Hitting the ‘Up-To-Date’ Bull’s eye – VB2009 – Steven Ginn
Hitting the ‘Up-To-Date’ Bull’s eye
VB2009 – Steven Ginn
Overview: Defining and tracking “Up-to-Date”
• Signature based anti-malware requires updates to stay ahead
• More and more updates are released every day
• Need to provide technology for users to identify their “up-to-date” status
Signature Based Protection: Background
• Recognizes malware based on an identity
• Content is pattern matched against signatures
• New Malware = New Signatures needed
The ‘Up-to-Date’ Bull’s eye: What is it?
• The point where a product has the latest and greatest definitions
The ‘Up-To-Date’ Bull’s Eye: Why should we care?
• Staying current maximizes protection
• Important to know when to update
Hitting a moving target?
• Malware is more and more pervasive
• Constantly being created
• Anti-malware vendors react with new updates to keep up
• Users need to constantly update to keep up
Identifying Trends: OESIS Monitor
• Monitors Anti-malware products and online material
• Records any update available
• Used to find the bull’s eye
Trends and Observations
• Number of updates per day has increased
• Number of vendors and Signature formats has increased
• Update frequency by day of the week varies
Total Updates per year (chart)
Number of Vendors identified (chart)
Updates by Day of Week (chart)
Average Number of Updates by day, for the average vendor (chart)
Average Updates per day by year, for selected vendors (chart)
Average Updates per day by year, for selected vendors (chart, continued)
Caveats to Data: The “fine-print”
• Data for 2009 was scaled
• New Vendors introduced mid-year
• New Definition Formats introduced mid-year
Finding the Bull’s Eye: Communication tools
• Anti-malware vendors have tools to tell users whether or not they are up to date
• Each makes sense under different scenarios
Blacklist date: “Use by tomorrow”
• Every Update is stamped with an expiration
• Projected to last until next target delivery
• Allows client software to make an educated guess about where the up-to-date mark will be next
Blacklist date
Pros
• Easy to answer “Am I up to date?”
Cons
• Bad for critical outbreaks
• May expire prematurely
• Best educated guess
Brute-Force Update: Throwing Blind
• Just go get the latest always
• No need to care if up to date or not
• Best when you assume that you aren’t already up to date
Brute-Force Update
Pros
• Never miss, if frequent enough
Cons
• Resource intensive
• May interrupt user’s workflow
Push Mechanism: Always connected?
• Open a line between user and a central server
• When update available, push it to end user
Push Mechanism
Pros
• Minimizes outside communication
• Simpler to stay up to date
Cons
• Not good in heterogeneous environments
• Requires constant contact
Third Party enforcement: OESIS Monitor
• Monitors Update releases by vendors
• Provides reference point of latest definitions
Third Party enforcement
Pros
• Supports heterogeneous deployments
• Reacts quickly
• Reference point updates are often smaller than signature updates
• Best of Brute-force and push mechanisms
Cons
• May not catch everything
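As an added illustration (not code from the talk or from OESIS), here is how a client could combine the two signals described on the ‘Blacklist date’ and ‘Third Party enforcement’ slides: the use-by stamp on the installed update and the latest-release reference point from an external monitor. The names, the constructed timestamps and the decision order (reference point overrides the use-by date whenever it is reachable) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from enum import Enum
from typing import Optional, Tuple

class Status(Enum):
    CURRENT = "current"  # nothing newer is known to exist
    STALE = "stale"      # a reference point shows a newer release
    EXPIRED = "expired"  # use-by date passed, no reference point to consult

@dataclass(frozen=True)
class Definition:
    version: str
    released: datetime
    use_by: datetime  # the "blacklist date" the vendor stamps on the update

def within_use_by(installed: Definition, now: datetime) -> bool:
    """Blacklist-date heuristic: the vendor's educated guess at when the next release lands."""
    return now < installed.use_by

def reference_says_current(installed: Definition, latest: Optional[Definition]) -> Optional[bool]:
    """Third-party reference point: compare with the newest release a monitor has observed.
    None means no reference point is reachable (offline, monitor unavailable)."""
    if latest is None:
        return None
    return installed.released >= latest.released

def up_to_date_status(installed: Definition, now: datetime,
                      latest: Optional[Definition] = None) -> Tuple[Status, str]:
    """A reachable reference point overrides the blacklist date in both directions;
    the blacklist date is only the fallback when no reference point exists."""
    ref = reference_says_current(installed, latest)
    if ref is False:
        # Newer definitions exist although the use-by window may still be open:
        # the "bad for critical outbreaks" weakness of the blacklist date alone.
        return Status.STALE, f"newer release {latest.version} seen by reference point"
    if ref is True:
        # Nothing newer exists: a passed use-by date was merely a premature expiry.
        return Status.CURRENT, "installed release matches latest known release"
    if within_use_by(installed, now):
        return Status.CURRENT, "within use-by window (no reference point reachable)"
    return Status.EXPIRED, "use-by date passed, no reference point: fetch latest (brute force)"

# Constructed sample data, not real vendor release timestamps.
INSTALLED = Definition("2009.09.23.1", datetime(2009, 9, 23, 8), datetime(2009, 9, 24, 8))
NEWER = Definition("2009.09.23.2", datetime(2009, 9, 23, 12), datetime(2009, 9, 24, 12))
NOW_IN_WINDOW = datetime(2009, 9, 23, 14)  # constructed "now" inside the use-by window
NOW_PAST = datetime(2009, 9, 25, 8)        # constructed "now" after the use-by date
```

With the same installed release, the four combinations of window state and reference availability give the four outcomes the slides describe: stale during an outbreak despite an open window, current after a premature expiry, current within the window offline, and a brute-force fetch when the window closed with no reference point.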
Cloud-Scanning: Get rid of the definitions
• Signatures live in the cloud
• Content is assessed by reputation and scanned when necessary on external sites
Cloud-Scanning
Pros
• Improved detection
• Faster identification
• Fewer systems to update
Cons
• Must always be connected
• Security concerns with sending data out
What next? Continue the uphill battle, or go around?
• Signature based detection isn’t scaling
• What good is providing signatures if users can’t keep up with them?
• Try to improve alternatives to become proactive, not reactive
Questions?