the malicious software, and repair the machine (including collateral damage) also within minutes of the infection.

My big takeaway from my time at the shows was really quite simple: the noise and confusion of the security shows and the broad infosec market is actually telling you something if you step back and listen.

Making the Case for Rapid Detection and Response

In my post “You Need a Plan B for Security“, I cited two numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011): 60 and 86.  These two numbers jumped out at me from the report because they emphatically support the need for rapid detection and response to identify the attacks that get through preventative IT security software: the attacks that either evade perimeter and endpoint shields, or that the shields simply fail to detect.

“60” represents the percentage of attacks in the study that went undiscovered for a month or more.  Three out of five attacks that got past the organization’s shields were free to do damage on the host machine and the network for an extended period.  Free to establish command and control, spread to critical systems, and exfiltrate sensitive data and intellectual property.  By the way, there is nothing to indicate that these attacks were super sophisticated zero days or the advanced persistent threat.  The lack of rapid detection and response makes such sophistication unnecessary.

Organizations take false comfort in security suite reports that show a steady increase in malware detection counts, a number artificially inflated by the ever-increasing volume of attacks.  Or they are willing to gamble that the number of attacks that do get through will be minimal.  Ask Sony how many attacks it takes to cause an enormous amount of seemingly endless headaches and public relations hits.  Better yet, ask their CEO, who is under pressure to resign because of the incident.

“86” represents the percentage of reported attacks that were discovered by a third party.  Conversely, this means the attacked organization found the problem itself only about one time in seven.  If a third party had not brought the attack to their attention, it may never have been discovered.  One could easily surmise that if it had been left to the attacked organization to detect the problem, the 60% number above could have been much worse.

It is clear that organizations are not prepared to detect and respond to successful attacks.  One in seven is a horrible rate given the accelerating pace at which attacks are getting through the shields.  They most certainly are not prepared to detect these attacks rapidly, before the attacks can cause significant damage.

There is another component to consider.  Detection of the attack by a third party means that the attacked organization’s dirty laundry is now public.  At a minimum this erodes public and consumer trust, and at its worst it can damage the organization’s brand and potentially affect its valuation.

Budgets are tight and the economy is staggering.  Rather than spend more money on yet another shield that will get compromised, organizations may want to take the numbers 60 and 86 to heart and take a hard look at their rapid detection and response capability.  Because by ignoring the need for rapid detection and response, organizations are enabling the adversary to establish a long term and highly destructive presence in their environments.

Attacks are getting through.  You must have a way to effectively identify successful attacks and provide the actionable information to make an informed and rapid response.

Plan B Gets a Name: Rapid Detection and Response

I have been openly evangelizing for a Plan B for malware detection for three years.  I have also been looking for a name for this approach, and today I saw an article that used a term that I have seen in several places lately that I think has some merit:

Rapid Detection and Response.

Great way to describe the concepts offered in a general sense here, and a great way to describe one of the fundamental benefits of Triumfant.

In short, the perimeter is porous, and attackers are smart, motivated and well funded and will target specific things at specific organizations.  The net result is that attacks are getting past shields at an increasing rate.  You must have a way of quickly identifying the attacks that do get through, and the information to take an immediate and informed response.

Triumfant detects the attacks that evade your defenses.  Detection is within minutes of the attacks and returns a comprehensive forensic analysis of the attack including every granular attribute affected.   Triumfant will also build a contextual remediation that will repair the machine, stopping the attack and fixing the collateral damage to the machine.  For details, I suggest you go to the solution brief and the white paper on Malware Detection and Remediation.

Triumfant detects, it does so rapidly, and it formulates a response automatically.  Triumfant detects rootkits.  Triumfant detects zero day attacks.  Triumfant detects the advanced persistent threat.  That sounds like Rapid Detection and Response to me.

You Need a Plan B for Endpoint Security

You need a Plan B.

Plan A in endpoint security is to prevent malicious software from infiltrating a machine.  Most of the software on the exhibit floor of any IT security show is Plan A software with the remainder aimed at identity management.  As the number and complexity of attacks steadily increase, the amount of Plan A tools deployed at any given site has gone up proportionately.  Every year brings out a new “it” Plan A product and another layer of shields.

In spite of all of this Plan A activity, the number of successful infiltrations is on the rise.  Malware detection rates vary from study to study, but if you are RSA, NASDAQ, Sony, or any of the scores of organizations breached recently, you realize that the bickering over the numbers in these studies is meaningless once you are attacked.  Add targeted attacks and the Advanced Persistent Threat to the mix, and the picture is less than rosy.

You need a Plan B.  Plan B is not a difficult concept to grasp or justify.  It simply says that there are no 100% shields, no fool-proof Plan A.  It accepts the hard truth that motivated, well-funded attackers will infiltrate your systems.  Therefore, you need a Plan B to detect the attacks that evade your Plan A software, so that you can take informed action based on that knowledge.

The “Verizon Business 2011 Data Breach Investigations Report”, Published May 2011 had two interesting facts that scream for the need for a Plan B:

  • 60% of the breaches they studied went undetected for over a month.  The bad guys had free access to internal systems for extended periods.
  • 86% of the breaches were discovered by an external party.  The organizations would have never known they had been breached if someone from the outside had not told them.

Don’t take for granted that you have not been infiltrated because your Plan A software has not detected the presence of an attack.  That is self-deceiving logic.  If the attack gets past the protection of Plan A it has already evaded the detection capabilities of Plan A.

Here is something else to consider: most Plan A software consists of shields that defend the increasingly porous perimeter, while a successful infiltration, by definition, lands on the endpoint.  Furthermore, the shields are often concerned with the attack vector and not the payload.  Once an attack makes it to the machine, it is all about the payload.  So again, we are back to the need for a Plan B that has a different focus and methodology than Plan A.

Having a Plan B is not an admission of failure or running up a white flag on the idea of prevention.  It is a prudent, pragmatic and necessary response to the current threat environment.  You need a Plan B that focuses on detecting successful attacks and provides the analysis necessary to take immediate and informed action.  You need a Plan B that is not tied to traditional techniques that rely on prior knowledge such as signatures.  Finally, you need a Plan B that lives where the attacks happen – the endpoint.

It all goes back to the opening line: You need a Plan B.

Time to Take an Open Minded Plunge

This blog entry is unique because it is the first one written on my new Apple MacBook Pro that I put into service yesterday. The move to the Mac is one of two personal paradigm shifts I have experienced recently, and the process speaks to the changes the IT security industry is experiencing today.

The second paradigm shift was the move from a BlackBerry to a Droid. As near as I can remember, I have had a BlackBerry device of some form for at least the past 10 years. It was an extension of my everyday activity, and that connection only deepened when the PIM device was merged with a phone. As other smartphone platforms grew smarter I was able to reconcile my BB loyalty with my belief that the BB was a better e-mail platform, which of course had long since become a myth. When the trackball on my BlackBerry stopped working and I was forced to change devices, I finally acquiesced and grabbed a Droid device.

Not only do I not miss my BlackBerry, I never looked back for a second. No misty eyed nostalgia, no frustration that I had somehow lost productivity or functionality. Only the periodic “What took you so long?” self-flagellation as I realized how much I had been missing by clinging to the past in the face of all evidence to the contrary.

I am less than 24 hours into my Mac ownership and I am feeling the same. The transition has been as painless as my departure from the BlackBerry world, and equally pleasing from a business perspective and from a personal perspective. What really surprised me is just how little I brought from my Windows PC to the Mac. Part of that is easy to explain: the world has shifted from host-based applications to web-based applications. The world has changed.

Much of what frustrates me in the security space is the irrational insistence on clinging to the tools and techniques of the past. When it comes to attacks and attackers, the world has changed dramatically in the past five years, yet organizations doggedly cling to the security technologies and tools of the past. Headlines scream the need to change, but new ideas seem to be viewed with enormous skepticism. And the large IT security companies that have traditionally dominated the space are allowed to wield incredible influence and drive the market based more on what they offer than on what the customer needs. I see heated arguments over the definition of the Advanced Persistent Threat, but little to help organizations detect APT attacks.

Funny, but Windows and BlackBerry both promised me that they could step up and give me everything that the new technologies offered, and I bought it for a time. I had to really take an open-minded plunge to really see the folly of that line of thinking. I would encourage the decision makers in IT security to do the same.

USB Drives – Cool Tool or Malware Delivery Device

Behold the USB drive. Simple. Functional. Efficient. The USB device is also a symbol of all that makes IT security so difficult. But take heart, because the USB device is also illustrative of the functions and benefits of Triumfant.

Why does the USB key represent the difficulties with IT security? Because a USB device is an infiltration and exfiltration method wrapped into one tidy package. The bad guys are using USB devices to deliver malicious payloads to host machines because this vector readily evades perimeter network defenses that use techniques like deep packet inspection and sandboxing. Those techniques require that the attack come across the wire to work, so attacks delivered by a USB device easily fly under their radar. The USB device has become a very effective mechanism for delivering the targeted and sophisticated zero day attacks and advanced persistent threats that are becoming increasingly difficult to detect. For an example, start with Stuxnet, the malicious attack that grabbed more headlines than a Britney Spears midnight trip for a haircut. Stuxnet evaded protection by using USB drives for transport to the host machines from which the attack spawned.

In regards to exfiltration, there is no simpler tool for offloading data than a USB device. While this has great utility, it is a major problem in the context of data loss prevention (DLP) activities, as once data is loaded onto a device there is absolutely no control of where that data may land. All bets are off.

You would think that USB devices would be the bane of every IT security person on the planet, yet security vendors give them away at industry tradeshows. Most people will pop in a USB key with little thought of the risk, so a “just say no” approach is not effective. Our CTO was at a customer recently and was told that USB devices were not allowed at the site. Minutes later he produced a report that showed that USB devices had been used in over 20% of the machines in the past two weeks. So much for strongly worded guidelines.

The problems surrounding USB devices are useful in pointing out the value of Triumfant:

Malware detection and remediation. Triumfant will detect attacks that are delivered to a machine via a USB device, analyze the attack, and build a remediation to stop the attack and repair all of the damage to the machine. Infection to remediation in minutes. Remember, Triumfant detects attacks by identifying and analyzing changes to the machine, and is therefore attack vector agnostic.

Continuous enforcement of policies and configurations. With Triumfant you can build and enforce policies that disable the use of removable media like USB devices. Triumfant will set the policy and remediate any machine found to be out of compliance.

Continuous monitoring/situational awareness. Your organization may choose not to disable USB devices. In that case Triumfant can report which machines have had a USB device inserted and can identify machines with unusually high levels of data movement. Alternately, if you do disable the devices, you may still have users with Admin rights to their machines, which lets them change the configuration of the machine to override the policy. Triumfant can then identify both the machines where a USB device was inserted and the machines where the policy has been altered. Triumfant is not a data loss prevention (DLP) tool and therefore cannot tell you what, if any, data was exfiltrated, but it can tell you that such an exfiltration was possible.

In summary, Triumfant is able to protect machines from attacks delivered by USB devices, is able to enforce configurations that disable the use of USB devices, and can provide insight into usage patterns of USB devices.

If only Triumfant could help me find the numerous USB devices my teenagers borrow and never return. Of course, once they have them, perhaps it is best I don’t plug them into my machine.

Needle in a Haystack? How to Find an Unknown in an Ill-Defined, Shifting Maelstrom

In the March 17, 2011, post, I demolished the “Finding a Needle in a Haystack” analogy by pointing out that in IT Security we don’t know what we are looking for (the needle) and our haystack is not a homogeneous pile of hay but is instead a continuously changing, utterly non-homogeneous population of one-off configurations and application combinations.  We went from “Finding a Needle in a Haystack” to “Finding an <unknown> in an <ill-defined, shifting maelstrom>”.

I ended by promising you a solution and that is where I begin.

The first step toward a solution is getting your hands around the “ill-defined, shifting maelstrom” that is your endpoint population.  To find what is unwanted or anomalous in that population, you first need a way to establish what is normal for that population.  You could build and dictate normal, and then enforce that normal in a total lockdown.  That is expensive and hard to do, and in my many travels, I have seen exactly two such environments.  The alternative is to monitor the machines in that population, and accurately create a baseline learned from the environment itself.  One that captures all of the exceptions and disparity in all of its glory.  The end result is a normalized, well defined representation of your ill-defined, shifting maelstrom.  A normalized haystack, as it were.

Easy, right?  Not really.  You have to remember that your target is unknown, so you have no idea where it will appear and in what form.  You must also consider that whoever is putting the unknown in your haystack does not want it to be found, and will so design the unknown to evade detection.  Zero day attacks don’t show up as shiny needles.  You can assume nothing; therefore, you must monitor everything as part of your normalized haystack.  You must also remember that the population shifts (wanted change) and drifts (unwanted change) by the moment, so you will need to keep it current.

In short, you will need continuous monitoring that is comprehensive and granular.  Not the kind the scanner vendors sell you, which sees some of the machines in weekly or monthly increments, or the kind the AV vendors sell you, which sees parts of the machine and not the entire picture.  You will need comprehensive and truly continuous monitoring.

In yesterday’s post, I noted that if you had a homogeneous haystack you could remove everything that was hay and what is left should be the thing you are looking for, even if you do not know what that thing was.  Our haystack is not homogeneous, but now we have created a baseline that provides the next best thing.  We can’t throw out the hay, so we need a slightly modified approach that uses changes to the machines as our potential indicators of compliance issues and malicious attacks.

If we are smart, we can use this approach to our advantage because once we establish our normative haystack we can continuously monitor the machines and identify changes.  This fuels our detection process and drives efficiency in managing the shift (we want to control the drift, but that is another post) in the population.  By capturing changes, we can keep the image of the population current with minimal drag on the endpoints and the network by moving changes across the wire.  No need to move large images when incrementally smaller change captures will do.

Once we identify the changes, we will need analytics that assess the impact of those changes on the associated machine.  These analytics will leverage the context provided by the normalized model of the haystack to identify those changes that are anomalous.  Changes identified as anomalous are further analyzed to gauge their effect on the state of the machine and identify those changes believed to be malicious.  We can use the context and other analytic processes to group changes so that we see the malicious code and all of the damage done to the machine by the malware.

We have successfully identified the unknown in our ill-defined, shifting maelstrom, which, like I said yesterday, is infinitely harder than finding a needle in a haystack.  We did not just find the unknown, we have detailed its composition, analyzed the effect to the machine, and identified its path of destruction.

I think we are onto something here.  This could revolutionize malware detection, creating a detection capability that is agnostic to attack type, vector, and delivery.
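What follows is an added worked example, not Triumfant code and not a description of its internals. It models the approach the haystack posts describe (learn a baseline from the population, capture changes per machine, score each change by how common its new value is across the population, then group the anomalous changes so the dropped file and its collateral appear together) and folds in the USB policy check from the USB post as one more analytic. Hosts, hashes, version numbers and the "next scan" of ws03 are constructed; the `USBSTOR\Start = 4` registry value really does disable the USB mass-storage driver on Windows, but the assumption that the site mandates it is the example's own. The 50% prevalence threshold is likewise a placeholder, not a recommendation.

```python
"""Population-learned baseline, change capture and anomaly scoring (added example).

Attribute keys use "|" as the separator because Windows paths contain ":".
All hosts, values and the policy below are constructed for this example.
"""
from collections import Counter, defaultdict

USBSTOR = r"reg|HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR\Start"
ACME_VER = r"file|C:\Program Files\Acme\acme.exe|version"
NTDLL = r"file|C:\Windows\System32\ntdll.dll|sha256"
HOSTS = r"file|C:\Windows\System32\drivers\etc\hosts|sha256"
RUN_ACME = r"reg|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Acme"


def _host(acme_version):
    """One constructed endpoint snapshot: {attribute: value}."""
    return {NTDLL: "3f1b...a9", ACME_VER: acme_version, USBSTOR: 4,
            HOSTS: "7c0e...11", RUN_ACME: r"C:\Program Files\Acme\acme.exe"}


# Five constructed hosts mid-way through an Acme 2.1 -> 2.2 rollout (wanted shift).
POPULATION = {"ws01": _host("2.2"), "ws02": _host("2.2"), "ws03": _host("2.1"),
              "ws04": _host("2.1"), "ws05": _host("2.2")}

# Assumed site policy: USB mass-storage driver disabled (Start = 4 is "disabled").
POLICY = {USBSTOR: 4}


def build_baseline(population):
    """Learned normal: for every attribute, how many hosts hold each value."""
    baseline = defaultdict(Counter)
    for snapshot in population.values():
        for attr, value in snapshot.items():
            baseline[attr][value] += 1
    return baseline


def capture_changes(old, new):
    """Delta between two snapshots of one host: (kind, attr, old, new) tuples."""
    changes = []
    for attr in sorted(set(old) | set(new)):
        if attr not in old:
            changes.append(("added", attr, None, new[attr]))
        elif attr not in new:
            changes.append(("removed", attr, old[attr], None))
        elif old[attr] != new[attr]:
            changes.append(("modified", attr, old[attr], new[attr]))
    return changes


def classify(change, baseline, n_hosts, policy):
    """Policy first, then prevalence of the new value across the population."""
    kind, attr, _old, new = change
    if attr in policy:
        return "policy_drift" if new != policy[attr] else "policy_restored"
    if kind == "removed":
        # Losing an attribute most hosts carry is suspicious; losing a rare one is not.
        return "anomalous" if sum(baseline[attr].values()) / n_hosts >= 0.5 else "normal"
    prevalence = baseline[attr][new] / n_hosts
    if prevalence == 0:
        return "anomalous"          # value (or whole attribute) never seen anywhere
    return "normal" if prevalence >= 0.5 else "rare"


def _path(attr):
    parts = attr.split("|")
    return parts[1] if parts[0] == "file" and len(parts) == 3 else None


def _related(a, b):
    """Two changes belong together when one names a file the other references."""
    pa, pb = _path(a[1]), _path(b[1])
    return ((pa is not None and (pa == pb or pa in str(b[3])))
            or (pb is not None and pb in str(a[3])))


def group_changes(changes):
    """Union related changes so a dropped file and its autorun entry form one group."""
    groups = []
    for change in changes:
        linked = [g for g in groups if any(_related(change, other) for other in g)]
        groups = [g for g in groups if not any(g is l for l in linked)]
        groups.append([change] + [c for g in linked for c in g])
    return groups


def assess(old, new, population, policy):
    """Full pass for one host: classify every change, then group the anomalous ones."""
    baseline = build_baseline(population)
    report = defaultdict(list)
    for change in capture_changes(old, new):
        report[classify(change, baseline, len(population), policy)].append(change)
    report["groups"] = group_changes(report["anomalous"])
    return dict(report)


# Constructed next scan of ws03: a legitimate upgrade, an admin overriding the
# USB policy, and a dropped executable wired into a Run key (plus a hosts edit).
WS03_NOW = dict(POPULATION["ws03"])
WS03_NOW[ACME_VER] = "2.2"
WS03_NOW[USBSTOR] = 3
WS03_NOW[HOSTS] = "e4d2...5b"
WS03_NOW[r"file|C:\Users\Public\svchost.exe|sha256"] = "9a77...c3"
WS03_NOW[r"reg|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"] = r"C:\Users\Public\svchost.exe"

if __name__ == "__main__":
    for label, items in assess(POPULATION["ws03"], WS03_NOW, POPULATION, POLICY).items():
        print(label, items)
```

Run as-is, the upgrade to 2.2 scores as normal because three of five hosts already carry it, the `USBSTOR\Start` change is reported as policy drift regardless of prevalence, and the three never-seen values come back anomalous with the dropped executable and its Run key grouped together while the hosts-file edit stands alone. Only the change records cross the wire, not full images, which is the efficiency point the post makes.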

But wait, there is more

Cisco Study Shows the Basic Flaw in Whitelisting Solutions

Some days you wake up and the world hands you a completely unexpected gift.  This morning I found an article on the SC Magazine site that provided statistics from a Cisco survey about employees and IT security policies.  Some stats from the article:

  • 24% of employees are unaware that IT policies exist.
  • 10% said that IT policies are never communicated.
  • 32% of employees said that the policy was only communicated once per year.
  • 35% of employees that are aware of IT policy said IT does not provide an explanation or rationale for why it exists.
  • 20% of employees make a conscious decision to break IT policy because they believe these policies are not enforced.

These statistics do not paint a picture of a well informed user community.  Users do not know the policies, don’t understand the policies, or don’t understand why there are policies.  The few that seem to understand often choose to willingly ignore them.

The most telling statistic indicated that 40% of the employees break IT policy because “they need restricted programs and applications to get their job done”.  In other words, they know they are breaking policy but make the decision to willingly do so and feel justified because they feel it is critical to their jobs.

So why is this study a gift for me?  I am frequently asked to contrast and compare Triumfant and our capabilities against whitelisting tools.  I have a good answer, and while I normally become extremely animated about the subject and speak in authoritative tones, I did not have hard evidence to fully back up my position.  Until now.

You see, whitelisting sounds really smart and effective in explanation, and is often cited as an alternative to signature based tools and falling malware detection rates.  There are animated claims about its effectiveness against zero day attacks, the advanced persistent threat, rootkits, and the cough due to cold.

If you dig deeply past all of the hype, you will find that whitelisting tools work in three modes:

  • Notify mode will notify the appropriate IT staff if a user installs an application not on the white list.
  • Warn mode will notify the user that they are installing an unauthorized application and provide them the option to stop the install or proceed.
  • Block mode will automatically block the installation of any unauthorized application.

These are not my descriptions – they are from the literature and documentation of the whitelist vendors.  They just don’t surface in the sales presentations.

The documentation clearly states that block mode is only available if the environment is locked down.  For those environments that have even small degrees of flexibility and some personal use capabilities, whitelist solutions only work in warn mode.  Their words, not mine.

Therefore, the efficacy of the whitelist solution now rests in the hands of the user of the machine.  Yes – the very same users statistically characterized by the Cisco study.  The user who likely made a conscious decision to install the program, has a one in four chance of being completely unaware of IT policies, and, if aware of the policies, either does not understand them or is willing to break them.  Hardly sounds like a recipe for closing gaps in endpoint security.

This is not my first rodeo and I have been dealing with the user community since I helped support a quaint old notion called the “Information Center” back in the early 80’s.  Since then, every shred of evidence and experience tells me that most users presented with a warning screen from the whitelist tool will blithely blow right past it.  Now I have the statistics to back that up.

My contention is that only a small number of organizations are locked down, and therefore a whitelist tool can only be run in warn mode, which puts critical protection decisions into the hands of the general user population.  The population that may not know, may not care, and will likely be perturbed that they get a warning screen.  These statistics clearly indicate that more than a trivial number of users will circumvent the protection, whether through ignorance, apathy or choice.

So excuse me if I do not jump on the “whitelisting will cure all of your problems” bandwagon.  And BTW, the same warning process is employed by the prevalence based technologies such as Symantec Quorum that Symantec and McAfee are touting so highly.  The reliance on the user as part of the protection mechanism is equally flawed.

Triumfant does not rely on the user to make evaluations or give them the option to violate policies.  We enforce configurations and policies on a daily basis, and it is an informed administrator that evaluates potential malicious activity and makes the decision to remediate such problems.

So now I have some statistics to support my animated hand waving. Amazing what a little gift like some statistics will do for your day.

As Antivirus Performance Declines, Organizations Must Reconsider Endpoint Security

There has been some interesting response to the previous blog post entitled “Time to Put Your Antivirus Software on a Diet”.  In the short time since the posting there has been some interesting news that intersects nicely with the conversation.

Microsoft announced (ZDNet article here) that it has finished the Release Candidate test build for its Forefront Protection software.  Forefront is Microsoft’s endpoint protection offering for businesses of all sizes running Windows based machines, and it is based on the Microsoft Security Essentials AV engine that tested comparably to the other products in a recent group test report by NSS Labs on anti-malware products.  Microsoft literature and third party evaluations indicate that the Forefront offering will have the centralized command and control that an enterprise would require to administer the product across an organization.

Microsoft is also making waves (CNet article here) by adding a feature to its OS update service that offers home users the option of installing Microsoft Security Essentials when the update service senses there is no AV software running on the machine.  This is not an automatic download – the user must opt in.  This change to the update process started on November 1 in the U.S. and is raising the ire of other AV vendors who focus on the home/consumer market.  These vendors believe that MS is using the unfair competitive advantage of its OS update process to plant non-OS software on machines.  The fact that MS Security Essentials is free and could significantly cut into the consumer revenue of these vendors may also be a factor.

While neither of these news items is earth shattering, I think they are indicators of a trend: AV software is on the track toward commoditization and that track is gaining speed and momentum daily.  You simply cannot ignore the evidence – I can assure you the adversary has not, and will gladly exploit those organizations that are slow to see the signals.

My point in the previous blog post was that organizations might want to take a fallback position on AV software and look for options that place less of a burden on the endpoint machines and less of a burden on the IT security budget.  I made that recommendation based on two facts: 1) attacks get past AV at a steadily increasing rate; 2) the layers the AV companies have put on top of AV are not slowing down the decline, and are costing your organization money and slowing down the machines.  The new math of endpoint protection has to include prevention (such as AV) and detection.  Apply the money saved by putting your AV on a diet toward a solution that does not require signatures or any other form of prior knowledge.  Your organization becomes better protected, the end user gets better performance, and you get both of these benefits for the same or less investment.

Now for the disclaimers.  I am not an industry analyst and Triumfant is one of those no signatures, no prior knowledge alternatives, so the recommendation is definitely not from a neutral source, as I would clearly like for Triumfant to be the alternative of choice.  Triumfant did not perform the broad testing on the AV software, and I personally have not tested either MS Security Essentials or MS Forefront.  Triumfant is not an MS partner and we have absolutely no vested interest in the adoption of their products.

These disclaimers may color my opinions, but they do not change the evidence around you.  For example, the NSS Labs study is one of many that show declining malware detection rates.  At the very least, it is time to start the conversation, and coming into a new year’s budget cycle is a great time to start.  Examine your protection strategy and get comfortable with adding detection capabilities.  Evaluate the spend on prevention and determine if you are getting real value for that spend.

And please, don’t look toward the AV vendors for advice, as the results there will be highly predictable.  The AV market has been a lucrative cash cow for some time and it is not one they are looking to give up without a fight.

Study on Malware Detection Rates Makes the Point(s)

Last week I was pointed to a recent group test report by NSS Labs on anti-malware products by a blog entry by Andy Greenberg on the Forbes web site.  Triumfant does not have a massive research group, so I rely on data such as this report to back up many of the things written on this blog.  The NSS Labs study is done independently and without sponsorship, so it is a good source of supporting data.

Allow me to step through some of the points I touch on frequently (links added for your convenience) and use the NSS data to support those points:

The odds are not in your favor. The NSS summary offers two key takeaways from the numbers:

  • Cybercriminals have between a 10% and 45% chance of getting past your AV with Web malware (depending on the product)
  • Cybercriminals have between a 25% and 97% chance of compromising your machine using exploits (depending on the product)

One of the more popular posts that addresses this issue further is “Antivirus Detection Rates – It is Clear You Need a Plan B”.

Adding more layers to your AV product will never get you to the 100% shield. In previous posts such as “Defense in Depth – There is No Perfect Shield”, I discuss how everyone wants a 100% shield.  The NSS Labs study shows there is no 100% shield now, nor is there one in sight.  You are not getting closer to a 100% shield; it is moving away from you.  The statistics show that the only AV software that actually improved its detection score from the previous test was McAfee, which went from 81.6% to 85.2% in one year.  McAfee threw the considerable weight of its very large organization at the problem, and it is still missing one in every seven attacks.  One can also assume that the increased volume of attacks alone ate away any of the gain McAfee was able to realize.  Kudos to McAfee, because on average…

The detection rates are decreasing. According to the NSS Labs report, “products slipped by 6% on average from 2009 to 2010” in their ability to detect malware.  The press is full of claims by the AV vendors that they have either upped the capabilities of their AV products or added elements to their AV suites to close the gap.  All evidence is to the contrary.  Detection reports from AV suites use volumes of detected attacks, artificially inflated by the increasing number of attacks, to obscure the declining detection rates as a percentage of attacks (“Antivirus Detection Rates – Undetected Attacks Are Still Attacks”).  And yes, the proper conclusion is that decreasing detection rates translate into more attacks reaching your endpoints.

Attempts at closing the detection gaps are negatively affecting performance. As AV vendors attempt to plug the leaks with add-ons to their AV suites, there is an effect on the performance of the machine that is not proportional to the extra protection.  If you look at the performance data on pages 13-17 of the report, you will see that the Microsoft Essentials offering consistently rates as having low system impact.  Given that Microsoft is not generally lauded for efficient design, one can conclude that the lack of add-on capabilities at the very least contributes to the proportionately lower impact of MSE on the machines.

Exploits must factor into the equation. The NSS Labs report has a separate section on the ability of the products to protect against exploits encountered while using the World Wide Web.  The report shows that “over half of the AV products stop less than 50% of the exploit attacks”, and many of the products that score best in malware protection are the worst for exploit protection.  Exploits are just as dangerous to your organization as traditional malware, and you must consider the performance against these exploits when considering the efficacy of your protections.

All of these points lead to the two most important points that you can simply no longer ignore:

Attacks are getting through to your endpoints. The best-case scenario according to the NSS Labs study is that one out of every ten malware attacks and one out of every four exploits makes it past your defenses to the endpoint.  We often address the challenges of protecting endpoints in terms of the growing number of signatures, the increasing complexity of attacks, and other factors, but these numbers are right there for you to either accept or ignore.  You could spend every dollar you have on shields and it will not change this fact.  In fact, I would argue that for every additional dollar you spend on shields you are getting pennies back (“New Math of Endpoint Protection”).

The equation for endpoint protection has changed, and detection must now be added to prevention. The data in the NSS Labs study clearly supports the fact that you must have a tool in place that uses an alternative approach to detect when a malicious attack or exploit has successfully infiltrated your machines, which happens at a rate ranging from 10% to 45% (and trending downward, BTW).  The facts dictate that you revisit your endpoint protection strategy and embrace the fact that “Endpoint Protection Must Be About Prevention AND Detection”.  Better yet, you need a tool that can help you address the detected attacks quickly and efficiently, to contain the attack from spreading and minimize the operational impact.

Two weeks ago an article in Information Week called “Outgunned: How Security Tech Is Failing Us” took a hard look at why organizations are losing the battle against the evolving threats.  The statistics behind this study support my response, which asks the question “Is Security Tech Failing Us or Are We Failing to See the Light?”.  The numbers in the report suggest that we are the ones who are failing, because we stare directly at the hard evidence and choose to ignore it.  Regardless of how we interpret the numbers and reconcile what they are telling us, the hard truth is that at least one out of every ten attacks is getting through.  No amount of denial will change that.
