The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security
Transcript of The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security
Today’s Speakers
Chris Merritt, Director of Solution Marketing, Lumension
Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE), SANS Institute Instructor
Today’s Agenda
Decreasing Effectiveness of Anti-Virus
Cost Impact of Ineffective Anti-Virus
In-Depth View of Application Whitelisting
Q&A
Decreasing Effectiveness of Anti-Virus
Malware By The Numbers in 2010
• One third of all malware ever recorded was produced in 2010
• One vendor found 60,000,000 malicious files among 134,000,000 unique files submitted (~45%)
• The number of unique new malware instances / threats grew by an average of 63,000 per day
• 52% of new malware exists for only 24 hours
» Gone before a signature is ever created?
• An astounding 53% of computers with current AV signatures experienced a malware infection
Malware Detection Rates, Day 1 and Day 30
Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010)
AVERAGE detection rate upon initial discovery = 19%
AVERAGE detection rate after 30 days = 62%
AV - Nothing Innovative Here
• "Current generation" AV uses heuristics and reputation to bolster signatures
» Heuristics have been around for over a decade and have not worked
» An IP reputation lasts only as long as the DHCP lease on the address
• Change the address and get a new reputation
• Better yet, spoof an address that already has a good reputation
• AV vendors are moving signatures to the cloud to solve the problem…
» This doesn't solve anything; it simply moves the issue
» The age-old problem remains: you can't keep up with the bad guys
Stuck in a Never-Ending Cycle
1. Vulnerability discovered
2. Hacker writes exploit
3. An infected victim provides a sample to the AV company
4. AV company creates a signature and distributes it to the community
5. Hacker changes a few bytes so the signature no longer matches
6. Go to step 3 and repeat
Any Way You Look At It, It's Ugly
Fake AV Is Overtaking Real AV
• There are about 1,500 new / unique instances of Fake AV per day
» AV detection of Fake AV is less than 20%
• There are an estimated 500,000 unique Fake AV binaries on the Internet today
» http://www.techjaws.com/fake-antivirus-outpaces-real-antivirus/
• Fake AV companies are making more money than security vendors
» http://www.infosecurity-us.com/view/16010/rsa-fake-av-companies-making-more-money-than-security-vendors/
Hard To Tell Fake AV From Real AV
Cost Impact of Ineffective Anti-Virus
Your Endpoint TCO Reality
• 2007: 250K malware signatures identified monthly
• 2011: 2M malware signatures identified monthly
(Chart series: Malware Signatures, Endpoint TCO, Current Endpoint Security Effectiveness)
• Increasing malware
• Costly point technologies
• Fractured visibility
True Cost of Malware
• Acquisition Costs (20~40%)
» Licensing (license cost, maintenance, support)
» Installation (HW / SW, roll-out, other)
• Operational Costs (60~80%)
» System Management
» Incident Management (help desk, escalation, re-imaging)
» Lost Productivity
• Extraordinary Costs
» Data Breach
True Cost of Malware: Malware Cost Framework
Security Infrastructure
• Cost variables: AV license; hardware overhead; maintenance and upgrades; endpoint security management staff
• Cost information: 20 hrs/wk average time to manage endpoint security***; licensing represents 20% of the TCO for endpoint security software***; average cost of a network infrastructure engineer / IT security escalation team member = $82K
Malware Remediation
• Cost variables: help desk costs related to malware; IT staff costs related to malware
• Cost information: cost for an IT manager to be informed of / take action on a virus incident $500*; cost for one workstation to be stopped, scanned, and cleaned of a virus $1,000*; cost for one workstation to detect and clean a virus infection $100*; average number of attempts by a hacker to crack the network is 2x per month*; average cost of a security-related help desk call $18.75***
Lost Productivity
• Cost variables: network downtime; workstation unavailable
• Cost information: median server downtime due to malware 21 hrs**; 15 min/user/wk average lost time due to scanning***; the average company has one incident affecting 10 users with 6 hours of downtime due to malware***
Data Loss
• Cost variables: loss of sensitive data; cost of lost data records; cost of remediation; litigation / compliance fine risk; loss of customers
• Cost information: average organizational cost of a data breach $7.2M****; average cost per lost data record $214****; 20% loss of customers after a publicly disclosed data breach*****
Sources: * Trend Micro; ** ICSA; *** Hobson & Company; **** Ponemon Institute; ***** Unsecured Economies Report
A Look at Application Whitelisting
A New Approach Is Needed
• With traditional AV, reputation and heuristics did not work before, and nothing suggests they will magically work now
• No one can dispute that whitelisting is a better approach in the current environment
» You're already using a whitelist
» What people argue about is how it is implemented
» Automating whitelisting with a trust model is key
• Today's trust models give a real edge to whitelisting
» Now that is something new and innovative
Anti-Virus (Blacklist) vs. Application Control (Whitelist)
• Basis
» Blacklist: malware signatures, 30 million and growing @ xxx / month, e.g. DLoader.AMHZW, Exploit_Gen.HOW, Hacktool.KDY, INF/AutoRun.HK, JS/BomOrkut.A, JS/Exploit.GX, JS/FakeCodec.B, JS/Iframe.BZ, JS/Redirector.AH, KillAV.MPK, LNK/CplLnk.K
» Whitelist: hash of each approved application, as defined by IT Security, e.g. Word.exe, Excel.exe, Winnet.dll, Mozilla.exe
• Where it runs: blacklist runs as a service; whitelist runs in the kernel
• CPU usage: blacklist intensive; whitelist low
• Posture: blacklist reactive; whitelist proactive
• Zero-day and polymorphic malware: blacklist ineffective; whitelist effective
How Application Control Security Works (chart; values shown: 95% and 13%)
Impact of AV and Application Control
• Unwanted software (iTunes, games, IM, etc.)
» Antivirus (blacklist): not supported
» Application control (whitelist): only trusted, authorized applications are permitted
• Updates
» Antivirus: weekly, daily, hourly
» Application control: automated by the trust engine
• Zero-day protection
» Antivirus: new malware is always one step ahead
» Application control: implicit
• Operational performance
» Antivirus: file filter slows the system down; huge pattern-file comparison
» Application control: kernel based (= fast); no pattern comparison required
• Scalability
» Antivirus: today (avg.) 3,666,872 signatures; tomorrow? next year?
» Application control: the average PC has 66 applications with ~25,000 executables
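The "never-ending cycle" (steps 3 to 5) and the blacklist-versus-whitelist comparison above, worked through in code. This is an added example, not code from the slides or from any AV or application-control product. The "binaries", the signature named DLoader.example, and the approved-application list are constructed stand-ins; a real blacklist engine matches far more than one byte pattern, but the brittleness shown here is the same.

```python
"""Byte signature (blacklist) vs approved-hash allow-list (whitelist).

Added example with constructed stand-in 'binaries'; not code from the slides
or from any AV product.
"""
import hashlib
from typing import Dict, Optional

# Constructed executables: a short header plus some marker content.
WORD_V1 = b"MZ\x90\x00 word processor build 1"
EXCEL_V1 = b"MZ\x90\x00 spreadsheet build 1"
DROPPER_V1 = b"MZ\x90\x00 dropper stub " + bytes.fromhex("deadbeefcafe") + b" payload"

# Blacklist: the byte pattern the vendor extracted from the submitted sample
# (cycle steps 3 and 4). The name is hypothetical.
SIGNATURES: Dict[str, bytes] = {"DLoader.example": bytes.fromhex("deadbeefcafe")}


def blacklist_verdict(data: bytes) -> Optional[str]:
    """Return the name of the first matching signature, or None if nothing matches."""
    for name, pattern in SIGNATURES.items():
        if pattern in data:
            return name
    return None


def mutate(data: bytes, offset: int) -> bytes:
    """Cycle step 5: flip one bit inside the matched region so the signature no longer fits.

    Real packers re-encode the whole payload, but the effect on a byte signature is the same.
    """
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Whitelist: hashes of the applications IT has approved; everything else is denied by default.
APPROVED: Dict[str, str] = {sha256(WORD_V1): "Word.exe", sha256(EXCEL_V1): "Excel.exe"}


def whitelist_verdict(data: bytes, approved: Dict[str, str] = APPROVED) -> bool:
    """Allow only if the exact hash is in the approved list; no pattern comparison needed."""
    return sha256(data) in approved


def compare() -> Dict[str, object]:
    """Run both models over the original dropper, a one-byte variant, and an application update."""
    variant = mutate(DROPPER_V1, DROPPER_V1.index(bytes.fromhex("deadbeefcafe")))
    word_v2 = WORD_V1.replace(b"build 1", b"build 2")  # legitimate update, hence a new hash
    return {
        "blacklist_original": blacklist_verdict(DROPPER_V1),  # caught: signature matches
        "blacklist_variant": blacklist_verdict(variant),      # None: back to step 3 of the cycle
        "whitelist_original": whitelist_verdict(DROPPER_V1),  # denied: never approved
        "whitelist_variant": whitelist_verdict(variant),      # still denied: hash never approved
        "whitelist_word_v1": whitelist_verdict(WORD_V1),      # allowed
        "whitelist_word_v2": whitelist_verdict(word_v2),      # denied until IT or a trust rule approves it
    }


if __name__ == "__main__":
    for check, result in compare().items():
        print(f"{check:20s} {result}")
```

The last line of the result is the flip side the comparison leaves implicit: a legitimate update changes the hash, so an allow list needs an onboarding path (IT approval or an automated trust rule for updaters) or patching turns into a stream of denials.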
Don’t Just Listen To Us – Listen To Them!
"Antivirus, firewalls and intrusion detection are a start… But 'whitelisting' offers a stronger defense. … McAfee believes 'that's where the future is going.'"
-- George Kurtz, Worldwide CTO, McAfee
"Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration."
-- Raimund Genes, CTO, Trend Micro Inc.
"[Signatures are] completely ineffective as the only layer [of endpoint security], but as one of the layers, [they're] effective."
-- Nikolay Grebennikov, CTO, Kaspersky
Lumension® Intelligent Whitelisting™
• Discover: snapshot endpoints to identify and catalog all executables currently running on individual endpoints
• Define: define policies that automate trust decisions for endpoint applications
• Enforce: adjust and transition endpoints to the final lockdown policy
• Clean: eliminate known malware from production endpoints
• Manage: reporting and integrated systems management to update patches and configurations and deploy software
• Monitor: log all execution attempts and introduced changes to assess policy completeness and impact on the current IT environment
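The stages above as a minimal allow-list engine: snapshot a directory of executables, drop known-bad hashes before they are baked into the baseline, run in monitor mode to find policy gaps, then switch to lockdown. This is an added example, not Lumension's code and not a description of how Intelligent Whitelisting is implemented. Assumptions: executables are recognised by extension and identified by SHA-256; the caller passes in which process introduced a file (a real product gets this from a kernel file-system filter driver); the updater name patch-agent, the file names and the "known bad" hash are all constructed; the Manage stage (patching, reporting) is represented only by the log.

```python
"""Allow-list lifecycle: discover -> clean -> define -> monitor -> enforce.

Added, hypothetical example; not Lumension's code. File provenance
(which process wrote a file) is supplied by the caller here; a product
would record it with a kernel file-system filter driver.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set

EXEC_SUFFIXES = {".exe", ".dll", ".sys"}


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def discover(root: Path) -> Dict[str, str]:
    """Snapshot: catalog every executable under root as sha256 -> relative path."""
    return {
        sha256_file(p): str(p.relative_to(root))
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES
    }


def clean(catalog: Dict[str, str], known_bad: Set[str]) -> Dict[str, str]:
    """Drop anything already known to be malware before it becomes part of the baseline."""
    return {h: name for h, name in catalog.items() if h not in known_bad}


class Policy:
    """Define: approved hashes plus a rule that automates trust decisions."""

    def __init__(self, approved: Dict[str, str], trusted_updaters: Set[str]):
        self.approved = dict(approved)
        self.trusted_updaters = trusted_updaters  # e.g. the patch agent (constructed name)
        self.mode = "monitor"                     # log only until switched to lockdown
        self.log: List[dict] = []

    def enforce(self) -> None:
        """Transition the endpoint to the final lockdown policy."""
        self.mode = "lockdown"

    def execution_request(self, path: Path, introduced_by: Optional[str] = None) -> bool:
        """Decide whether `path` may run; every attempt is logged (Monitor stage)."""
        digest = sha256_file(path)
        if digest in self.approved:
            verdict = "allow"
        elif introduced_by in self.trusted_updaters:
            # Trust engine: output of an approved updater is approved automatically,
            # so routine patching does not generate a flood of denials.
            self.approved[digest] = path.name
            verdict = "allow (trusted updater)"
        elif self.mode == "lockdown":
            verdict = "deny"
        else:
            verdict = "would deny"  # monitor mode: record the policy gap, let it run
        self.log.append({"file": path.name, "sha256": digest[:12],
                         "by": introduced_by, "verdict": verdict})
        return verdict != "deny"


def run_demo() -> List[dict]:
    """Walk one endpoint through the lifecycle on constructed files; returns the execution log."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Word.exe").write_bytes(b"MZ word v1")          # constructed stand-ins
        (root / "Excel.exe").write_bytes(b"MZ excel v1")
        (root / "leftover.exe").write_bytes(b"MZ old infection")
        known_bad = {hashlib.sha256(b"MZ old infection").hexdigest()}  # constructed "known bad"

        # Discover, Clean, Define
        policy = Policy(clean(discover(root), known_bad), trusted_updaters={"patch-agent"})

        # Monitor phase: unknown binaries run but are recorded as gaps in the policy
        (root / "Dropper.exe").write_bytes(b"MZ unknown")
        policy.execution_request(root / "Dropper.exe", introduced_by="browser")
        policy.execution_request(root / "leftover.exe")

        # Enforce phase: the same requests are now denied; updater output is still allowed
        policy.enforce()
        policy.execution_request(root / "Dropper.exe", introduced_by="browser")
        (root / "Word.exe").write_bytes(b"MZ word v2")            # patch changes the hash
        policy.execution_request(root / "Word.exe", introduced_by="patch-agent")
        policy.execution_request(root / "Word.exe")               # now in the approved list
        return policy.log


if __name__ == "__main__":
    for entry in run_demo():
        print(entry)
```

Two points the log makes visible: the Clean stage has to happen before the baseline is trusted, or an existing infection is whitelisted along with everything else; and the monitor phase is what makes lockdown survivable, because every "would deny" entry is a gap to close (approve, add an updater rule, or confirm it is unwanted) before enforcement turns it into a help-desk call.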
Defense-in-Depth Endpoint Security
Threat categories: Known Malware; Unknown Malware; Unwanted, Unlicensed, Unsupported Applications; Application Vulnerabilities; Configuration Vulnerabilities
Layers (table in the original; each X marks a category the layer addresses):
• AntiVirus: X X
• Application Control: X X
• Patch & Remediation: X X
• Security Configuration Management: X
Intelligent Whitelisting Value Proposition
(Chart series: Malware Signatures, Malware Related Costs, More Effective Endpoint Security, ROI of Intelligent Whitelisting; 2011: Introducing Intelligent Whitelisting™)
Next Steps
• Overview of Lumension® Intelligent Whitelisting™
» http://www.lumension.com/Resources/Demo-Center/Overview-Endpoint-Protection.aspx
• Application Scanner Tool
» http://www.lumension.com/Resources/Security-Tools/Application-Scanner-Tool-2-0.aspx
• Whitepapers
» Think Your Anti-Virus Software is Working? Think Again.
• http://www.lumension.com/Resources/WhitePapers/Think-Your-AntiVirus-Software-Is-Working-Think-Again.aspx
» Intelligent Whitelisting: An Introduction to More Effective and Efficient Security
• http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx
Global Headquarters: 8660 East Hartford Drive
Suite 300
Scottsdale, AZ 85255
1.888.725.7828