Malware protection must innovate beyond signatures, says IBM expert
Is anti-virus software dead? Experts have declared its demise in the past – most notably Symantec, which declared it so in a Wall Street Journal interview last year. But some think there’s life in the old dog yet.
As malware evolves, the software to detect and neutralise it has a challenge on its hands, and anti-virus tools must be complemented by a range of new products to cope with emerging threats. That’s the message from John Beal, IBM Canada’s national security SaaS leader, who delivered a talk at SecTor 2015 on how to better protect the endpoint.
“A typical anti-virus product will cover you for 70-80% of what’s out there,” he asserted. “The bad guys know there’s that 20% window and that’s what they’re trying to jump through.”
Beal worries that anti-virus products often rely heavily on signature scanning, which looks for particular known malware binaries. Users are indeed protected against a particular piece of malware once a signature scanner knows what that malware’s binary looks like. Static signature analysis does not account for zero-day malware that hasn’t yet been seen in the wild, though, nor for particularly devious forms of malware that use techniques like polymorphism, where a binary continuously changes its footprint.
“Static detection alone is not enough to keep up with modern threats,” agreed Maik Morgenstern, CTO of AV-Test, which measures the effectiveness of anti-malware products. “But it is still an essential part of the product when protecting customers. It is easy and fast, and once you have seen and analyzed a binary, detection can be added and protection is available for all your users via the cloud.”
Anti-virus software vendors have had to evolve their techniques over time, explained Greg Wasson, endpoint security program manager at ICSA Labs. “Signature-only antivirus products haven’t existed for quite a while, so they are a thing of the past. Signatures are just one layer of protection that anti-malware products use to protect an endpoint,” he said.
Defence in depth
Why keep static detection at all, then? Computers are good at matching things, and it takes far fewer cycles to match a binary against a known signature than to run the other kinds of detection. This makes static scans great for low-hanging fruit. If you can catch malware that way, you’ve freed up your resources for something else. If you can’t, the detection software can pull out the other tools.
For truly effective protection, though, make it part of a broader, defence in depth approach, said Chris Doggett, managing director of Kaspersky Lab North America.
“Cyberattacks will continue to grow in number and complexity, and AV software will always be a part of a ‘layered’ security solution that is fighting against these nefarious actors,” he said.
Beal explained that behavioural malware analysis is a key technology for bridging the gap left by signature-based protection. It looks for particular program behaviours that may be suspicious. If an unrecognized program starts tinkering with your registry, for example, that could be cause for concern and might raise a red flag in a properly tooled anti-malware product.
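As an added illustration of the layered approach described above (not code from the article or from any vendor named in it), the following Python sketch runs a cheap hash lookup first and only falls through to scoring sandbox behaviour events when the hash is unknown. The signature, the rules and the event lines are all constructed for the example; a one-byte change to the sample defeats the hash but not the behavioural layer.

```python
import hashlib
import re

# Constructed "known-bad" sample and its hash signature (a stand-in, not real malware).
KNOWN_BAD = b"MZ\x90\x00dropper-v1"
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest(): "Dropper.A"}

# Constructed behavioural rules: (pattern over a sandbox event line, weight).
BEHAVIOUR_RULES = [
    (re.compile(r"^reg_set .*\\CurrentVersion\\Run\\"), 3),          # Run-key persistence
    (re.compile(r"^proc_spawn .*(powershell|cmd)\.exe .*-enc"), 3),  # encoded command line
    (re.compile(r"^file_write .*\\(Temp|AppData)\\.*\.exe$"), 2),    # executable dropped in user dir
    (re.compile(r"^net_connect .*:(4444|8080)$"), 1),                # unusual outbound port
]
BEHAVIOUR_THRESHOLD = 5

# Constructed sandbox event logs for a dropper and for a benign program.
DROPPER_EVENTS = [
    r"file_write C:\Users\bob\AppData\Local\updater.exe",
    r"reg_set HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
    r"proc_spawn powershell.exe -nop -w hidden -enc SGVsbG8=",
    r"net_connect 203.0.113.10:4444",
]
BENIGN_EVENTS = [
    r"file_write C:\Users\bob\Documents\report.docx",
    r"net_connect 203.0.113.20:443",
]

def static_scan(sample: bytes):
    """Cheap first layer: one hash and a dictionary lookup; None if unknown."""
    return SIGNATURES.get(hashlib.sha256(sample).hexdigest())

def behaviour_scan(events):
    """Second layer: score what the program did, not what its bytes look like."""
    score, hits = 0, []
    for line in events:
        for rule, weight in BEHAVIOUR_RULES:
            if rule.search(line):
                score += weight
                hits.append(line)
    return score, hits

def scan(sample: bytes, events):
    """A static hit ends early; otherwise fall through to behavioural analysis."""
    family = static_scan(sample)
    if family:
        return ("known-malware", family, 0)
    score, hits = behaviour_scan(events)
    verdict = "suspicious-behaviour" if score >= BEHAVIOUR_THRESHOLD else "clean"
    return (verdict, hits, score)
```

Changing one byte of KNOWN_BAD (the polymorphic case) makes static_scan return None, while scan() still flags the sample from DROPPER_EVENTS with a score of 9.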
There are also several technologies that go beyond behavioural protection. These include:
- Endpoint agents that set and enforce policy, such as IBM’s BigFix Security.
- Sandboxed corporate environments for mobile and desktop users, which can be particularly useful for BYOD users.
- Application whitelisting to stop enterprise users polluting corporate desktops with malware, potentially unwanted programs (PUPs) and other crud.
- Cloud-based web protection solutions that monitor and block access to suspicious links, which can be especially helpful in quashing phishing attacks.
- Micro-virtualization techniques that isolate a browser from the underlying operating system, stopping zero-day attacks from reaching it.
Protecting the ecosystem
In the future, a more comprehensive set of protections by operating system vendors may be beneficial, hinted AV-Test’s Morgenstern. “What is more important in future is protecting the ecosystem, similar to what Apple and Android are doing,” he said. He points to their app stores, which use automated scanning tools to protect users by trying to catch applications before they are made available.
Apple and Microsoft already have app stores for their laptop/desktop operating systems, in addition to their mobile ones. They don’t restrict users to these apps, but use the app store to showcase known legitimate ones and provide a form of comfort and convenience for users. It’s like a walled garden with the gate left open, but still won’t stop a determined user without an enterprise application whitelisting policy.
What else could be done? Simply be sensible, continued Morgenstern. “The hardening of client systems can help. Don’t work with an admin account, keep the OS and other software up-to-date, and use application control/whitelisting.”
Anti-virus software will be around as long as viruses are. But perhaps it’s time to call it something else. Just as the term malware or potentially unwanted program (PUP) encompasses a whole array of sins, so anti-malware, too, now suggests a broader approach than mere static scans.
Whatever solution a company chooses, it should be unified, so that all of the protections are aware of each other and interoperate, said Beal.
“What ends up happening is that there are 7-9 different endpoint tools with 7-9 different agents on our endpoint, and none of them communicate with each other,” he said, arguing that it is better to replace it all with a single agent that does everything and integrates with other forms of security software such as network protection.
Layered defences designed to work together will help to prevent more problems on the endpoint before they happen. As always, though, the most important security tool is the one between your ears. Keep that in administrative mode, at least.