Think Your Anti-Virus Software Is Working? Think Again.
As attacks proliferate, anti-virus software can’t keep up. Fortunately, there’s a better way.

We’ve been so bombarded by computer viruses, worms, Trojan horses and other malware that we’ve become acclimated to their presence. We subscribe to an anti-virus (AV) offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studies show that even though most organizations use AV, more and more are succumbing to attacks. It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency.

March 2011 WP-EN-03-11-11
Introduction
We’ve been so bombarded by computer viruses, worms, Trojan horses and other malware that we’ve become acclimated to their presence. We accept that they’re always going to be a threat. So we subscribe to an anti-virus (AV) offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studies show that even though most organizations use AV, more and more are succumbing to attacks. Even the leading anti-virus purveyors have admitted as much:

“Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.”
Rowan Trollope, Senior Vice President, Symantec
A View into the Blacklisting Security Model
In this security model you’re at the whim of your AV vendor’s ability to digest new malware from the world at large, analyze it, write a new AV signature and syndicate it down to you as a new definition file. From here you must ensure that every endpoint has the latest file. But what if there are machines that are offline and not connected to the network? How long will it take to make sure the new definition file is on every machine? How much IT bandwidth will be required to make this happen in a timely fashion, and what’s the performance hit to the network and each endpoint? A blacklist approach is no longer effective as a stand-alone defense against today’s threats.

In particular, organizations are falling prey to “zero-day” attacks – viruses that haven’t yet been identified by AV providers and therefore simply cannot be protected against.

The problem is fundamental to AV’s design. AV is built upon a “blacklisting” approach where the notion is to let all traffic in and then, hopefully, identify and remedy whatever your AV provider has been able to define as being “bad”. It’s like leaving your front door wide open and allowing anyone to simply wander into your home, hoping you’ll recognize the criminals before they do any damage.

Clearly a more effective way would be to let in only the applications you’ve approved, and block everything else. This is a process known as application control, or “whitelisting” – the opposite of AV’s blacklisting approach.

Application whitelisting is a mature, proven security strategy, but it was never designed with the flexibility to accept much change, such as constantly updating applications, frequent patch updates, etc. Traditionally, application whitelisting has been more widely adopted for “locked down” systems for which change is minimally introduced – systems such as point of sale terminals, e-commerce servers, and ATM machines – that is, up until now.

Today, application whitelisting has evolved to become more flexible and easier to use, while still maintaining its robust security enforcement. However, relying on any one solution to defend your endpoints will leave you exposed and vulnerable. That’s why many organizations have implemented multiple layers of stand-alone security technologies. But in doing so, organizations have created a much more complex and burdensome endpoint environment to manage, with limited visibility, inefficient performance, increasing TCO, and a losing battle against increasing IT security threats. It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency.
Putting AV in Its Place
First, let’s be clear: AV is still a relevant technology within the endpoint security arsenal, and one that should be used consistently across the enterprise to help manage fast-spreading and widely known malware. However, relying on AV as your primary defense against malware locks you into an arms race that you will never be able to win. There are a number of reasons for this:

1. The exponential growth in malware and the exploitation of application vulnerabilities
AV vendors typically report finding millions of new pieces of malware every year – some as many as 60,000 per day. What’s more, this malware is exploiting a rising volume of software application vulnerabilities. In 2010, the vulnerability count exceeded 8,000, and users saw about four times more vulnerabilities in third-party software than in Microsoft applications [1].
2. The growing sophistication of malware
The motivation for producing malware increasingly is to steal data and make money. So the attacks are becoming more targeted, and the malware involved is getting harder to detect. For example, so-called polymorphic and metamorphic malware can automatically mutate in an attempt to avoid detection by anti-virus technology. In addition, malware is maturing as an industry unto itself – the proliferation of malware exploitation kits and malware-as-a-service (MAAS) are effectively automating the distribution of new malware at unprecedented rates.

[Chart: Number of Vulnerabilities, 2005–2010 (y-axis 4,000 to 11,500). Source: Secunia Yearly Report, 2010]

3. The declining effectiveness of AV
Consider the numbers. AV software detects only 19 percent of new attacks, according to cyber-intelligence firm Cyveillance. That number increases to just 62 percent after 30 days. Overall, AV misses 10.2 percent of all malware, according to a recent study by AV-Test and PC World – or about 6,100 of the 60,000 new pieces of malware reported each day. That’s roughly one breach every 14 seconds.

[Chart: Average No. of New Malware Discovered per Minute, 2007–2010; values shown: 11.1, 20.1, 31.9, 41.7. Extrapolated from McAfee Labs, McAfee Threats Report: Third Quarter 2010.]

In short, AV is necessary but not sufficient. Today there are simply too many attacks, vulnerabilities and connections for AV to remain the safeguard it once was.

Just How Effective is AV?
The numbers are bleak. Here’s what the Computer Security Institute, which publishes an annual computer security survey, found on AV usage and success rates over the past 10 years:

Year | Organizations Using AV | Organizations With Malware Issues
2001 | 98% | 94%
2002 | 98% | 85%
2003 | 99% | 82%
2004 | 99% | 78%
2005 | 96% | 74%
2006 | 97% | 65%
2007 | 98% | 52%
2008 | 97% | 50%
2009 | 98% | 64%
2010 | 97% | 67%

Between 96 percent and 99 percent of organizations were using AV. But their success against malware didn’t match their usage rates. From 2001 to 2008, malware issues steadily improved. But in the past two years that trend has reversed, and malware issues have been increasing. Even in the best year, 2008, fully one-half of organizations had problems with malware.

1. Secunia Yearly Report, 2010
Mounting Endpoint Costs
All that malware results in additional costs. In fact, 48 percent of organizations reported an increase in their IT operating expenses, according to a 2010 Ponemon Institute study commissioned by Lumension. Significantly, 50 percent said a main driver of that cost increase was malware. Such costs include:

1. The cost for deploying, managing and updating AV software. All for software that isn’t doing a particularly good job of protecting your endpoints.
2. The performance hit against computer servers and networks for running AV that has to monitor a growing amount of network traffic and malware signatures. Some vendors are touting cloud-based AV solutions that place the malware signature database in the cloud. But whether the bandwidth crunch is at your endpoints or in between you and the cloud, it’s a performance hit nonetheless.
3. There’s also the cost for helpdesk calls and time spent cleaning up and reimaging employee laptops and other infected endpoints. And increasingly, those helpdesk calls involve more Tier 2 and Tier 3 escalations.
4. Then there’s the cost of lost data – from individual files to entire disk drives to entire databases. And increasingly sophisticated attacks target sensitive and proprietary data such as personal information and intellectual property.
5. Finally, there is the cost of network downtime and the resulting loss in productivity. IT loses productivity by having to address problems caused by malware rather than focusing on more strategic activities. Your users lose productivity as they sit around waiting for their laptops or desktops to be reimaged or for the network to come back up. Such losses can be difficult to measure but are clearly very real – and damaging to your bottom line.

[Figure: Traditional Endpoint Security Effectiveness versus Malware Signatures and Malware-Related Costs. Drivers shown: Malware as a Business, Exponential Growth, Increasing Sophistication, Ineffectiveness of AV. 2007: 250K monthly malware signatures identified; 2011: 1.8M monthly malware signatures identified.]

As malware increases, your cost of endpoint operations will undoubtedly continue to rise as well.
Application Whitelisting: A More Effective Defense
Whitelisting is by its very nature a more effective defense against malware. It prevents any unknown or unwanted software – including known and unknown malware – from executing on your computers.

The mechanism whitelisting uses is fundamentally different from that of AV. Instead of identifying the millions of known pieces of malware and blocking them, whitelisting allows only authorized programs and associated files to execute. No other programs are permitted to run, period.

Whitelisting establishes a policy that covers operating systems, business applications and user executables. It can also deflect attempts to change this approved configuration, such as attacks that burrow into existing files to evade AV scanners.

But while traditional whitelisting has historically been viewed as a strong and effective security tool, it hasn’t been perceived as operationally efficient within a dynamic endpoint environment. That’s because at its foundation, application control is about preventing change from occurring. That’s fine for static environments such as mission-critical servers, which typically don’t require much change. But in today’s complex and dynamic computing environment, constant change is a requirement. Users both inside and outside your organization’s walls use a growing and changing array of applications every day to do their jobs and remain productive – resulting in constantly evolving endpoint configurations that are unique to each user.

So how do you leverage the rock-solid security of whitelisting while enabling the flexibility you need in today’s business environment? The answer lies in intelligent whitelisting.

Endpoint Security for a Zero-Day Reality
With traditional anti-virus (AV) software, you’re defenseless against “zero-day” malware – that is, malware that takes advantage of a recently discovered vulnerability where no patch yet exists and is so new that no AV vendor has a signature defined or deployed. With application whitelisting, however, you’re already better protected by default – without needing to wait for the latest vulnerability patch or anti-virus definition.
Intelligent Whitelisting: A Smarter Approach
Applying an intelligent approach to application whitelisting makes it flexible enough to serve today’s dynamic endpoints. But application whitelisting is intelligent only if it’s seamlessly layered into an overall endpoint security framework that includes a spectrum of other endpoint security and management tools, including AV, patch management and other technologies.

Lumension® Intelligent Whitelisting™ effectively combines application whitelisting, AV, patch management and trust-based change management into a single, unified solution that can defend against known and unknown malware. Yet it also delivers organizational and operational flexibility and ease of use to ensure that business productivity is not impacted – in even the most dynamic endpoint environments. Lumension Intelligent Whitelisting integrates the most effective third party security tools and techniques that traditionally were siloed into one seamless security platform suite. The result is more effective endpoint security, with the flexibility you need to ensure that organizational productivity is not impacted and to reduce your total cost of ownership.

[Figure: Intelligent Whitelisting as the combination of Anti-Virus, Patch Management and Application Control.]

Go here to learn more about how Lumension® Intelligent Whitelisting works.
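As an added illustration, not Lumension code and not a description of how Lumension Intelligent Whitelisting is implemented, the following Python simulation contrasts the default-allow blacklist model described earlier in this paper with the default-deny whitelist model of the previous section, and adds a constructed trust-based change step in which an update from an approved publisher is admitted without a manual whitelist edit. The sample program images, the known-malware “signature” and the “patch-server” publisher name are all constructed for the example.

```python
"""Default-allow (AV blacklist) versus default-deny (application whitelist).
Constructed simulation, not Lumension code: sample "binaries", the known-malware
signature and the 'patch-server' publisher name are all invented."""
import hashlib
from dataclasses import dataclass, field

def fingerprint(image: bytes) -> str:
    """SHA-256 of a program image; a one-byte change yields a new fingerprint."""
    return hashlib.sha256(image).hexdigest()

@dataclass
class BlacklistPolicy:
    """AV model: anything runs unless it matches a known-bad signature."""
    signatures: set[str]

    def allows(self, image: bytes) -> bool:
        return fingerprint(image) not in self.signatures

@dataclass
class WhitelistPolicy:
    """Application control: only fingerprints approved in advance may run."""
    approved: set[str] = field(default_factory=set)
    trusted_publishers: set[str] = field(default_factory=set)

    def allows(self, image: bytes) -> bool:
        return fingerprint(image) in self.approved

    def apply_trusted_change(self, publisher: str, new_image: bytes) -> bool:
        """Trust-based change (constructed model): an update delivered by a
        trusted publisher is approved automatically; other sources are refused."""
        if publisher not in self.trusted_publishers:
            return False
        self.approved.add(fingerprint(new_image))
        return True

# Constructed program images standing in for real executables.
APPROVED_APP = b"word-processor v1.0"
KNOWN_MALWARE = b"old-worm"                          # AV has a signature for this
ZERO_DAY = b"never-seen-before dropper"              # no signature exists yet
TAMPERED_APP = APPROVED_APP + b"\x00injected-code"   # approved file modified in place

def compare_policies() -> dict[str, tuple[bool, bool]]:
    """Return {sample: (blacklist_allows, whitelist_allows)} for the four cases."""
    av = BlacklistPolicy(signatures={fingerprint(KNOWN_MALWARE)})
    wl = WhitelistPolicy(approved={fingerprint(APPROVED_APP)})
    samples = {"approved": APPROVED_APP, "known_malware": KNOWN_MALWARE,
               "zero_day": ZERO_DAY, "tampered": TAMPERED_APP}
    return {name: (av.allows(img), wl.allows(img)) for name, img in samples.items()}

if __name__ == "__main__":
    for name, (av_ok, wl_ok) in compare_policies().items():
        print(f"{name:14s} blacklist allows={av_ok!s:5s} whitelist allows={wl_ok}")
```

The zero-day and tampered samples pass the blacklist because no signature exists for them, while the whitelist refuses both by default; the trusted-change path shows how a whitelist can absorb routine updates without opening that default.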
Is Your Organization Best-in-Class?
A recent report on endpoint security by Aberdeen Group compared “best-in-class” and “laggard” organizations. It found that both best-in-class and laggards had deployed baseline security technologies such as anti-virus (AV). But the best-in-class organizations were far more likely to be early adopters of best-in-class security technologies. Among those best-in-class technologies were application controls such as application whitelisting.

One benefit achieved by best-in-class organizations was a year-over-year reduction in costs. They achieved this by decreasing the number of endpoint security incidents, as well as the average time to identify and address them:

Key Performance Indicator | Year-Over-Year Advantage
Number of endpoint security incidents | 13.5%
Time to identify incidents | 3.2%
Time to address incidents | 6.8%
Total cost of addressing incidents | 9.3%
Number of endpoint helpdesk calls | 9.3%
User disruption from endpoint downtime | 9.4%
Endpoint management costs | 10.9%
Staff dedicated to endpoint security | 4.5%

It’s interesting to note that the best-in-class saw a 3.8 percent decrease, year-over-year, in the number of endpoint-security incidents. The laggards, meanwhile, had a 9.7 percent increase. Every year, for support, management, security and compliance, and reinstallation, reimaging and recovery, best-in-class organizations saved $24 per endpoint.

The Benefits of Intelligent Whitelisting Accrue
Intelligent whitelisting delivers numerous benefits:

»» More Effective Endpoint Security: Intelligent Whitelisting delivers the most effective way to prevent unwanted and unauthorized applications and malware. And it can prevent zero-day attacks without waiting for an AV signature or vulnerability patch. Plus, Lumension Intelligent Whitelisting allows IT to better manage local admin users, by placing limits on the kinds of software they can install while also restricting access to local system consoles typically used to make system configuration changes.

»» Reduced Endpoint Complexity and TCO: By integrating anti-virus, application control and patch management within the Lumension Endpoint Management and Security Suite, IT can reduce the overall complexity and cost of managing the endpoint environment caused by multiple, stand-alone security technologies. Lumension Intelligent Whitelisting helps IT to:

• Reduce costs for blocking malware, remediating infections, managing endpoints and running your helpdesk.
• Deliver excellent performance compared to AV. AV software has to process a list of millions of attack signatures. Application whitelisting checks a much shorter list of allowed executables and modifiable system files, without impeding response times.
Likewise, it enables you to reduce “agent bloat” and complexity at the endpoint.
• Manage endpoint security and operational workflows within one console as opposed to having to work across multiple applications and consoles. This provides IT with greater visibility and control over endpoints while reducing administrative burden and cost.
• Improve endpoint performance by reducing agent bloat and ensuring only trusted applications are allowed to run. This, combined with the diminished need for constant AV scans, ensures that endpoint resources are optimized and not consumed unnecessarily.

»» Improved IT Operations and Productivity: Lumension Intelligent Whitelisting simplifies IT administration, because it automatically associates protected applications with trusted sources. There’s no need for constant human intervention. And it simplifies the security of endpoints with one view as opposed to leveraging multiple point technologies.

• As a result, you can enable more productive users while achieving greater visibility and control over your endpoint-security configuration.
• Lumension Intelligent Whitelisting also allows employees to do their jobs more effectively, because IT can establish application policies for users and roles, affording greater flexibility for those that require more change and a more stringent policy for those that don’t need as much flexibility in order to perform their job responsibilities.

An Intelligent Future
The days of just installing AV and trusting that you’re protected are long gone. There are too many vulnerabilities in your organization’s applications. Too many applications being downloaded onto your desktops and laptops. Too many new instances of viruses, worms, Trojan horses and other malware. And too much associated cost in lost time, resources and productivity due to malware.

Today, the best defense against malware is intelligent whitelisting, with a unified security approach using a flexible, trusted change model to afford maximum risk mitigation and minimal administrative burden. Ultimately, intelligent whitelisting can dramatically reduce malware infection rates and lower the total cost of protecting endpoints, all while improving employee and IT productivity.

Before you think about simply renewing your AV subscription, you might want to stop and think again.
About Lumension Security, Inc.
Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Compliance and Risk Management offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Florida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, Lumension Patch and Remediation, Lumension Vulnerability Management Solution, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters
8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255 USA
phone: +1.888.725.7828 fax: +1.480.970.6323
www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management