The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security

Today, more than 1.6 million new malware signatures are identified each month, and more organizations are falling prey to "zero-day" attacks: malware for which an anti-virus signature does not exist. It’s no surprise that roughly half of the organizations surveyed in a 2010 Ponemon Institute study reported an increase in their IT operating expenses; a main driver of that cost increase was malware. Traditional anti-virus simply can't keep up in the malware arms race, and relying on it as your primary defense will prove costly. In this webcast, Paul Henry, security and forensics expert, and Chris Merritt, Director of Solution Marketing with Lumension, will examine:

• The true cost of anti-virus in terms of PC performance, network bandwidth, IT helpdesk costs, prevention of malware and more

• Why application whitelisting is a better approach to defend against rising targeted attacks

• How application whitelisting has evolved to provide a new level of intelligence that delivers more effective security and the necessary flexibility to improve productivity, even in rapidly changing endpoint environments

Transcript of The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security

Page 1

The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security

Page 2

Today’s Speakers

Chris Merritt, Director of Solution Marketing, Lumension

Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE), SANS Institute Instructor

Page 3

Today’s Agenda

Decreasing Effectiveness of Anti-Virus

Cost Impact of Ineffective Anti-Virus

In-Depth View of Application Whitelisting

Q&A

Page 4

Decreasing Effectiveness of Anti-Virus

Page 5

Malware By The Numbers in 2010

• 1/3 of all malware ever recorded historically was produced

• One vendor found 60,000,000 malicious files out of 134,000,000 unique files submitted (~45%)

• The average number of unique new malware instances / threats increased by 63,000 per day

• 52% of new malware exists for only 24 hours

»Gone before a signature is ever created?

• An astounding 53% of computers with current AV signatures experienced a malware infection

Page 6

Malware Detection Rates Day 1

Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010)

AVERAGE detection rate upon initial discovery = 19%

Page 7

Malware Detection Rates Day 30

Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010)

AVERAGE detection rate after 30 days = 62%

Page 8

AV - Nothing Innovative Here

• “Current generation” AV is using heuristics and reputations to bolster signatures

» Heuristics have been around for over a decade and have not worked

» Reputation lasts only as long as the DHCP lease on the IP address

• Change the address and get a new reputation

• Better yet, just spoof an IP address with a good reputation

• AV vendors are moving the signatures to the Cloud to solve the problem…

» This doesn’t solve anything. It simply moves the issue.

» The age-old problem remains: you can’t keep up with the bad guys…

Page 9

Stuck in a Never-Ending Cycle

1. Vulnerability discovered

2. Hacker writes exploit

3. Someone infected provides sample to AV company

4. AV company creates signature and distributes to community

5. Hacker changes a few bytes so signature no longer matches

6. Go to step 3 and repeat

Page 10

Any Way You Look At It – It’s Ugly

Page 11

Fake AV Is Overtaking Real AV

• There are about 1,500 new / unique instances of Fake AV per day

» AV detection of Fake AV is less than 20%

• There are an estimated 500,000 unique Fake AV binaries on the Internet today

» http://www.techjaws.com/fake-antivirus-outpaces-real-antivirus/

• Fake AV companies are making more money than security vendors

» http://www.infosecurity-us.com/view/16010/rsa-fake-av-companies-making-more-money-than-security-vendors/

Page 12

Hard To Tell Fake AV From Real AV

Page 13

Cost Impact of Ineffective Anti-Virus

Page 14

Your Endpoint TCO Reality

(Chart. Malware Signatures Identified: 2007, 250K monthly; 2011, 2M monthly. Labels: Malware Signatures; Endpoint TCO; Current Endpoint Security Effectiveness. Drivers: Increasing malware; Costly point technologies; Fractured visibility.)

Page 15

True Cost of Malware

• Acquisition Costs (20~40%)

» Licensing (license cost, maintenance, support)

» Installation (HW / SW, roll-out, other)

• Operational Costs (60~80%)

» System Management

» Incident Management (help desk, escalation, re-imaging)

» Lost Productivity

• Extraordinary Costs

» Data Breach

Page 16

True Cost of Malware: Malware Cost Framework

Security Infrastructure

» Malware Cost Variables: cost of AV license; hardware overhead costs; maintenance and upgrade costs; cost of endpoint security management staff

» Malware Cost Information: 20 hrs/wk avg. time to manage endpoint security***; licensing represents 20% of the TCO for endpoint security software***; average cost of a network infrastructure engineer / IT security escalation team = $82K

Malware Remediation

» Malware Cost Variables: help desk costs related to malware; IT staff cost related to malware

» Malware Cost Information: cost for an IT manager to be informed of / take action on a virus incident: $500*; cost for one workstation to be stopped, scanned, and cleaned of a virus: $1000*; cost for one workstation to detect and clean a virus infection: $100*; average number of attempts at cracking the network by a hacker: 2x per month*; average cost of a security-related help desk call: $18.75***

Lost Productivity

» Malware Cost Variables: network downtime; workstation unavailable

» Malware Cost Information: median server downtime due to malware: 21 hrs**; 15 min/user/wk average lost downtime due to scanning***; the average company has one incident affecting 10 users with downtime of 6 hours due to malware***

Data Loss

» Malware Cost Variables: loss of sensitive data; cost of lost data records; cost of remediation; litigation/compliance fine risk; loss of customers

» Malware Cost Information: average organizational cost of a data breach: $7.2M****; average cost per lost data record: $214****; 20% loss of customers after a publicly disclosed data breach*****

Sources: * Trend Micro; ** ICSA; *** Hobson & Company; **** Ponemon Institute; ***** Unsecured Economies Report

Page 17

A Look at Application Whitelisting

Page 18

A New Approach Is Needed

• With traditional AV, reputations and heuristics did not work before, and no signs point to them magically working now

• No one can dispute that whitelisting is a better approach in the current environment

» You’re already using a whitelist

» What people argue about is how it is implemented

» Automating whitelisting with a Trust Model is key

• Today’s Trust Models give a real edge to Whitelisting

» Now that is something new and innovative

Page 19

Page 20

Anti-Virus (Blacklist) vs. Application Control (Whitelist)

Basis

» Anti-Virus: Malware signatures, 30 million and growing @ xxx / month, e.g. DLoader.AMHZW, Exploit_Gen.HOW, Hacktool.KDY, INF/AutoRun.HK, JS/BomOrkut.A, JS/Exploit.GX, JS/FakeCodec.B, JS/Iframe.BZ, JS/Redirector.AH, KillAV.MPK, LNK/CplLnk.K

» Application Control: Hash of each approved application, as defined by IT, e.g. Word.exe, Excel.exe, Winnet.dll, Mozilla.exe

Execution

» Anti-Virus: Run as a service

» Application Control: Run in the kernel

CPU Usage

» Anti-Virus: Intensive

» Application Control: Low

Approach

» Anti-Virus: Reactive; ineffective on zero day, polymorphic

» Application Control: Proactive; effective for zero day, polymorphic

How Application Control Security Works

(Chart: 95% / 13%)
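The blacklist/whitelist contrast above, and the "change a few bytes" step of the never-ending cycle on slide 9, as an added example in Python that is not part of the deck or of Lumension's product. A byte-pattern signature is written for one constructed sample; a copy with a few bytes changed slips past it, while a SHA-256 allowlist of IT-approved executables denies both. The same allowlist also denies a legitimately updated approved executable until its new hash is approved, which is the flexibility problem the deck's trust model is meant to address. All file contents, names and the signature are constructed stand-ins, not real binaries or malware.

```python
import hashlib

# Constructed stand-ins for executable contents; no real binaries or malware involved.
APPROVED_FILES = {
    "Word.exe": b"MZ\x90\x00wordprocessor-build-1234",
    "Excel.exe": b"MZ\x90\x00spreadsheet-build-5678",
}
MALWARE_V1 = b"MZ\x90\x00dropper-payload-ABCD"
# Step 5 of the cycle: a few bytes change and the byte-pattern signature no longer matches.
MALWARE_V2 = b"MZ\x90\x00dropper-payload-ABCE"
# A legitimate vendor update to an approved application also changes its bytes.
WORD_UPDATED = b"MZ\x90\x00wordprocessor-build-1235"

# Blacklist: byte-pattern signatures extracted from samples already seen (constructed).
SIGNATURE_DB = {"Dropper.Sample": b"payload-ABCD"}


def blacklist_verdict(contents: bytes) -> str:
    """Signature AV: default allow, block only when a known-bad pattern is present."""
    for name, pattern in SIGNATURE_DB.items():
        if pattern in contents:
            return f"BLOCK ({name})"
    return "ALLOW"


def build_allowlist(approved: dict) -> set:
    """Application control: the allowlist is the SHA-256 of each IT-approved executable."""
    return {hashlib.sha256(data).hexdigest() for data in approved.values()}


def whitelist_verdict(contents: bytes, allowlist: set) -> str:
    """Application control: default deny, allow only an exact approved hash."""
    if hashlib.sha256(contents).hexdigest() in allowlist:
        return "ALLOW"
    return "BLOCK (hash not approved)"


def compare(samples: dict, allowlist: set) -> dict:
    """Side-by-side verdicts (blacklist, whitelist) for each labelled sample."""
    return {label: (blacklist_verdict(data), whitelist_verdict(data, allowlist))
            for label, data in samples.items()}


if __name__ == "__main__":
    allowlist = build_allowlist(APPROVED_FILES)
    samples = {
        "Word.exe (approved)": APPROVED_FILES["Word.exe"],
        "Word.exe (vendor update)": WORD_UPDATED,
        "malware v1 (signature exists)": MALWARE_V1,
        "malware v2 (bytes changed)": MALWARE_V2,
    }
    for label, (bl, wl) in compare(samples, allowlist).items():
        print(f"{label:32s} blacklist={bl:24s} whitelist={wl}")
```

The two verdicts on the updated Word.exe are the design trade-off in one line: the blacklist allows it because it matches nothing bad, the allowlist blocks it because it matches nothing approved. Deny-by-default is what closes the zero-day gap; keeping the allowlist current as software changes is what the deck calls a trust model.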

Page 21

Impact of AV and Application Control

Unwanted Software (iTunes, Games, IM, etc.)

» Antivirus (Blacklist): Not supported

» Application Control (Whitelist): Only trusted, authorized applications are permitted

Updates

» Antivirus: Weekly, daily, hourly

» Application Control: Automated by trust engine

Zero Day Protection

» Antivirus: New malware is always one step ahead

» Application Control: Implicit

Operational Performance

» Antivirus: File filter slows system down; huge pattern file comparison

» Application Control: Kernel based (= fast), no pattern comparison required

Scalability

» Antivirus: Today (avg): 3,666,872 sigs. Tomorrow? Next year?

» Application Control: Average PC has 66 applications with ~25,000 executables

Page 22

Don’t Just Listen To Us – Listen To Them!

Antivirus, firewalls and intrusion detection are a start… But "whitelisting" offers a stronger defense. … McAfee believes "that's where the future is going.”

-- George Kurtz, Worldwide CTO, McAfee

“Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.”

-- Raimund Genes, CTO, Trend Micro Inc.

“[Signatures are] completely ineffective as the only layer [of endpoint security], but as one of the layers, [they're] effective.”

-- Nikolay Grebennikov, CTO, Kaspersky

Page 23

Lumension® Intelligent Whitelisting™

Discover: Snapshot endpoints to identify and catalog all executables currently running on individual endpoints

Define: Define policies that automate trust decisions for endpoint applications

Enforce: Adjust and transition endpoints to final lockdown policy

Clean: Eliminate known malware from production endpoints

Manage: Reporting and integrated systems management to update patches, configurations and deploy software

Monitor: Log all execution attempts and introduced changes to assess policy completeness and impact to current IT environment
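The Monitor step, as an added example in Python that is not Lumension's code: it reads constructed execution-attempt log lines in an assumed "<time> <host> <path> <sha256>" layout, marks each attempt allow or would-block against a constructed hash allowlist, reports how complete the policy is, and groups the unapproved hashes so the Define step can revise policy before Enforce turns would-block into block. One log line records an approved path (Word.exe) running with an updated hash, which is exactly the kind of gap that should surface before lockdown.

```python
import hashlib
from collections import Counter, defaultdict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of file contents; the allowlist and the log both use this form."""
    return hashlib.sha256(data).hexdigest()


# Constructed allowlist: SHA-256 of IT-approved executables (contents are stand-ins).
APPROVED = {
    r"C:\Program Files\Office\Word.exe": b"word-build-1",
    r"C:\Program Files\Office\Excel.exe": b"excel-build-1",
}
ALLOWLIST = {sha256_hex(contents) for contents in APPROVED.values()}

# Constructed execution-attempt log; the "<time> <host> <path> <sha256>" layout is assumed.
EXEC_LOG = "\n".join([
    r"2011-03-01T09:00:01 PC-017 C:\Program Files\Office\Word.exe " + sha256_hex(b"word-build-1"),
    r"2011-03-01T09:02:13 PC-017 C:\Users\alice\Downloads\setup.exe " + sha256_hex(b"unknown-installer"),
    r"2011-03-01T09:05:44 PC-022 C:\Program Files\Office\Excel.exe " + sha256_hex(b"excel-build-1"),
    r"2011-03-01T09:07:02 PC-022 C:\Program Files\Office\Word.exe " + sha256_hex(b"word-build-2"),
    r"2011-03-01T09:09:30 PC-031 C:\Users\bob\AppData\Local\Temp\x.exe " + sha256_hex(b"unknown-installer"),
])


def parse_line(line: str) -> dict:
    """Split one log line; the path may contain spaces, the trailing hash never does."""
    time, host, rest = line.split(" ", 2)
    path, digest = rest.rsplit(" ", 1)
    return {"time": time, "host": host, "path": path, "sha256": digest}


def evaluate(log_text: str, allowlist: set, mode: str = "monitor") -> list:
    """Monitor mode records what lockdown would do; enforce mode actually blocks."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if event["sha256"] in allowlist:
            event["decision"] = "allow"
        else:
            event["decision"] = "would-block" if mode == "monitor" else "block"
        events.append(event)
    return events


def policy_gaps(events: list) -> list:
    """Unapproved hashes, most frequent first, with the paths and hosts they ran from."""
    attempts = Counter()
    paths = defaultdict(set)
    hosts = defaultdict(set)
    for e in events:
        if e["decision"] != "allow":
            attempts[e["sha256"]] += 1
            paths[e["sha256"]].add(e["path"])
            hosts[e["sha256"]].add(e["host"])
    return [{"sha256": h, "attempts": n, "paths": sorted(paths[h]), "hosts": sorted(hosts[h])}
            for h, n in attempts.most_common()]


def completeness(events: list) -> float:
    """Share of observed execution attempts the current policy already approves."""
    if not events:
        return 1.0
    return sum(e["decision"] == "allow" for e in events) / len(events)


if __name__ == "__main__":
    events = evaluate(EXEC_LOG, ALLOWLIST)
    print(f"policy completeness: {completeness(events):.0%}")
    for gap in policy_gaps(events):
        print(f"{gap['attempts']}x {gap['sha256'][:12]}... paths={gap['paths']} hosts={gap['hosts']}")
```

Reviewing the gaps is a Define decision, not an automatic one: the updated Word.exe hash is a candidate for approval (a trust-engine rule keyed to the vendor or the update channel would handle it), while an unknown installer seen on two hosts is a candidate for the Clean step. Switching `mode="enforce"` before completeness is close to 100% is how a whitelisting rollout generates help desk calls.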

Page 24

Defense-in-Depth Endpoint Security

Threat columns: Known Malware; Unknown Malware; Unwanted, Unlicensed, Unsupported Applications; Application Vulnerabilities; Configuration Vulnerabilities

Control rows (X = addressed):

AntiVirus: X X

Application Control: X X

Patch & Remediation: X X

Security Configuration Management: X

Page 25

Intelligent Whitelisting Value Proposition

(Chart labels: Malware Signatures; Malware Related Costs; More Effective Endpoint Security; ROI of Intelligent Whitelisting; 2011: Introducing Intelligent Whitelisting™)

Page 26

Next Steps

• Overview of Lumension® Intelligent Whitelisting™

» http://www.lumension.com/Resources/Demo-Center/Overview-Endpoint-Protection.aspx

• Application Scanner Tool

» http://www.lumension.com/Resources/Security-Tools/Application-Scanner-Tool-2-0.aspx

• Whitepapers

» Think Your Anti-Virus Software is Working? Think Again.

• http://www.lumension.com/Resources/WhitePapers/Think-Your-AntiVirus-Software-Is-Working-Think-Again.aspx

» Intelligent Whitelisting: An Introduction to More Effective and Efficient Security

• http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx

Page 27

Global Headquarters: 8660 East Hartford Drive

Suite 300

Scottsdale, AZ 85255

1.888.725.7828

[email protected]