Traditional Anti-Virus – A Busted Flush!

Presentation transcript:
1 Traditional Anti-Virus – A Busted Flush!

Slide: Traditional Anti-Virus – A Busted Flush! by Kerry Davies, Commercial Director, Abatis (UK) Ltd.

Notes: Definition: A Busted Flush: anything which ends up worthless despite having shown great potential. Apologies to all A/V companies – I am a charm school dropout. So let me give you some background to me and what I’m going to talk about.

2 Background

Slide:
- Computer Science degree in early ‘80s
- Security field since 1986
- Security Evaluator – Consultant – Manager – Company Founder – Director in Big 4 – Business Partner
- MSc in Information Security at Royal Holloway (graduated 2009)
- Why is traditional A/V a “Busted Flush”? What is malware? How does malware work? How does traditional A/V work? An alternative approach (that works!)

Notes: Me: Comp Sci in the early 80s – before PCs – when computers were mainframes and minis in secure computer rooms guarded by white-coat technicians. More secure because of lack of access, and you had to program using Hollerith cards. Pre-CMA 1990, so I can say I still managed to learn how to hack. Legitimate security field since 1986 – evaluator in the first EF (now called CLEFs) – co-authored the UK Evaluation Methodology and did E5 evaluations. Became a security consultant for a software house and worked on various MLS military Command & Control systems, and had various project and business management positions. Eventually left to form my own security and safety company, Echelon Consulting. Sold in 2006, affording me the opportunity to do an MSc in … After that I became a director running the security practice for public sector in KPMG for 2 yrs, then recently joined William Rothwell, another alumnus of RHUL based at the Enterprise Centre on campus, as his business partner to bring a disruptive new anti-malware technology to market. So my talk is to justify my claim that traditional, signature-based anti-virus is a busted flush – a technology that was pretty good but is no longer good enough. To do this I intend to take you through what / how / how / alt. So WHAT IS MALWARE?

3 What is malware?

Slide:
- Virus, Worm, Trojan Horse, Key-Logger, Root-Kit, Logic Bomb, etc.
- Malware is a value judgement
- Malware is BIG BUSINESS for cyber criminals, cyber terrorists and hostile state actors – APTs
- Traditional anti-virus (A/V) is reactive not proactive – infections have to occur in order for the A/V vendors to collect samples to generate A/V signatures and the antidote
- Symantec’s 2010 report announced that they had found 286 million pieces of new malware that year – traditional A/V vendors can’t keep up with this volume and the user community can’t keep taking the megabytes of signature updates that the vendors push out daily

Notes: Malware is a shorthand term for … More esoterically, malware is a value judgement – it is anything you don’t want running on your machine – an executable piece of code of some kind. These bad guys are all well resourced and funded and use stealth techniques to avoid detection – no longer the spotty teenager in his bedroom showing the world how clever he is by defacing a webpage – these people want to get in low, stay low and undetected for as long as possible – hence the term Advanced Persistent Threat (Advanced – it beat your A/V; Persistent – it’s still beating your A/V. Remember STUXNET lay undiscovered for over a year). Malware can allow the bad guys to steal money, intellectual property, identities, state secrets OR close down nuclear processing facilities, water treatment plants, the national grid, the telephone system. Have I convinced you traditional A/V is a busted flush yet? SO HOW DOES MALWARE WORK?

4 How does Malware work?

Slide: Elements of a worm (as an example):
- Warhead: gains access to the victim’s machine
- Propagation Engine: transfers the body to the victim
- Target Selection Algorithm: looking for potential new victims to attack
- Scanning Engine: scanning across the network
- Payload: implementation of specific actions such as opening backdoors, botnet, spyware, keylogger, rootkit …
From: “Malware – Fighting Malicious Code”, p. 79; Ed Skoudis, Prentice Hall 2004

Notes: HDF’s approach – blocking writing of executables. Once we block write, malware cannot spread! In other words, we stop any malware at the second phase, ‘Propagation’. So, just how serious is the problem?

5 Assessing the Threatscape

Slide:
- Malware is everywhere and easily spread – nothing is safe any more
- As smart-phone use rockets and social networking explodes, we struggle to balance the need for security versus the need to share information
- Connection between the Hoover Dam and Natanz Nuclear facility in Iran?
- Consumerisation of IT – the blurring between professional and personal use of technology, mobile platforms and social networking pose serious threats
- Spam, phishing, pharming and spear-phishing on the increase
- So far in 2011, McAfee has identified 150,000 malware samples every day. One unique file almost every half second, and a 60% increase over 2010
- 19,000 new malicious URLs each day in the first half of this year. And 80% of those URLs are legitimate websites that were hacked or compromised

Notes: Malware is a pernicious problem – even on mobile devices and Apple Mac. So-called “safe” devices aren’t any longer: you need to proactively stop the threats. There are 4Bn mobiles in the world (over 60% of the world’s population has one) – more internet commerce is being done by smartphone than ever before – in developing nations, people have completely missed out the desktop and laptop phases and gone straight to smartphones to access the Internet. What have the trad A/V companies got for mobile devices? Good configuration guides, white listing, black listing, cut-down scanning engines, reputation-based approaches? All unreliable, a maintenance burden and simply not good enough. POP QUIZ – the Hoover Dam and Natanz? No electronic connection! Neither was on the Internet. The man in charge of security of the Hoover Dam was getting increasingly frustrated that people were questioning him about what he was doing to stop his facility being infected by malware like STUXNET and flooding Nevada. He said that his facility couldn’t be infected because “it isn’t connected to the Internet” – neither was Natanz!!! STUXNET managed to get onto that facility and do enough damage to set back the Iranian nuclear enrichment programme by years. Remember, if the International Space Station can be infected by malware, anything can be!! So don’t bury your head in the sand – we need to do something. 19,000 new malicious URLs every day – 80% legitimate sites. But 99.9% of the corporates running these sites will have A/V, so how is this happening to them? Busted Flush anyone? So, if I still haven’t yet convinced you trad A/V is a busted flush, what does the industry say about itself?

6 Consensus in the A/V Industry

Slide:
- “Back in the 80s, computer experts were quick to dismiss PC viruses as harmless. We need to learn from this mistake and start taking the mobile malware threat seriously. Only by taking pre-emptive measures can we equip ourselves against this pernicious and escalating menace…” – Davey Winder, Security Journalist and Consultant
- Symantec recorded that in 2010 it saw 286 million pieces of new malware
- “Anti-virus technology can't stop targeted attacks.... Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices” – Nir Zuk, founder and CTO of Palo Alto Networks, to SC Magazine, September 9th 2011
- The security industry has “done a miserable job of protecting customers and industry. More than half of malware is not blocked by anti-virus, as vendors can only deal with known malware … the approach taken by most anti-virus vendors is not good enough, as most claim to block 99 per cent of known malware, but most cyber criminals use unknown variants.” – M86 Security CEO John Vigouroux, speaking to SC Magazine
- In 2007 “....there were about 200 malware threats for mobile phones and more than 250,000 viruses for Windows.” – Graham Cluley, senior technology consultant at Sophos
- “….With mobile menaces steadily on the rise, we can only anticipate how virulently worms can multiply, especially with the explosion of Bluetooth and the increase in workforce mobility in organisations like the NHS” – Leslie Forbes, Technical Manager, F-Secure
- According to Ken Silva, CTO of Verisign: “….Criminals will go where the money is,” Silva told CNET News. “If you start doing things of financial interest with your mobile phone, they will find a way to get your money.”

Notes: Read each click. So, the industry itself thinks it is in trouble. How many in the room agree? Show of hands. I have some more statistics to back up my claim....

7 Effectiveness of Anti-malware solutions

Slide:
- Popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases to only 61.7% after 30 days (Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis, 04/08/10)
- Recent malware infection tactics: drive-by download infection; fake security tools and free scanning services; social engineering – social networks, e.g. Facebook; embedded malicious links – phishing, pharming and spear-phishing type attacks; cracked PDF and document files – embedded link/payload

Notes: This is an independent study done just over a year ago – a new one hopefully out soon, but I don’t expect it to be any better – in fact probably much worse..... OK, so if traditional signature-based anti-virus is dead, what can we do instead?

8 Other methods of protection

Slide:
- Isolation
- Avoid questionable sites, download software only from reputable sites, run an anti-virus scan on any downloaded material
- Signature Based – as the last table showed, average 19% effective on day 1, max 60%, reactive
- Heuristic – reactive, signature-based fuzzy pattern matching, false positives (achieves 19%)
- Reputation Based – incomplete coverage, limited, vendor specific, error prone, can be defeated
- Hashing – used as part of the reputation-based approach (hashes can be defeated)
- Blacklisting – seriously?
- Whitelisting – attractive in principle but a huge maintenance nightmare, as hashes have to be recalculated and redistributed to every machine for every change
- Combination – what the better A/V is doing now…………
- Kernel-level Control over I/O – use the fundamental nature of malware as executable code and the ring-based integrity mechanisms of the O/S to block storage of executable program files on the hard disk, to produce a fast, reliable, non signature-based, proactive anti-malware solution

Notes: Is anything ever air-gapped these days? USB / WiFi / Bluetooth. Drive-by downloads from legitimate sites, as we saw earlier (19K per day, 80% legitimate, esp. news, media, social networking), are the biggest threat at the moment. The statistics show that this approach does not work effectively, is reactive and won’t stop zero-day or targeted attacks. Heuristic is common at the moment anyway and only achieves the 19% on day 1 score. Reputation based relies on hashing, so can easily be defeated by tools freely available. Blacklisting – could you list everything you don’t want to see hit your computer? Whitelisting – already hated by most large organisations because of the administrative burden – can’t seriously use this. Combo – oh dear! That’s what they do now and they still only achieve an average of 19% effectiveness on day 1. Kernel-level, non signature-based is the only sensible way to go. Good old-fashioned COMPUSEC! And as you can guess, this is the approach adopted by the company I work for now. Our technology is called HDF – Hard Disk Firewall. Here’s a simple graphic of how it works..

9 HDF – Implementation

Slide: diagram – how the HDF filter driver blocks malware code while allowing authorised files to the system. An application, e.g. WinWord (User Mode / Ring 3), issues two writes: (a) save keylog.exe, (b) save business.doc. Both go through the operating system’s input and output control (I/O Manager), e.g. Windows (Kernel mode / Ring 0), down to the interface to hardware (NTFS, FAT etc.) and the NTFS drive C:\. Without HDF protection both files reach the disk. With HDF protection the HDF filter sits between the I/O Manager and the file system: keylog.exe is blocked, business.doc is not blocked.
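A user-mode model of the decision the filter in this diagram has to make, added here as an illustration: it is not Abatis code, and it runs as a plain Python script rather than as a kernel driver. It keeps only the policy question a write filter faces: given the bytes an application asks the I/O Manager to store, is this an executable image? A name-based rule is shown beside it to make the slide’s point about malware being executable code rather than ".exe files": the renamed PE in the sample is blocked by content but not by extension. Every path and file body is constructed test data, and the script-file case shows a limit of this model, not a claim about HDF: a VBScript file is not a native image, so an image-only filter lets it be written and an interpreter already on disk can run it.

```python
"""
User-mode model of a write-time executable filter (constructed example).

This is not the HDF driver and touches no kernel interface: it reproduces
only the decision a filter placed between the I/O Manager and the file
system must take for each write, and it takes that decision on the bytes
being stored rather than on the file name.  Every path and file body below
is constructed test data.
"""
from dataclasses import dataclass
from typing import Callable, Iterable, List, Tuple

# Public magic numbers of native executable image formats.
PE_MAGIC = b"MZ"                        # Windows .exe/.dll/.sys (DOS header)
ELF_MAGIC = b"\x7fELF"                  # Linux/Unix ELF images
MACHO_MAGICS = (b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",   # macOS, big-endian
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe",   # macOS, little-endian
                b"\xca\xfe\xba\xbe")                        # macOS fat binary

# Extensions a name-based rule would treat as executable.
EXEC_EXTENSIONS = (".exe", ".dll", ".sys", ".scr", ".com", ".cpl")

ALLOW, BLOCK = "ALLOW", "BLOCK"


@dataclass(frozen=True)
class WriteRequest:
    """One write as seen at the I/O Manager: target path and payload bytes."""
    path: str
    data: bytes


def is_executable_image(data: bytes) -> bool:
    """True when the payload starts like a native executable image.

    The file name is deliberately ignored.  An MZ header alone is enough
    to block: a DOS stub with no PE signature is still loadable, so
    waiting for the "PE\\0\\0" signature would be the permissive choice.
    """
    if data.startswith(PE_MAGIC) or data.startswith(ELF_MAGIC):
        return True
    return data[:4] in MACHO_MAGICS


def extension_policy(req: WriteRequest) -> str:
    """Name-based rule: refuse writes whose target name looks executable."""
    return BLOCK if req.path.lower().endswith(EXEC_EXTENSIONS) else ALLOW


def content_policy(req: WriteRequest) -> str:
    """Content-based rule (the slide's approach): refuse executable images."""
    return BLOCK if is_executable_image(req.data) else ALLOW


def filter_writes(requests: Iterable[WriteRequest],
                  policy: Callable[[WriteRequest], str]) -> List[Tuple[str, str]]:
    """Apply one policy to a batch of writes; returns (path, decision) pairs."""
    return [(req.path, policy(req)) for req in requests]


# --- constructed sample payloads -------------------------------------------
# Minimal PE: DOS header whose e_lfanew (offset 0x3C) points at "PE\0\0".
FAKE_PE = b"MZ" + b"\0" * 58 + (0x40).to_bytes(4, "little") + b"PE\0\0"
FAKE_ELF = ELF_MAGIC + bytes([2, 1, 1]) + b"\0" * 9        # ELF64 LE e_ident
OLE_DOC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 8   # legacy .doc container
VBS_SCRIPT = b'Set sh = CreateObject("WScript.Shell")\r\n'  # text, not an image

SAMPLE_WRITES = [
    WriteRequest(r"C:\Users\kd\Downloads\keylog.exe", FAKE_PE),     # (a) on the slide
    WriteRequest(r"C:\Users\kd\Documents\business.doc", OLE_DOC),   # (b) on the slide
    WriteRequest(r"C:\Users\kd\Downloads\report.doc", FAKE_PE),     # PE dropper, renamed
    WriteRequest("/tmp/.x/bd", FAKE_ELF),                            # ELF backdoor, no extension
    WriteRequest(r"C:\Users\kd\Downloads\invoice.vbs", VBS_SCRIPT),  # script: not an image
]


if __name__ == "__main__":
    by_name = dict(filter_writes(SAMPLE_WRITES, extension_policy))
    by_content = dict(filter_writes(SAMPLE_WRITES, content_policy))
    print(f"{'path':42} {'by name':8} by content")
    for req in SAMPLE_WRITES:
        print(f"{req.path:42} {by_name[req.path]:8} {by_content[req.path]}")
```

Run it directly to see both policies side by side: the two writes from the slide get the same answer under either rule, the renamed PE and the extension-less ELF are where the content rule earns its keep, and the script file passes both, which is the case a deployment has to cover by other means.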

10 Products and Benefits

Slide:
- HDF Workstation; HDF Server
- All versions of Windows from NT to latest 64 bit; Red Hat Linux; Mobile Platforms (future), Real Time, SCADA
- Enforce system integrity
- Stop zero day attacks and targeted attacks
- Block all unwanted software execution
- No signature updates required; fit & forget – low TCO
- No performance impact – potential improvement

11 Hard Disk Firewall (HDF)

Slide: application areas – HDF Clampdown; Secure Mobile Platforms; Critical Systems Protection; Secure Real Time Systems; Performance Improvement; Protection of Legacy Equipment. Items: mobile worker laptops e.g. sales people; keylogger protection incl. USB; drive-by download protection; Windows NT, Windows 2000, Windows XP, Windows Vista; Android, Windows 7 Mobile, Linux, tablet devices; battery life enhancement research; stop website defacement & secure hosted environments; security effectiveness improvement if used with traditional A/V; mission critical systems including virtualised environments; faster if used w/o A/V or with on-demand only scanning; safety critical systems; embedded systems; CNI & SCADA.

Notes: So as you can see, by rigorously controlling the I/O of the computer’s hard disk we can not just defeat malware, but also clamp down equipment, protect old/legacy equipment for which there are no longer any patches or service packs, potentially improve the performance of systems, prevent website defacement, protect the Critical National Infrastructure and SCADA, and potentially be the perfect solution for mobile devices due to the very small and efficient code (30-60KB). I hope I have shown you that traditional A/V is no longer good enough to protect your computers and that our non signature-based kernel technology is the way forward. If you want to talk to me afterwards about evaluating it in your companies I’d be happy to do so. Does anyone have any questions?

12 Questions

Kerry Davies, Abatis (UK) Ltd
Royal Holloway Enterprise Centre, Royal Holloway University of London, Egham, Surrey TW20 0EX
Tel: +44 (0) 12
