Features: May 1st, 2015

In this article Adam Winn argues that the internet has not become a safe place as some in the cyber security industry claim. But he has good news about how to counter the continuing threats.

Each time someone reports that antivirus is dead, a hacker gets his wings (and I get furious). With our industries becoming increasingly data-driven, the need to protect our networks, devices, and archives has become more important than ever. In a world of weaponized emails and polymorphic, self-replicating malware, entertaining the idea that endpoint antivirus protection is dead is both ignorant and dangerous.

Brian Dye, vice president of Symantec and Norton, told The Wall Street Journal that traditional antivirus software is dead because they only detect roughly 45 percent of all attacks, and that of threats detected, most are so dynamic that containing them is too difficult. Furthermore, security provider FireEye was quoted saying, “the function signature based AV serves has become more akin to ghost hunting than threat detection and prevention.” Ghost hunting? Really? – C’mon.

Yes, we are aware of the new challenges affecting those in the cybersecuity community, but neither I nor anyone at OPSWAT are as defeated as those at Symantec. We know the internet isn’t exactly a small space, and that the rate at which mass amounts of data travelling this space is increasing exponentially. This has raised the importance (along with the challenges) of having up-to-date threat detection software. David Harley, senior researcher at ESET, discussed the glory days of anti-malware protection by describing how the: “Speed of [malware] spreading was restricted by the fact that the internet was a far smaller place, and that restriction also meant that once a malicious program had been identified, an AV customer who diligently updated his anti-virus as soon as signatures were available was likely to see his signatures before he saw the malware (if at all).”- Harley (2013).

Today, even the most diligent AV customer may still fall victim to malware threats, which can be taken to support Dye’s belief that the anti-virus industry may be dead. However here at OPSWAT, we aren’t so quick to throw in the towel. We agree with Dye up to the point that traditional AV software may be out of pace to keep up with advanced persistent threats (APTs), but we have a new innovative solution- and there’s nothing “traditional” about it.

Traditional, or stand-alone AV software, lacks the multi-layered protections necessary to keep up with polymorphic threats. Harley reiterated Pierre Vandevenne’s (an ex colleague of Harleys) views on the future of AV in his article; Vandevenne says that:
“Traditional stand-alone AV (essentially the scan-detect-protect-clean paradigm) should definitely be dead. Multi-layered protections with web browsing protection, DNS monitoring, in the cloud file checks and heuristics, real time analysis of new and/or infrequent or unique executables (of all kinds) are definitely needed but won’t ever reach the near perfect protection levels the AV industry offered at very specific and short lived moments in the history of malware.”

Traditional antivirus may be dead, and Dye’s pessimism might be alluding to how the industry can no longer market itself on 100% protection, 100% of the time; because perfection is simply no longer a reality for the challenges the cyber security industry faces. However, just because no single antivirus software can offer complete perfection, does not mean there are no security solutions available. Utilizing multiple scanning engines, with layers of network check points, can offer the kind of multi-layered protections that both Harley and Vandevenne have prescribed.

Truth is, the Internet is still not a safe place (surprised? – didn’t think so). What’s worse is that it isn’t getting any safer. Criminals, as with any crime, will seek out the path of least resistance. Cyber criminals seek out your network’s weakest link, manipulate your software, and can rob you blind of highly valuable information. By infiltrating the networks of healthcare facilities or financial institutions, cyber criminals can use the sensitive personal information of your employees, patients, or customers to make themselves a fortune overnight. And with the rise of high-tech exploit kits (crimeware), the bar for being an effective cyber criminal continues to get lower. Crimeware has allowed near novices (maybe even AOL users?) the ability to become cyber criminal “masterminds”. Which is why the need to protect all of your network’s endpoints has become so important. As long as there are highly valuable sets of data and personal information, you can count on some desperate hacker trying to make a fortune off of it. Hackers of all levels believe that if there’s a will, there’s a way through your 20th-century windows defender firewall- and they’re right.

