March 2011

Think Your Anti-Virus Software Is Working? Think Again.

As attacks proliferate, anti-virus software can’t keep up. Fortunately, there’s a better way.

We’ve been so bombarded by computer viruses, worms, Trojan horses and other malware that we’ve become acclimated to their presence. We subscribe to an anti-virus (AV) offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studies show that even though most organizations use AV, more and more are succumbing to attacks. It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency.

WP-EN-03-11-11



Introduction

We’ve been so bombarded by computer viruses, worms, Trojan horses and other malware that we’ve become acclimated to their presence. We accept that they’re always going to be a threat. So we subscribe to an anti-virus (AV) offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studies show that even though most organizations use AV, more and more are succumbing to attacks. Even the leading anti-virus purveyors have admitted as much:

“Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.”
Rowan Trollope, Senior Vice President, Symantec

In particular, organizations are falling prey to “zero-day” attacks – viruses that haven’t yet been identified by AV providers and against which AV therefore offers no protection at all.

The problem is fundamental to AV’s design. AV is built upon a “blacklisting” approach, where the notion is to let all traffic in and then, hopefully, identify and remedy whatever your AV provider has been able to define as being “bad”. It’s like leaving your front door wide open and allowing anyone to simply wander into your home, hoping you’ll recognize the criminals before they do any damage.

Clearly a more effective way would be to let in only the applications you’ve approved, and block everything else. This is a process known as application control, or “whitelisting” – the opposite of AV’s blacklisting approach.

Application whitelisting is a mature, proven security strategy, but it was never designed with the flexibility to accept much change, such as constantly updating applications, frequent patch updates, etc. Traditionally, application whitelisting has been more widely adopted for “locked down” systems into which change is minimally introduced - systems such as point-of-sale terminals, e-commerce servers, and ATMs - that is, up until now.

Today, application whitelisting has evolved to become more flexible and easier to use, while still maintaining its robust security enforcement. However, relying on any one solution to defend your endpoints will leave you exposed and vulnerable. That’s why many organizations have implemented multiple layers of stand-alone security technologies. But in doing so, organizations have created a much more complex and burdensome endpoint environment to manage, with limited visibility, inefficient performance, increasing TCO, and a losing battle against increasing IT security threats.

It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency.

A View into the Blacklisting Security Model

In this security model you’re at the whim of your AV vendor’s ability to digest new malware from the world at large, analyze it, write a new AV signature and syndicate it down to you as a new definition file. From here you must ensure that every endpoint has the latest file. But what if there are machines that are offline and not connected to the network? How long will it take to make sure the new definition file is on every machine? How much IT bandwidth will be required to make this happen in a timely fashion, and what’s the performance hit to the network and each endpoint? A blacklist approach is no longer effective as a stand-alone defense against today’s threats.

Putting AV in Its Place

First, let’s be clear: AV is still a relevant technology within the endpoint security arsenal, and one that should be used consistently across the enterprise to help manage fast-spreading and widely known malware.

However, relying on AV as your primary defense against malware locks you into an arms race that you will never be able to win. There are a number of reasons for this:

1. The exponential growth in malware and the exploitation of application vulnerabilities. AV vendors typically report finding millions of new pieces of malware every year – some as many as 60,000 per day. What’s more, this malware is exploiting a rising volume of software application vulnerabilities. In 2010, the vulnerability count exceeded 8,000, and users saw about four times more vulnerabilities in third-party software than in Microsoft applications [1].

[1] Secunia Yearly Report, 2010

[Chart: Number of Vulnerabilities, 2005 to 2010 (y-axis from 4,000 to 11,500). Source: Secunia Yearly Report, 2010]

2. The growing sophistication of malware. The motivation for producing malware increasingly is to steal data and make money. So the attacks are becoming more targeted, and the malware involved is getting harder to detect. For example, so-called polymorphic and metamorphic malware can automatically mutate in an attempt to avoid detection by anti-virus technology. In addition, malware is maturing as an industry unto itself - the proliferation of malware exploitation kits and malware-as-a-service (MaaS) is effectively automating the distribution of new malware at unprecedented rates.

3. The declining effectiveness of AV. Consider the numbers. AV software detects only 19 percent of new attacks, according to cyber-intelligence firm Cyveillance. That number increases to just 62 percent after 30 days. Overall, AV misses 10.2 percent of all malware, according to a recent study by AV-Test and PC World – or about 6,100 of the 60,000 new pieces of malware reported each day. That’s roughly one breach every 14 seconds.

In short, AV is necessary but not sufficient. Today there are simply too many attacks, vulnerabilities and connections for AV to remain the safeguard it once was.

Average No. of New Malware Discovered per Minute

Year | New malware per minute
2007 | 11.1
2008 | 20.1
2009 | 31.9
2010 | 41.7

Extrapolated from McAfee Labs, McAfee Threats Report: Third Quarter 2010.

Just How Effective is AV?

The numbers are bleak. Here’s what the Computer Security Institute, which publishes an annual computer security survey, found on AV usage and success rates over the past 10 years:

Between 96 percent and 99 percent of organizations were using AV. But their success against malware didn’t match their usage rates. From 2001 to 2008, malware issues steadily improved. But in the past two years that trend has reversed, and malware issues have been increasing. Even in the best year, 2008, fully one-half of organizations had problems with malware.

Year | Organizations Using AV | Organizations With Malware Issues
2001 | 98% | 94%
2002 | 98% | 85%
2003 | 99% | 82%
2004 | 99% | 78%
2005 | 96% | 74%
2006 | 97% | 65%
2007 | 98% | 52%
2008 | 97% | 50%
2009 | 98% | 64%
2010 | 97% | 67%


Mounting Endpoint Costs

All that malware results in additional costs. In fact, 48 percent of organizations reported an increase in their IT operating expenses, according to a 2010 Ponemon Institute study commissioned by Lumension. Significantly, 50 percent said a main driver of that cost increase was malware. Such costs include:

1. The cost of deploying, managing and updating AV software. All for software that isn’t doing a particularly good job of protecting your endpoints.

2. The performance hit against computers, servers and networks for running AV that has to monitor a growing amount of network traffic and malware signatures. Some vendors are touting cloud-based AV solutions that place the malware signature database in the cloud. But whether the bandwidth crunch is at your endpoints or in between you and the cloud, it’s a performance hit nonetheless.

3. There’s also the cost of helpdesk calls and time spent cleaning up and reimaging employee laptops and other infected endpoints. And increasingly, those helpdesk calls involve more Tier 2 and Tier 3 escalations.

4. Then there’s the cost of lost data – from individual files to entire disk drives to entire databases. And increasingly sophisticated attacks target sensitive and proprietary data such as personal information and intellectual property.

5. Finally, there is the cost of network downtime and the resulting loss in productivity. IT loses productivity by having to address problems caused by malware rather than focusing on more strategic activities. Your users lose productivity as they sit around waiting for their laptops or desktops to be reimaged or for the network to come back up. Such losses can be difficult to measure but are clearly very real – and damaging to your bottom line.

[Figure: Traditional endpoint security effectiveness versus malware growth. Monthly malware signatures identified: 250K in 2007, 1.8M in 2011. Labels: Malware as a Business, Exponential Growth, Increasing Sophistication, Ineffectiveness of AV, Malware Related Costs.]

As malware increases, your cost of endpoint operations will undoubtedly continue to rise as well.


Application Whitelisting: A More Effective Defense

Whitelisting is by its very nature a more effective defense against malware. It prevents any unknown or unwanted software – including known and unknown malware – from executing on your computers.

The mechanism whitelisting uses is fundamentally different from that of AV. Instead of identifying the millions of known pieces of malware and blocking them, whitelisting allows only authorized programs and associated files to execute. No other programs are permitted to run, period.

Whitelisting establishes a policy that covers operating systems, business applications and user executables. It can also deflect attempts to change this approved configuration, such as attacks that burrow into existing files to evade AV scanners.

But while traditional whitelisting has historically been viewed as a strong and effective security tool, it hasn’t been perceived as operationally efficient within a dynamic endpoint environment. That’s because at its foundation, application control is about preventing change from occurring. That’s fine for static environments such as mission-critical servers, which typically don’t require much change. But in today’s complex and dynamic computing environment, constant change is a requirement. Users both inside and outside your organization’s walls use a growing and changing array of applications every day to do their jobs and remain productive – resulting in constantly evolving endpoint configurations that are unique to each user.

So how do you leverage the rock-solid security of whitelisting while enabling the flexibility you need in today’s business environment? The answer lies in intelligent whitelisting.

Endpoint Security for a Zero-Day Reality

With traditional anti-virus (AV) software, you’re defenseless against “zero-day” malware – that is, malware that takes advantage of a recently discovered vulnerability where no patch yet exists and is so new that no AV vendor has a signature defined or deployed. With application whitelisting, however, you’re already better protected by default – without needing to wait for the latest vulnerability patch or anti-virus definition.


Intelligent Whitelisting: A Smarter Approach

Applying an intelligent approach to application whitelisting makes it flexible enough to serve today’s dynamic endpoints. But application whitelisting is intelligent only if it’s seamlessly layered into an overall endpoint security framework that includes a spectrum of other endpoint security and management tools, including AV, patch management and other technologies.

Lumension® Intelligent Whitelisting™ effectively combines application whitelisting, AV, patch management and trust-based change management into a single, unified solution that can defend against known and unknown malware. Yet it also delivers organizational and operational flexibility and ease of use to ensure that business productivity is not impacted, even in the most dynamic endpoint environments.

Lumension Intelligent Whitelisting integrates into one seamless security platform suite the most effective third-party security tools and techniques that traditionally were siloed. The result is more effective endpoint security, with the flexibility you need to ensure that organizational productivity is not impacted and to reduce your total cost of ownership.

Go here to learn more about how Lumension® Intelligent Whitelisting works.

[Figure: Intelligent Whitelisting combines Patch Management, Anti-Virus and Application Control.]
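The following is an added example, not Lumension’s code or a description of its product: a small Python model of the allow-by-default (blacklist) versus deny-by-default (whitelist) decision described under “Application Whitelisting: A More Effective Defense”, together with the trust-based change model described above, in which a file delivered by a trusted updater is approved without manual intervention. The policy classes, the sample file contents and the “patch-agent” updater name are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field


def sha256(data: bytes) -> str:
    """Content hash used as the identity of an executable."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "binaries": byte strings stand in for real files.
APPROVED_APP = b"approved business app v1"
APPROVED_APP_V2 = b"approved business app v2"      # shipped by the patch agent
TAMPERED_APP = APPROVED_APP + b" + injected code"  # approved file modified in place
KNOWN_MALWARE = b"malware with a published AV signature"
ZERO_DAY = b"never-seen malware, no signature yet"


@dataclass
class BlacklistPolicy:
    """AV model: default allow; block only hashes the signature list knows."""
    signatures: set

    def allow(self, content: bytes) -> bool:
        return sha256(content) not in self.signatures


@dataclass
class WhitelistPolicy:
    """Application-control model: default deny; allow only approved hashes.
    Because identity is a content hash, an approved file that has been
    modified no longer matches and is blocked."""
    approved: set
    trusted_updaters: set = field(default_factory=set)

    def allow(self, content: bytes) -> bool:
        return sha256(content) in self.approved

    def record_change(self, writer: str, new_content: bytes) -> bool:
        """Trust-based change: a file written by a trusted updater (e.g. the
        patch agent) is approved automatically; any other writer's output
        stays blocked until an administrator approves it."""
        if writer not in self.trusted_updaters:
            return False
        self.approved.add(sha256(new_content))
        return True


def build_policies():
    blacklist = BlacklistPolicy(signatures={sha256(KNOWN_MALWARE)})
    whitelist = WhitelistPolicy(approved={sha256(APPROVED_APP)},
                                trusted_updaters={"patch-agent"})
    return blacklist, whitelist


def compare(blacklist, whitelist):
    """Decision of each model for every sample binary: (blacklist, whitelist)."""
    samples = {"approved_app": APPROVED_APP, "tampered_app": TAMPERED_APP,
               "known_malware": KNOWN_MALWARE, "zero_day": ZERO_DAY}
    return {name: (blacklist.allow(c), whitelist.allow(c))
            for name, c in samples.items()}


if __name__ == "__main__":
    bl, wl = build_policies()
    for name, (b, w) in compare(bl, wl).items():
        print(f"{name:14} blacklist={'allow' if b else 'block'}  "
              f"whitelist={'allow' if w else 'block'}")
    # Patch cycle: the trusted updater ships v2, so it runs without a manual
    # re-approval; a file dropped by an untrusted process stays blocked.
    wl.record_change("patch-agent", APPROVED_APP_V2)
    wl.record_change("browser", ZERO_DAY)
    print("v2 after patch:", wl.allow(APPROVED_APP_V2),
          "| dropped file:", wl.allow(ZERO_DAY))
```

The zero-day and tampered-file rows are the point of the comparison: the blacklist allows both because no signature exists, while the whitelist blocks both without any definition update.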


The Benefits of Intelligent Whitelisting Accrue

Intelligent whitelisting delivers numerous benefits:

» More Effective Endpoint Security: Intelligent Whitelisting delivers the most effective way to prevent unwanted and unauthorized applications and malware. And it can prevent zero-day attacks without waiting for an AV signature or vulnerability patch. Plus, Lumension Intelligent Whitelisting allows IT to better manage local admin users, by placing limits on the kinds of software they can install while also restricting access to local system consoles typically used to make system configuration changes.

» Reduced Endpoint Complexity and TCO: By integrating anti-virus, application control and patch management within the Lumension Endpoint Management and Security Suite, IT can reduce the overall complexity and cost of managing the endpoint environment caused by multiple, stand-alone security technologies. Lumension Intelligent Whitelisting helps IT to:

  • Reduce costs for blocking malware, remediating infections, managing endpoints and running your helpdesk.

  • Deliver excellent performance compared to AV. AV software has to process a list of millions of attack signatures. Application whitelisting checks a much shorter list of allowed executables and modifiable system files, without impeding response times. Likewise, it enables you to reduce “agent bloat” and complexity at the endpoint.

  • Manage endpoint security and operational workflows within one console as opposed to having to work across multiple applications and consoles. This provides IT with greater visibility and control over endpoints while reducing administrative burden and cost.

  • Improve endpoint performance by reducing agent bloat and ensuring only trusted applications are allowed to run. This, combined with the diminished need for constant AV scans, ensures that endpoint resources are optimized and not consumed unnecessarily.

» Improved IT Operations and Productivity: Lumension Intelligent Whitelisting simplifies IT administration, because it automatically associates protected applications with trusted sources. There’s no need for constant human intervention. And it simplifies the security of endpoints with one view as opposed to leveraging multiple point technologies.

  • As a result, you can enable more productive users while achieving greater visibility and control over your endpoint-security configuration.

  • Lumension Intelligent Whitelisting also allows employees to do their jobs more effectively, because IT can establish application policies for users and roles, affording greater flexibility for those that require more change and a more stringent policy for those that don’t need as much flexibility in order to perform their job responsibilities.

Is Your Organization Best-in-Class?

A recent report on endpoint security by Aberdeen Group compared “best-in-class” and “laggard” organizations. It found that both best-in-class and laggards had deployed baseline security technologies such as anti-virus (AV). But the best-in-class organizations were far more likely to be early adopters of best-in-class security technologies. Among those best-in-class technologies were application controls such as application whitelisting.

One benefit achieved by best-in-class organizations was a year-over-year reduction in costs. They achieved this by decreasing the number of endpoint security incidents, as well as the average time to identify and address them:

Key Performance Indicator | Year-Over-Year Advantage
Number of endpoint security incidents | 13.5%
Time to identify incidents | 3.2%
Time to address incidents | 6.8%
Total cost of addressing incidents | 9.3%
Number of endpoint helpdesk calls | 9.3%
User disruption from endpoint downtime | 9.4%
Endpoint management costs | 10.9%
Staff dedicated to endpoint security | 4.5%

It’s interesting to note that the best-in-class saw a 3.8 percent decrease, year-over-year, in the number of endpoint-security incidents. The laggards, meanwhile, had a 9.7 percent increase. Every year, for support, management, security and compliance, and reinstallation, reimaging and recovery, best-in-class organizations saved $24 per endpoint.

An Intelligent Future

The days of just installing AV and trusting that you’re protected are long gone. There are too many vulnerabilities in your organization’s applications. Too many applications being downloaded onto your desktops and laptops. Too many new instances of viruses, worms, Trojan horses and other malware. And too much associated cost in lost time, resources and productivity due to malware.

Today, the best defense against malware is intelligent whitelisting, with a unified security approach using a flexible, trusted change model to afford maximum risk mitigation and minimal administrative burden. Ultimately, intelligent whitelisting can dramatically reduce malware infection rates and lower the total cost of protecting endpoints, all while improving employee and IT productivity.

Before you think about simply renewing your AV subscription, you might want to stop and think again.


About Lumension Security, Inc.

Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.888.725.7828
fax: +1.480.970.6323
www.lumension.com

Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management