Traditional Anti-Virus - Information Security Group

Abatis Security Innovations and Technologies
Ultimate Protection for your Information assets
Traditional Anti-Virus – A Busted Flush!
by Kerry Davies
Commercial Director, Abatis (UK) Ltd.
10-09-11
© Abatis 2004-2011
HDF - the new approach in malware protection
Patent Pending Worldwide
Background
• Computer Science degree in the early '80s
• In the security field since 1986
• Security evaluator – consultant – manager – company founder – director in a Big 4 firm – business partner
• MSc in Information Security at Royal Holloway 2007-8 (graduated 2009)

• Why is traditional A/V a "busted flush"?
• What is malware?
• How does malware work?
• How does traditional A/V work?
• An alternative approach (that works!)
WHAT IS MALWARE?

• Virus, worm, Trojan horse, key-logger, root-kit, logic bomb, etc.
• "Malware" is a value judgement – the same code is malicious or legitimate depending on whose interests it serves
• Malware is BIG BUSINESS for cyber criminals, cyber terrorists and hostile state actors – APTs
• Traditional anti-virus (A/V) is reactive, not proactive – infections have to occur before the A/V vendors can collect samples to generate signatures and the antidote
• Symantec's 2010 report announced that they had found 286 million pieces of new malware that year – traditional A/V vendors can't keep up with this volume, and the user community can't keep absorbing the megabytes of signature updates that the vendors push out daily
How does Malware work?
Elements of a worm (as an example):
• Warhead: gains access to the victim's machine
• Propagation engine: transfers the body of the worm to the victim
• Target selection algorithm: looks for potential new victims to attack
• Scanning engine: scans across the network for those targets
• Payload: implements specific actions such as opening backdoors, botnet enrolment, spyware, keylogger, rootkit ...
From: "Malware – Fighting Malicious Code", p. 79; Ed Skoudis, Prentice Hall 2004
Assessing the Threatscape

• Malware is everywhere and easily spread – nothing is safe any more
• As smart-phone use rockets and social networking explodes, we struggle to balance the need for security against the need to share information
• What connects the Hoover Dam and the Natanz nuclear facility in Iran? Both depend on SCADA/industrial control systems, and Natanz was the target of Stuxnet, discovered in 2010
• Consumerisation of IT – the blurring between professional and personal use of technology, mobile platforms and social networking pose serious threats
• Email spam, phishing, pharming and spear-phishing are on the increase
• So far in 2011, McAfee has identified 150,000 malware samples every day: one unique file almost every half second, and a 60% increase over 2010
• 19,000 new malicious URLs each day in the first half of this year, and 80% of those URLs are legitimate websites that were hacked or compromised
Consensus in the A/V Industry
"Anti-virus technology can't stop targeted attacks.... Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices."
Nir Zuk, founder and CTO of Palo Alto Networks, to SC Magazine, 9 September 2011

Symantec recorded that in 2010 it saw 286 million pieces of new malware.

In 2007 "....there were about 200 malware threats for mobile phones and more than 250,000 viruses for Windows."
Graham Cluley, senior technology consultant at Sophos

"Back in the 80s, computer experts were quick to dismiss PC viruses as harmless. We need to learn from this mistake and start taking the mobile malware threat seriously. Only by taking pre-emptive measures can we equip ourselves against this pernicious and escalating menace..."
Davey Winder, security journalist and consultant

"The security industry has done a miserable job of protecting customers and industry. More than half of malware is not blocked by anti-virus, as vendors can only deal with known malware........ The approach taken by most antivirus vendors is not good enough, as most claim to block 99 per cent of known malware, but most cyber criminals use unknown variants."
M86 Security CEO John Vigouroux, speaking to SC Magazine

"....Criminals will go where the money is," Ken Silva, CTO of Verisign, told CNET News. "If you start doing things of financial interest with your mobile phone, they will find a way to get your money."

"....With mobile menaces steadily on the rise, we can only anticipate how virulently worms can multiply, especially with the explosion of Bluetooth and the increase in workforce mobility in organisations like the NHS."
Leslie Forbes, Technical Manager, F-Secure
Effectiveness of Anti-malware solutions
Popular signature-based AV solutions detect on average less than 19% of malware threats on the day they appear. That detection rate increases to only 61.7% after 30 days.
Source: "Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis", 04/08/10

Recent malware infection tactics:
• Drive-by download infection
• Fake security tools and free scanning services (scareware)
• Social engineering via social networks, e.g. Facebook
• Malicious links embedded in email – phishing, pharming and spear-phishing attacks
• Booby-trapped PDF and document files with an embedded link or payload
OTHER METHODS OF PROTECTION

• Isolation
• Avoid questionable sites, download software only from reputable sites, run an anti-virus scan on any downloaded material
• Signature based – as the last table showed, on average 19% effective on day 1 and only about 62% after 30 days; reactive
• Heuristic – still reactive: signature-based fuzzy pattern matching with false positives (achieves 19%)
• Reputation based – incomplete coverage, limited, vendor specific, error prone, can be defeated
• Hashing – used as part of the reputation-based approach (a one-byte change to a file gives it a new hash, so hashes can be defeated)
• Blacklisting – seriously?
• Whitelisting – attractive in principle but a huge maintenance nightmare, as hashes have to be recalculated and redistributed to every machine for every change
• Combination – what the better A/V products are doing now...
• Kernel-level control over I/O – use the fundamental nature of malware as executable code, and the ring-based integrity mechanisms of the O/S, to block storage of executable program files on the hard disk, producing a fast, reliable, non-signature-based, proactive anti-malware solution
HDF - IMPLEMENTATION
[Diagram: two write operations passing through the Windows I/O stack, shown without and with HDF protection. Layers, top to bottom: Applications, e.g. WinWord (user mode / Ring 3); Operating system, e.g. Windows, input and output control (I/O Manager) (kernel mode / Ring 0), where the HDF filter sits; Interface to hardware (NTFS, FAT etc.); NTFS drive C:\.]
(a) save keylog.exe – without HDF protection the executable is written to C:\; with HDF protection the HDF filter in the I/O Manager blocks the write of keylog.exe
(b) save business.doc – Business.doc is not blocked in either case, because it is a document rather than executable code
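As an added example that is not part of the original slides and is not Abatis's HDF code, the following C program shows the classification rule the diagram relies on: a filter that decides from the content being written (a PE or ELF image header) rather than from the filename, contrasted with a filename-extension check that a renamed dropper walks past. It runs in user mode over constructed byte strings; the sample buffers, the function names, the small list of extensions and the comparison with a kernel minifilter are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { ALLOW = 0, BLOCK = 1 };

/* Constructed sample buffers (not real files): the smallest byte strings
 * that carry the headers the checks below look for. */

/* Minimal PE image: "MZ" DOS stub, e_lfanew at 0x3c pointing to 0x40,
 * and the "PE\0\0" signature at 0x40.  Everything else is zero. */
static const uint8_t SAMPLE_PE[0x44] = {
    [0x00] = 'M', [0x01] = 'Z',
    [0x3c] = 0x40,
    [0x40] = 'P', [0x41] = 'E',
};

/* "MZ" header whose e_lfanew (0xffffffff) points far outside the buffer:
 * not a loadable image, and a trap for unchecked arithmetic in a filter. */
static const uint8_t SAMPLE_BAD_MZ[0x40] = {
    [0x00] = 'M', [0x01] = 'Z',
    [0x3c] = 0xff, [0x3d] = 0xff, [0x3e] = 0xff, [0x3f] = 0xff,
};

/* ELF magic, as a Linux or Android binary starts. */
static const uint8_t SAMPLE_ELF[4] = { 0x7f, 'E', 'L', 'F' };

/* OLE compound-file magic, as a legacy Word .doc starts. */
static const uint8_t SAMPLE_OLE[8] = { 0xd0, 0xcf, 0x11, 0xe0, 0xa1, 0xb1, 0x1a, 0xe1 };

/* Does the buffer look like a Windows PE image?  Mirrors what the loader
 * requires: "MZ", then "PE\0\0" at the offset held in e_lfanew (0x3c,
 * little-endian).  e_lfanew is attacker-controlled, so the bounds are
 * checked without ever forming an out-of-range pointer. */
static int looks_like_pe(const uint8_t *buf, size_t len)
{
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return 0;
    uint32_t e_lfanew = (uint32_t)buf[0x3c] | ((uint32_t)buf[0x3d] << 8)
                      | ((uint32_t)buf[0x3e] << 16) | ((uint32_t)buf[0x3f] << 24);
    if (e_lfanew > len || len - e_lfanew < 4)
        return 0;
    return memcmp(buf + e_lfanew, "PE\0\0", 4) == 0;
}

static int looks_like_elf(const uint8_t *buf, size_t len)
{
    return len >= 4 && memcmp(buf, "\x7f" "ELF", 4) == 0;
}

/* Case-insensitive match of the final ".xxx" of a filename against ext. */
static int has_ext(const char *name, const char *ext)
{
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return 0;
    for (; *dot != '\0' && *ext != '\0'; dot++, ext++)
        if (tolower((unsigned char)*dot) != tolower((unsigned char)*ext))
            return 0;
    return *dot == '\0' && *ext == '\0';
}

/* The naive filter: decide from the filename extension alone.
 * Renaming keylog.exe to keylog.doc walks straight past it. */
int extension_filter(const char *name, const uint8_t *buf, size_t len)
{
    static const char *const exec_ext[] = { ".exe", ".dll", ".sys", ".scr", ".com" };
    (void)buf; (void)len;                       /* content is never examined */
    for (size_t i = 0; i < sizeof exec_ext / sizeof exec_ext[0]; i++)
        if (has_ext(name, exec_ext[i]))
            return BLOCK;
    return ALLOW;
}

/* The content filter: decide from what is being written, not what it is
 * called.  This is the rule a filter at the HDF position in the diagram
 * would apply to each write; a real kernel minifilter would see the data
 * in write-request buffers rather than one flat array (assumption). */
int content_filter(const char *name, const uint8_t *buf, size_t len)
{
    (void)name;                                 /* the filename is irrelevant */
    if (looks_like_pe(buf, len) || looks_like_elf(buf, len))
        return BLOCK;
    return ALLOW;
}

static void show(const char *name, const uint8_t *buf, size_t len)
{
    printf("%-14s extension filter: %-5s  content filter: %s\n", name,
           extension_filter(name, buf, len) == BLOCK ? "BLOCK" : "ALLOW",
           content_filter(name, buf, len) == BLOCK ? "BLOCK" : "ALLOW");
}

int main(void)
{
    show("keylog.exe",   SAMPLE_PE,     sizeof SAMPLE_PE);
    show("keylog.doc",   SAMPLE_PE,     sizeof SAMPLE_PE);     /* renamed dropper */
    show("business.doc", SAMPLE_OLE,    sizeof SAMPLE_OLE);
    show("a.out",        SAMPLE_ELF,    sizeof SAMPLE_ELF);
    show("stub.exe",     SAMPLE_BAD_MZ, sizeof SAMPLE_BAD_MZ); /* not loadable */
    return 0;
}
```

The renamed dropper is the case that matters: keylog.doc carrying a PE image is allowed by the extension check and blocked by the content check, while business.doc passes both. Two practical points follow from the code. Header fields such as e_lfanew arrive from the writer, so a filter in Ring 0 must bounds-check them before dereferencing, as looks_like_pe does. And the rule only covers executable program files being stored to disk; interpreted scripts, document macros and payloads that run purely in memory are outside what this check examines.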
PRODUCTS AND BENEFITS
• HDF Workstation
• HDF Server
• All versions of Windows from NT to latest 64 bit
• Red Hat Linux
• Mobile Platforms (future), Real Time, SCADA
• Enforce system integrity
• Stop zero day attacks and targeted attacks
• Block all unwanted software execution
• No signature updates required; fit & forget – low TCO
• No performance impact – potential improvement
HARD DISK FIREWALL (HDF)
[Diagram: HDF at the centre of a map of platforms, use cases and claimed benefits. Recoverable labels:]
Platforms: Windows NT, Windows 2000, Windows XP, Windows Vista, Windows 7, Linux, Android, Windows 7 Mobile, tablet devices
Use cases: keylogger protection (incl. USB); drive-by download protection; mobile worker laptops, e.g. sales people; clampdown; stop website defacement and secure hosted environments; mission critical systems including virtualised environments; critical systems protection; protection of legacy equipment; secure mobile platforms; secure real-time systems; safety critical systems; embedded systems; CNI & SCADA
Performance and effectiveness: performance improvement – faster if used without A/V or with on-demand-only scanning; security effectiveness improvement if used with traditional A/V; battery life enhancement research
Questions
Kerry Davies
Abatis (UK) Ltd
Royal Holloway Enterprise Centre
Royal Holloway University of London
Egham
Surrey
TW20 0EX
Tel: +44 (0) 7767 240799
kerry@abatis-hdf.com