Now, attacks targeted at big corporations with APTs may make the headlines (Target, Home Depot, Sony and Anthem breaches to name a few), but there’s still a vast array of ‘everyday’ malware out there infecting personal computers. These infections have been spreading, and overall data-theft incidences have increased year by year. IBM just released a study that estimated that over 1 billion data records were leaked in 2014 alone; a significant jump from 2013. An article in Security Week also reported that of those attacks, “the most commonly attacked industries were computer services (28.7%), retail (13%), government (10.7%), education (8%), and financial markets (7.3%).” These type of infections have continued to spread throughout our home, banking, and healthcare networks, rendering our personal information exposed and up for grabs. The CERT/CC is still tracking these malware breaches for PUAs, which is expected to raise the 2014 infection toll from 8,000 to 30,000. Techtarget attributed this increase in reach, source, and damage to their ability to lay dormant within your network and self-replicate to any desktop, server, mobile device, or printer (yes, even your printer). This has made detecting advanced threats both a high priority and a complex task for any serious network security administrator. In order to detect advanced threats, you need to utilize all of the resources you have at hand. Maintaining control of all devices in your network in order to prevent PUAs from being downloaded is your first line of defense. Our GEARS software utilizes advanced multi-scanning technology, and strict endpoint configurations to detect and protect your devices from being another IBM statistic. Our January market share report shows how OPSWAT GEARS found that 3.3% of devices contained previously undetected malware and PUAs. Based on this data, it is safe to assume that no single antivirus software can provide complete and comprehensive network security (Okay, so maybe Dye was kind of right). In order to prevent the unwanted spread of malware, all network devices should utilize our multi-scanning technology and endpoint management system to secure each device entering their network.

APT protection is good and necessary for enterprise-level companies, but it shouldn’t come at the cost of a well-managed and enforced endpoint security policy. Think of it this way, a brand new luxury car may come with a fancy high-tech alarm that disables the ignition, has GPS tracking, etc. all to deter theft – but the owner will still lock the doors and roll up the windows as a general best practice. APT protection is like the high-tech alarm, while endpoint anti-malware protection is the less-sexy but equally important door locks. I would even argue that locking your doors and rolling up your windows is the most important line of defense against theft. OPSWAT provides these “door locks” for free with our GEARS software for up to 25 devices.

Anti-malware is much more than just antivirus. Spyware, greyware, exploit kits, and all manner of PUA/PUP can be just as dangerous to an organization. These types of malware seek to phish out valuable user data for their own monetary gain. That is why protecting against viruses alone is only a fraction of what good endpoint anti-malware software can do. Think of it this way, if you went to the doctor for a terrible sinus infection, and you were only given Dayquil, you would only be addressing the surface symptoms and not the problem (problem is you also have a terrible doctor). With anti-malware software, you can zero in on the source of the infections, and protect yourself from future phishing scams by managing your devices in the same way you would enforce your immune system with proper diet and exercise.

Anti-phishing precautions across the industry are growing in importance as a response to how advanced malware have become. Phishing scams have often operated under the guise of a fully functional website, with their sole purpose being to extract sensitive personal information such as passwords, usernames, and banking information for monetary gain. This has lead web browsers like IE, Firefox, and Chrome to take these security threats into consideration, as it was leaving their customers completely vulnerable. Today, Google Chrome users will definitely notice the new built-in security features. Chrome has essentially made it so that any known phishing sites are completely blocked unless the user actively goes through and disables the security features altogether (why anyone would do this is completely beyond me).

These features are intended to add an additional layer of defense against endpoint infections from untrustworthy websites, but the fact that a user can disable these functions can be disconcerting for IT admins. With Gears, an IT admin can require that each and every device uses a browser with anti-phishing features enabled. Thereby making the browsers themselves another “door lock”.
Door locks and medicine may sound simple enough, but how do you secure a car or immune system that isn’t yours? Now things get tricky. BYOD policies that allow employees to bring their personal devices like phones, tablets, or laptops to work typically come with a vast array of different anti-malware products installed, in varying states of configuration (as if things weren’t tough enough). The more devices and software running through your networks means more variables to control, and this can make it hard for IT admins to secure their network with confidence. With certain endpoint management tools, admins will be able to configure security policies that must be met by any visiting device.

Providing comprehensive, real-time protection for your private office or public network is imperative. 90% of the devices included in our market share report had antivirus software that had not run a full system scan within the past week, while 15.1% of that same group had out-of-date virus definitions. Clearly, relying on one antivirus software’s scanning features or virus definitions is unwise since no single AV software is capable of detecting all threats. GEARS utilizes multiple antivirus and anti-malware services into one cohesive and comprehensive security solution. For IT and security departments that have implemented (or plan to implement) network access control or SSL-VPN endpoint posture controls, they may find that some products on the market lack comprehensive detection of endpoint security software, give vague or incomplete remediation instructions to users, make debugging a hassle for admins, and also lack quality coverage of Mac antivirus products.

Adam Winn is senior product manager, OPSWAT