March 2011
Think Your Anti-Virus Software Is Working? Think Again.
As attacks proliferate, anti-virus software can’t keep up. Fortunately, there’s a better way.

We’ve been so bombarded by computer viruses, worms, Trojan horses and other malware that we’ve become acclimated to their presence. We subscribe to an anti-virus (AV) offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studies show that even though most organizations use AV, more and more are succumbing to attacks. It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency.
WP-EN-03-11-11
Introduction

We’ve been so bombarded by computer viruses, worms, Trojan horses and other malware that we’ve become acclimated to their presence. We accept that they’re always going to be a threat. So we subscribe to an anti-virus (AV) offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studies show that even though most organizations use AV, more and more are succumbing to attacks. Even the leading anti-virus purveyors have admitted as much:

“Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.”
Rowan Trollope, Senior Vice President, Symantec

In particular, organizations are falling prey to “zero-day” attacks – viruses that haven’t yet been identified by AV providers and therefore simply cannot be protected against.
The problem is fundamental to AV’s design. AV is built upon a “blacklisting” approach where the notion is to let all traffic in and then, hopefully, identify and remedy whatever your AV provider has been able to define as being “bad”. It’s like leaving your front door wide open and allowing anyone to simply wander into your home, hoping you’ll recognize the criminals before they do any damage.

Clearly a more effective way would be to let in only the applications you’ve approved, and block everything else. This is a process known as application control, or “whitelisting” – the opposite of AV’s blacklisting approach.
Application whitelisting is a mature, proven security strategy, but it was never designed with the flexibility to accept much change, such as constantly updating applications, frequent patch updates, etc. Traditionally, application whitelisting has been more widely adopted for “locked down” systems into which change is minimally introduced – systems such as point-of-sale terminals, e-commerce servers, and ATMs – that is, up until now.

Today, application whitelisting has evolved to become more flexible and easier to use, while still maintaining its robust security enforcement. However, relying on any one solution to defend your endpoints will leave you exposed and vulnerable. That’s why many organizations have implemented multiple layers of stand-alone security technologies. But in doing so, organizations have created a much more complex and burdensome endpoint environment to manage, with limited visibility, inefficient performance, increasing TCO, and a losing battle against increasing IT security threats.

It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency.

A View into the Blacklisting Security Model

In this security model you’re at the whim of your AV vendor’s ability to digest new malware from the world at large, analyze it, write a new AV signature and syndicate it down to you as a new definition file. From here you must ensure that every endpoint has the latest file. But what if there are machines that are offline and not connected to the network? How long will it take to make sure the new definition file is on every machine? How much IT bandwidth will be required to make this happen in a timely fashion, and what’s the performance hit to the network and each endpoint? A blacklist approach is no longer effective as a stand-alone defense against today’s threats.
Putting AV in Its Place

First, let’s be clear: AV is still a relevant technology within the endpoint security arsenal, and one that should be used consistently across the enterprise to help manage fast-spreading and widely known malware.

However, relying on AV as your primary defense against malware locks you into an arms race that you will never be able to win. There are a number of reasons for this:

1. The exponential growth in malware and the exploitation of application vulnerabilities. AV vendors typically report finding millions of new pieces of malware every year – some as many as 60,000 per day. What’s more, this malware is exploiting a rising volume of software application vulnerabilities. In 2010, the vulnerability count exceeded 8,000, and users saw about four times more vulnerabilities in third-party software than in Microsoft applications [1].

[Figure: Number of Vulnerabilities, 2005–2010. Source: Secunia Yearly Report, 2010]

[1] Secunia Yearly Report, 2010
2. The growing sophistication of malware. The motivation for producing malware increasingly is to steal data and make money. So the attacks are becoming more targeted, and the malware involved is getting harder to detect. For example, so-called polymorphic and metamorphic malware can automatically mutate in an attempt to avoid detection by anti-virus technology. In addition, malware is maturing as an industry unto itself – the proliferation of malware exploitation kits and malware-as-a-service (MaaS) is effectively automating the distribution of new malware at unprecedented rates.
3. The declining effectiveness of AV. Consider the numbers. AV software detects only 19 percent of new attacks, according to cyber-intelligence firm Cyveillance. That number increases to just 62 percent after 30 days. Overall, AV misses 10.2 percent of all malware, according to a recent study by AV-Test and PC World – or about 6,100 of the 60,000 new pieces of malware reported each day. That’s roughly one breach every 14 seconds.

In short, AV is necessary but not sufficient. Today there are simply too many attacks, vulnerabilities and connections for AV to remain the safeguard it once was.
Average No. of New Malware Discovered per Minute
2007: 11.1
2008: 20.1
2009: 31.9
2010: 41.7
Extrapolated from McAfee Labs, McAfee Threats Report: Third Quarter 2010.
Just How Effective is AV?

The numbers are bleak. Here’s what the Computer Security Institute, which publishes an annual computer security survey, found on AV usage and success rates over the past 10 years:

Between 96 percent and 99 percent of organizations were using AV. But their success against malware didn’t match their usage rates. From 2001 to 2008, malware issues steadily improved. But in the past two years that trend has reversed, and malware issues have been increasing. Even in the best year, 2008, fully one-half of organizations had problems with malware.

Year | Organizations Using AV | Organizations With Malware Issues
2001 | 98% | 94%
2002 | 98% | 85%
2003 | 99% | 82%
2004 | 99% | 78%
2005 | 96% | 74%
2006 | 97% | 65%
2007 | 98% | 52%
2008 | 97% | 50%
2009 | 98% | 64%
2010 | 97% | 67%
Mounting Endpoint Costs

All that malware results in additional costs. In fact, 48 percent of organizations reported an increase in their IT operating expenses, according to a 2010 Ponemon Institute study commissioned by Lumension. Significantly, 50 percent said a main driver of that cost increase was malware. Such costs include:

1. The cost for deploying, managing and updating AV software. All for software that isn’t doing a particularly good job of protecting your endpoints.

2. The performance hit against computer servers and networks for running AV that has to monitor a growing amount of network traffic and malware signatures. Some vendors are touting cloud-based AV solutions that place the malware signature database in the cloud. But whether the bandwidth crunch is at your endpoints or in between you and the cloud, it’s a performance hit nonetheless.

3. There’s also the cost for helpdesk calls and time spent cleaning up and reimaging employee laptops and other infected endpoints. And increasingly, those helpdesk calls involve more Tier 2 and Tier 3 escalations.

4. Then there’s the cost of lost data – from individual files to entire disk drives to entire databases. And increasingly sophisticated attacks target sensitive and proprietary data such as personal information and intellectual property.

5. Finally, there is the cost of network downtime and the resulting loss in productivity. IT loses productivity by having to address problems caused by malware rather than focusing on more strategic activities. Your users lose productivity as they sit around waiting for their laptops or desktops to be reimaged or for the network to come back up. Such losses can be difficult to measure but are clearly very real – and damaging to your bottom line.
[Figure: Traditional Endpoint Security Effectiveness versus malware signatures and malware-related costs. Monthly malware signatures identified: 250K in 2007, 1.8M in 2011. Drivers shown: malware as a business, exponential growth, increasing sophistication, ineffectiveness of AV.]
As malware increases, your cost of endpoint operations will undoubtedly continue to rise as well.
Application Whitelisting: A More Effective Defense

Whitelisting is by its very nature a more effective defense against malware. It prevents any unknown or unwanted software – including known and unknown malware – from executing on your computers.

The mechanism whitelisting uses is fundamentally different from that of AV. Instead of identifying the millions of known pieces of malware and blocking them, whitelisting allows only authorized programs and associated files to execute. No other programs are permitted to run, period.

Whitelisting establishes a policy that covers operating systems, business applications and user executables. It can also deflect attempts to change this approved configuration, such as attacks that burrow into existing files to evade AV scanners.
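The two models described above, plus the trust-based change management the paper introduces later under Intelligent Whitelisting, as an added illustration that is not Lumension’s code or any product’s implementation: a blacklist check beside a hash-based default-deny allow list whose only change path is a trusted source. The file contents, the “patch-management” and “user-download” source names, and the class names are constructed for this example.

```python
import hashlib

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

class BlacklistAV:
    """AV model: everything may run unless its hash matches a known-bad signature."""
    def __init__(self, signatures):
        self.signatures = set(signatures)

    def allows(self, data: bytes) -> bool:
        return sha256(data) not in self.signatures

class IntelligentWhitelist:
    """Default-deny model: only hashes admitted through a trusted source may run."""
    def __init__(self, trusted_sources):
        self.trusted_sources = set(trusted_sources)
        self.allowed = set()

    def approve(self, data: bytes, source: str) -> bool:
        # Trust-based change: a new or updated executable enters the policy only
        # when it arrives via a trusted channel (here, the patch management system).
        if source not in self.trusted_sources:
            return False
        self.allowed.add(sha256(data))
        return True

    def allows(self, data: bytes) -> bool:
        return sha256(data) in self.allowed

# Constructed byte strings standing in for executable file contents.
APPROVED_APP = b"MZ acme-editor 1.0 (constructed)"
APPROVED_APP_PATCHED = b"MZ acme-editor 1.1 (constructed)"
KNOWN_MALWARE = b"MZ dropper (constructed; AV already has a signature)"
ZERO_DAY = b"MZ new-dropper (constructed; no AV signature yet)"
TAMPERED_APP = APPROVED_APP + b"\x90\x90 injected"  # approved file altered in place

def run_comparison() -> dict:
    av = BlacklistAV(signatures=[sha256(KNOWN_MALWARE)])
    wl = IntelligentWhitelist(trusted_sources={"patch-management"})
    wl.approve(APPROVED_APP, source="patch-management")
    samples = {"approved": APPROVED_APP, "known_malware": KNOWN_MALWARE,
               "zero_day": ZERO_DAY, "tampered": TAMPERED_APP}
    results = {name: {"av": av.allows(d), "whitelist": wl.allows(d)}
               for name, d in samples.items()}
    # A user download is not a trusted source, so it never enters the allow list.
    results["untrusted_approve"] = wl.approve(ZERO_DAY, source="user-download")
    # A patch delivered through the trusted channel is admitted without manual review.
    results["patched_before"] = wl.allows(APPROVED_APP_PATCHED)
    wl.approve(APPROVED_APP_PATCHED, source="patch-management")
    results["patched_after"] = wl.allows(APPROVED_APP_PATCHED)
    return results

if __name__ == "__main__":
    for name, verdict in run_comparison().items():
        print(name, verdict)
```

The zero-day and the tampered copy of an approved file both pass the blacklist (no signature matches) but fail the allow list, while the patched version is admitted only once it arrives through the trusted channel.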
But while traditional whitelisting has historically been viewed as a strong and effective security tool, it hasn’t been perceived as operationally efficient within a dynamic endpoint environment. That’s because at its foundation, application control is about preventing change from occurring. That’s fine for static environments such as mission-critical servers, which typically don’t require much change. But in today’s complex and dynamic computing environment, constant change is a requirement. Users both inside and outside your organization’s walls use a growing and changing array of applications every day to do their jobs and remain productive – resulting in constantly evolving endpoint configurations that are unique to each user.

So how do you leverage the rock-solid security of whitelisting while enabling the flexibility you need in today’s business environment? The answer lies in intelligent whitelisting.
Endpoint Security for a Zero-Day Reality

With traditional anti-virus (AV) software, you’re defenseless against “zero-day” malware – that is, malware that takes advantage of a recently discovered vulnerability where no patch yet exists and is so new that no AV vendor has a signature defined or deployed. With application whitelisting, however, you’re already better protected by default – without needing to wait for the latest vulnerability patch or anti-virus definition.
Intelligent Whitelisting: A Smarter Approach

Applying an intelligent approach to application whitelisting makes it flexible enough to serve today’s dynamic endpoints. But application whitelisting is intelligent only if it’s seamlessly layered into an overall endpoint security framework that includes a spectrum of other endpoint security and management tools, including AV, patch management and other technologies.

Lumension® Intelligent Whitelisting™ effectively combines application whitelisting, AV, patch management and trust-based change management into a single, unified solution that can defend against known and unknown malware. Yet it also delivers organizational and operational flexibility and ease of use to ensure that business productivity is not impacted – in even the most dynamic endpoint environments.

Lumension Intelligent Whitelisting integrates the most effective third-party security tools and techniques that traditionally were siloed into one seamless security platform suite. The result is more effective endpoint security, with the flexibility you need to ensure that organizational productivity is not impacted and to reduce your total cost of ownership.

Go here to learn more about how Lumension® Intelligent Whitelisting works.

[Figure: Intelligent Whitelisting combines Patch Management, Anti-Virus and Application Control.]
The Benefits of Intelligent Whitelisting Accrue

Intelligent whitelisting delivers numerous benefits:

» More Effective Endpoint Security: Intelligent Whitelisting delivers the most effective way to prevent unwanted and unauthorized applications and malware. And it can prevent zero-day attacks without waiting for an AV signature or vulnerability patch. Plus, Lumension Intelligent Whitelisting allows IT to better manage local admin users, by placing limits on the kinds of software they can install while also restricting access to local system consoles typically used to make system configuration changes.

» Reduced Endpoint Complexity and TCO: By integrating anti-virus, application control and patch management within the Lumension Endpoint Management and Security Suite, IT can reduce the overall complexity and cost of managing the endpoint environment caused by multiple, stand-alone security technologies. Lumension Intelligent Whitelisting helps IT to:

  • Reduce costs for blocking malware, remediating infections, managing endpoints and running your helpdesk.
  • Deliver excellent performance compared to AV. AV software has to process a list of millions of attack signatures. Application whitelisting checks a much shorter list of allowed executables and modifiable system files, without impeding response times. Likewise, it enables you to reduce “agent bloat” and complexity at the endpoint.
  • Manage endpoint security and operational workflows within one console as opposed to having to work across multiple applications and consoles. This provides IT with greater visibility and control over endpoints while reducing administrative burden and cost.
  • Improve endpoint performance by reducing agent bloat and ensuring only trusted applications are allowed to run. This, combined with the diminished need for constant AV scans, ensures that endpoint resources are optimized and not consumed unnecessarily.

» Improved IT Operations and Productivity: Lumension Intelligent Whitelisting simplifies IT administration, because it automatically associates protected applications with trusted sources. There’s no need for constant human intervention. And it simplifies the security of endpoints with one view as opposed to leveraging multiple point technologies.

  • As a result, you can enable more productive users while achieving greater visibility and control over your endpoint-security configuration.
  • Lumension Intelligent Whitelisting also allows employees to do their jobs more effectively, because IT can establish application policies for users and roles, affording greater flexibility for those that require more change and developing a more stringent policy for those that don’t need as much flexibility in order to perform their job responsibilities.

Is Your Organization Best-in-Class?

A recent report on endpoint security by Aberdeen Group compared “best-in-class” and “laggard” organizations. It found that both best-in-class and laggards had deployed baseline security technologies such as anti-virus (AV). But the best-in-class organizations were far more likely to be early adopters of best-in-class security technologies. Among those best-in-class technologies were application controls such as application whitelisting.

One benefit achieved by best-in-class organizations was a year-over-year reduction in costs. They achieved this by decreasing the number of endpoint security incidents, as well as the average time to identify and address them:

Key Performance Indicator | Year-Over-Year Advantage
Number of endpoint security incidents | 13.5%
Time to identify incidents | 3.2%
Time to address incidents | 6.8%
Total cost of addressing incidents | 9.3%
Number of endpoint helpdesk calls | 9.3%
User disruption from endpoint downtime | 9.4%
Endpoint management costs | 10.9%
Staff dedicated to endpoint security | 4.5%

It’s interesting to note that the best-in-class saw a 3.8 percent decrease, year-over-year, in the number of endpoint-security incidents. The laggards, meanwhile, had a 9.7 percent increase. Every year, for support, management, security and compliance, and reinstallation, reimaging and recovery, best-in-class organizations saved $24 per endpoint.
An Intelligent Future

The days of just installing AV and trusting that you’re protected are long gone. There are too many vulnerabilities in your organization’s applications. Too many applications being downloaded onto your desktops and laptops. Too many new instances of viruses, worms, Trojan horses and other malware. And too much associated cost in lost time, resources and productivity due to malware.

Today, the best defense against malware is intelligent whitelisting, with a unified security approach using a flexible, trusted change model to afford maximum risk mitigation and minimal administrative burden. Ultimately, intelligent whitelisting can dramatically reduce malware infection rates and lower the total cost of protecting endpoints, all while improving employee and IT productivity.

Before you think about simply renewing your AV subscription, you might want to stop and think again.
About Lumension Security, Inc.

Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.888.725.7828
fax: +1.480.970.6323
www.lumension.com

Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management