MARCH 2014 INFORMATION SECURITY Insider Edition

EDITOR’S DESK: AS MALWARE ADVANCES, SO MUST ANTIMALWARE DEFENSE PLANS

FEATURE: PROTECTION FROM ADVANCED MALWARE: WHAT WORKS BEST?

FEATURE: HOW TO PUMP UP YOUR ANTIMALWARE DEFENSES

ANTIMALWARE TO THE RESCUE: InfoSec pros know they must detect and repel advanced malware, but do they know how?

EDITOR’S DESK

As Malware Advances, So Must Antimalware Defense Plans

Stomping out malware would be lots easier if it just sat still. This Insider Edition helps make the fight against it more fair.

BY BRENDA L. HORRIGAN

IT’S GETTING HARDER for IT security pros to identify, much less stop, the bad stuff trying to break into their enterprise. Modern malware is a shape-shifter, continually changing as it tries to squeeze past the malware protection an enterprise already has in place. Lately it’s even grown octopus legs, reaching up to the highest levels of corporate networks but also down into the smartphone of the newest entry-level employee.

Advanced malware and its hacker-creators are probing your system defenses right now; a revamp of your enterprise’s antimalware strategies and systems can’t wait. That’s the message of this Insider Edition, which opens with emerging-technology expert Lisa Phifer on why we must think and strategize differently in order to defeat malware. In part two, Pete Lindstrom of Spire Security offers insights on how best to assess the antimalware products currently on the market, an assessment that must include a careful weighing of costs and benefits. Finally, Spyro Malaspinas demonstrates how to pump up your antimalware arsenal with supplemental products and tactics.

It’s a sad fact of the modern world that, even as more enterprises come to depend on antimalware products, that protection’s effectiveness is steadily declining. But this doesn’t mean antimalware efforts are for naught: Rather, like modern malware, your efforts must shift and stretch to keep your enterprise security intact.

BRENDA L. HORRIGAN is the associate managing editor for the Security Media Group.

INFORMATION SECURITY INSIDER EDITION / ANTIMALWARE, MARCH 2014

COVER STORY

REQUIRED: A REVAMPED ANTIMALWARE STRATEGY

Increasingly sophisticated malware can divert the attention of IT departments from low-level security gaps. Here’s why you need a strategy that works on all levels.

By Lisa Phifer

WHILE IT CONTINUES to fight increasingly clever attacks against on-site enterprise infrastructure, new malware is taking aim at lower-hanging fruit: under-secured smartphones, mobile applications, and other cloud services. As workers make more extensive use of such perimeter-less platforms, they create rich targets that require new antimalware protection strategies to mitigate these multifaceted new malware threats. Enterprises can defend themselves by understanding these new malware vectors, enforcing application policies, implementing new device-resident and cloud-based antimalware techniques, and leveraging other security tools.

FOLLOWING THE MONEY

Far more than fame or hacktivism, the malware industry is driven by financial gain and drawn to low-cost, high-profit attacks. This has been repeatedly proven as malware migrated from floppy to USB drives, email to Web, and browser to PDF, abandoning old haunts to seek out more vulnerable monocultures.


“As technology trends such as Web and mobile come to the forefront, that’s where malware refocuses,” says Intrepidus Group Principal Consultant Zach Lanier. “Mobile convergence creates an interesting opportunity: one device that delivers [non-stop] network, Web, media and application access. Because there are only so many players—Apple, […], the WebKit browser engine—a single bug can be leveraged to attack millions of users.”

In fact, cloud services like Google Apps “are a very large data repository for a wide range of companies and people,” Cisco Senior Threat Researcher Mary Landesman says. “Rather than trying to penetrate one [business] at a time, cloud is an avenue of attack to penetrate many. Increased return on investment means making money with less effort—cloud attacks are a natural progression of that.”

LOOKING FOR LOOPHOLES: MOBILE MALWARE AND SOCIAL MEDIA

Size and popularity are not the only draws. Commingled personal and business use, real-time communication, bring-your-own consumerization, and little or no IT control combine to make any discovered vulnerabilities more readily exploitable.

Lookout Principal Engineer Tim Wyatt has examined thousands of mobile applications from Apple’s AppStore, Google’s Android market and unofficial markets. “We’re still seeing the start-up phase of smartphone malware development. Attackers are experimenting with what they can do, inside and outside the enterprise. We haven’t yet seen massive self-replicating mobile malware, but we think that’s mostly because nobody has hit on a business model for untargeted attacks, beyond toll fraud,” he says.

Symantec tracked mobile malware monetization, including premium-rate SMS trojans, tracking spyware, search engine poisoning, pay-per-install/click schemes, repackaged adware, and identity theft. According to Product Manager John Engels, “We used to see these for Symbian. When iOS changed the landscape, Apple did a good job of building in [malware deterrents] such as sandboxing and AppStore review. Now Android is picking up where Symbian left off because it’s open, with alternative distribution paths that are a recipe for more challenging malware.”

Similar trends have been seen in malicious activity on social networks such as […]. “[Social media] malware tends to be user-focused: looking to gain access to the user’s account or credentials,” Cisco’s Landesman says. “Today’s biggest enterprise threats don’t evolve from social networks, but at some point, those could morph into more targeted attacks.”

For now, social media attacks tend to be untargeted. M86 Security Labs reports that Facebook scams surged in recent years as attackers searched for new ways to convince thousands to click on malicious links. From “like-jacking” and “comment-jacking” to photo tagging and rogue applications, social engineering tricks snared users into pay-per-click or pay-per-install scams—some leading to malware like the Koobface botnet Trojan. Facebook itself scans over a trillion clicks per day, blocking more than 200 million posts and messages carrying malicious links.

SOCIAL MEDIA SECURITY RISKS

For IT groups scrambling to stop malware on so many different fronts, deciding which threats to tackle can be a challenge. The best place to begin is by understanding emerging malware: targeted platforms, exploited vulnerabilities, and jeopardized business assets.

“Recently, the biggest threats have not attacked computers—they’ve attacked people,” says Symantec Security Response Director Kevin Haley. “We’re seeing [email] spam drop as attackers move to social media. Factors include shutdown of major botnets, growing ineffectiveness of spam, and natural migration to new vectors. Technology itself hasn’t changed that much; social engineering got better and toolkits made malware easier.”

To date, social media malware has gotten the biggest bang by aiming at Facebook, Twitter, and YouTube. For example, Twitter’s brevity, anonymity, and real-time communication have fostered many hacks since 2007—some involving account compromise, others malware dissemination. The two are intertwined, as legitimate and fraudulent top-followed accounts are used to phish thousands of victims. Shortened links, trend tags, and direct messaging further increase the odds of following tweets to malware.

As more businesses use Twitter to track industry news and communicate with customers, the associated risk is growing. Not only do fewer than one-quarter of enterprises block Twitter, but “companies cannot assume they don’t have a social networking presence,” Cisco’s Landesman says. “Nothing from a technology standpoint will solve this. You’re better off having practices in place to determine what’s being said about your company and your tone and action plan should a social networking crisis develop.” Such practices might involve rapidly detecting and reporting tweets that reference your brand but carry links leading to malware.

Facebook too has been plagued by attacks. However, Facebook tends to be more personal, resulting in individual rather than business risk. But millennials expect to use Facebook and other social networks 24/7: Over half of surveyed college students said they would not even consider taking a job with an employer that banned access. Rampant password reuse and bring-your-own devices also mean credentials gleaned by Facebook malware could well play a role in corporate account break-ins.

WORKFORCE AND MALWARE MOBILITY

In fact, consumer mobile network attack rates are skyrocketing, driven largely by employee-owned devices.


According to McAfee Senior Architect Igor Muttik, these unmanaged smartphones and tablets pose real enterprise risk. “Mobile devices are no longer just phones; they are now full computing devices. For example, they can record audio and video for blackmail or industrial espionage,” he says. “If somebody brings their device into the office, IT has no idea what’s on it. A blanket ban on personal devices isn’t going to succeed, so measurement of security is essential before allowing devices in or rejecting them.”

According to Muttik, market-leading devices—iPhones, iPads, and their Android counterparts—have similar OS security models. The latest incarnations of each deter malware through sandboxing, code signing, permissions, and hardware encryption. The biggest difference in malware risk, he says, lies in software sourcing.

“Apple has done a better job. Non-jailbroken iPhones have been pretty safe—to date we’ve seen only proof-of-concept malware in the AppStore—but it will not stay clean forever,” says Muttik. “The fact that Apple devices can be jailbroken illustrates there are vulnerabilities. Wherever you have both a browser and a kernel exploit, you can remotely own the device.”

Unfortunately, Android has not been so fortunate. Trend Micro estimated the malicious and high-risk Android apps in circulation at 1 million at the end of 2013; in-the-wild malware spiked last year. The firm now pegs the annual risk of an Android user encountering malware at four percent, compared to a 36 percent risk of clicking on a phishing link.

Tim Armstrong, a researcher for Kaspersky, believes a tipping point has been reached for Android malware. “We’re still seeing SMS as a vector, but we’ve seen rapid growth in sophistication since FakePlayer [the first Android SMS Trojan in late 2009]. We’re seeing malware like DroidDream exploit phones to gain [root] permissions, and Trojans like GGTracker download code,” he says.

DETERRING MALWARE THROUGH GOVERNANCE

CheckPoint Researcher Tomer Teller attributes this surge to unwise app downloads. “We can clearly see a big mobile malware shift from the Web to apps, using markets to bypass review, get distributed, and [solicit] installation through social engineering,” he says.

“The app review process is what makes Android less secure. There is no validation of the person distributing apps through the market. Open policies are good for developers, but a bad thing for users. Enterprises need to get involved with their [device] manufacturers and carriers to understand these threats, vulnerabilities, and risks,” Teller says.

While many would like Google to tighten Android Market policies, others see a need for IT to step in. “If enterprises can control apps, they can control their malware exposure,” Kaspersky’s Armstrong says. “Application management has potential to stop a lot of mobile malware from entering networks.”

Symantec’s Engels suggests using mobile device management (MDM) to enforce whitelists and control mobile apps in some use cases, for example iPads used for retail, logistics or health care. But Teller says whitelisting is problematic for employees who use their own devices. “Enterprises don’t have time to review [public] apps published on a daily basis. I think we’ll see [list providers] emerge to do second tier review and certification, helping enterprises [use blacklists] to make sure user-downloaded apps don’t have malware.”

Enterprises must rely on carriers to patch vulnerabilities exploited by malware. But Lookout’s Wyatt suggests auditing installed apps, correlated to known vulnerabilities. For enterprise-developed mobile apps, Wyatt recommends code review. “We often encounter apps that do not leverage OS security, send identities in the clear, or expose vulnerabilities in back-end apps. [Looking for these mistakes] would eliminate fundamental problems that we see [exploited] time and again,” he says.

ROLLING OUT NEW ANTIMALWARE PROTECTION

Additional strategies are needed to mitigate business-affecting malware delivered and executed outside corporate networks. New device-resident and in-the-cloud antimalware approaches can complement existing defenses.

“Even with bring-your-own devices, some policies are still applicable if not directly, then from a practices standpoint,” Lookout’s Wyatt says. “With the emergence of native and third-party MDM solutions, there are now enterprise-friendly ways to bolt security onto mobile devices that don’t have antimalware baked in.”

Specifically, MDM can not only mandate passwords and invoke remote wipe; it can also remotely install (or direct users to) mobile antimalware apps. Such scanners are readily available for Android, but not effective on iPhones or iPads due to OS restrictions.

Ultimately, many antimalware vendors recommend embedding antimalware “in the cloud.” For example, some carriers already deploy antimalware to deliver SMS filters and anti-phishing to subscribers. A growing number of Software as a Service providers apply internal antimalware measures like email attachment virus scanning, phishing URL filters and domain reputation systems, blocking malicious content before it can be delivered. Enterprises can follow suit by embedding in-the-cloud antimalware as they deploy private clouds.

Beyond in-the-cloud antimalware, cloud threat intelligence services can help to rapidly update malware signatures and deliver real-time threat analysis, detecting links that lead to social media malware and malicious applications, thereby reducing enterprise dependence on inevitably diverse website or market governance.

For example, McAfee analyzes events gathered from all over the Internet at over 100 million endpoints (including mobile devices) and 60 million gateways. According to CTO for Public Sector Phyllis Schneck, McAfee uses these events to create a real-time reputation weather map that shows storms forming on the Internet. Reputation data can then be delivered to human network operators and fed back into reputation-aware systems (e.g., secure Web gateways).

“This global threat intelligence enables the network to respond automatically, stopping attacks never seen before,” Schneck says. “If ISPs can use this to filter out a lot of [malicious] traffic before it reaches the enterprise, we can lower the profit model for botnets. The same methodology applies to cloud services—the cloud just changes where the bits and bytes are processed.”

STOPPING MALWARE INSIDE THE CORPORATE NETWORK

Even experts with a vested interest in new antimalware approaches recommend leveraging other types of security tools to battle malware, such as next-generation firewalls, secure Web gateways, data loss prevention and network behavior analysis (NBA). This strategy may not stop external infection, but it can reduce business impact, especially if platforms are reputation-aware.

“When users connect to corporate Wi-Fi, enterprises can easily send traffic through a secure Web gateway to kill off infected content,” Symantec’s Engels says. “When that same device connects to a home or mobile network, utilize that device’s native VPN client to route traffic through enterprise Web security.”

CheckPoint’s Teller recommends enterprises log mobile traffic to detect potential threats. “Using network behavior analysis can help you understand when something malicious starts. This didn’t work well for desktops due to false positives, but on the mobile side, I think NBA can detect when an infected smartphone starts side-loading apps or communicating with a [command-and-control] server,” he says.

In fact, Landesman says employers should use NBA to establish “new normal” baselines, including common malware traffic. “Social media worms like Koobface will always circulate. They still need to be mitigated, but their noise can cause IT to react to the wrong things, distracting from [higher risk] threats,” she says. NBA filters can help IT better home in on emergent malware.

Malware is an ongoing battle; we can be certain that attackers will continue to develop new malicious code and target new technology trends. But by raising awareness of new vulnerabilities and threats, and mitigating them through a multi-pronged antimalware strategy, enterprises arm themselves with a fighting chance against evolving threats.

LISA PHIFER owns Core Competence, a consulting firm specializing in business use of emerging network and security technology. Send comments on this article to [email protected].
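The network behavior analysis that Teller and Landesman describe above comes down to two steps: learn what each device normally talks to, then flag deviations while suppressing known noise. The Python script below is an added example written for this edition; it is not code from the article, from any of the quoted vendors, or from a shipping NBA product. The log line format, every hostname and device name (including the constructed known-noise domain), the timestamps and the thresholds in beaconing() are assumptions made for the example.

```python
"""Network behavior analysis for mobile devices: learn a per-device baseline,
then flag new destinations and periodic beaconing.

Added example, not from the article or any vendor's product. The log format,
every hostname, device name and timestamp, and the thresholds below are
constructed for illustration.
Assumed log line format: "<epoch_seconds> <device> <dest_host> <bytes>".
"""
from collections import defaultdict
from statistics import mean, pstdev

# Destinations treated as known noise (Landesman's point about worms that
# always circulate): still blocked upstream, but not worth an analyst alert.
KNOWN_NOISE = {"tracker.koobface-like.example"}


def parse(lines):
    """Yield (ts, device, host, nbytes) from raw log lines; skip malformed ones."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue


def build_baseline(records):
    """Per device, the set of hosts contacted during the learning period."""
    base = defaultdict(set)
    for _, device, host, _ in records:
        base[device].add(host)
    return base


def beaconing(timestamps, min_hits=4, max_cv=0.15):
    """True when contacts are regular enough to look like a heartbeat: the
    coefficient of variation (stdev/mean) of the inter-arrival gaps is at
    most max_cv and there are at least min_hits contacts."""
    if len(timestamps) < min_hits:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg > 0 and pstdev(gaps) / avg <= max_cv


def detect(baseline, records):
    """Return alerts as (device, host, reason) tuples for the detection window."""
    seen = defaultdict(lambda: defaultdict(list))   # device -> host -> [ts]
    for ts, device, host, _ in records:
        seen[device][host].append(ts)
    alerts = []
    for device, hosts in seen.items():
        for host, stamps in hosts.items():
            if host in KNOWN_NOISE:
                continue
            if host not in baseline.get(device, set()):
                alerts.append((device, host, "new destination"))
            if beaconing(stamps):
                alerts.append((device, host, "periodic beaconing"))
    return alerts


# Constructed learning-period log: ordinary mail and web use by two handsets.
LEARN = """\
1000 phone-a mail.corp.example 2048
1130 phone-a cdn.news.example 51200
1405 phone-a mail.corp.example 1900
1820 phone-a cdn.news.example 48000
1010 phone-b mail.corp.example 1800
1700 phone-b mail.corp.example 2200
""".splitlines()

# Constructed detection-window log: phone-a keeps its habits but also starts
# a roughly 60-second heartbeat to an unknown host; phone-b fetches a package
# from an unofficial market once and trips the known-noise domain.
DETECT = """\
5003 phone-a mail.corp.example 2100
5140 phone-a mail.corp.example 1950
5190 phone-a mail.corp.example 2300
5420 phone-a mail.corp.example 2050
5000 phone-a c2.unknown-host.example 412
5061 phone-a c2.unknown-host.example 410
5119 phone-a c2.unknown-host.example 415
5180 phone-a c2.unknown-host.example 412
5242 phone-a c2.unknown-host.example 409
5299 phone-a c2.unknown-host.example 413
5200 phone-b apk.unofficial-market.example 983211
5300 phone-b tracker.koobface-like.example 300
5400 phone-b mail.corp.example 1700
garbage line that the parser must skip
""".splitlines()


def run():
    """Build the baseline from LEARN and return sorted alerts from DETECT."""
    baseline = build_baseline(parse(LEARN))
    return sorted(detect(baseline, parse(DETECT)))


if __name__ == "__main__":
    for device, host, reason in run():
        print(f"{device} -> {host}: {reason}")
```

Run as a script it prints three alerts: phone-a's unseen destination, the same host flagged again for its regular 60-second heartbeat, and phone-b's single fetch from an unofficial market. The known-noise domain is counted but not alerted, and phone-a's irregular mail traffic is left alone. Two practical caveats: the learning window has to be long enough to see weekly habits, and a baseline captured while a device is already infected teaches the detector that the C2 traffic is normal, so build it from traffic that has first passed a reputation filter.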


PROTECTION FROM ADVANCED MALWARE: WHAT WORKS BEST?

Malware continues to hit enterprise systems. What are your best defense options now?

By Pete Lindstrom

IT SEEMS EVERY security vendor claims it has the unique capability to find and stop (or at least minimize the impact of) advanced malware, which can be loosely defined as “anything your existing antimalware product doesn’t catch, but probably not including old viruses and worms that we don’t really care about.”

In spite of these claims, it also seems like there is plenty of problem-space left—notable malware infections take place in enterprises as frequently as several per week to several per day. It causes one to question whether any investment in an antimalware product can pay dividends.

“Organizations are still getting infected by malware. They are purchasing blinking boxes promising solutions, but still suffer the same problems we saw 10 years ago,” said Lance James, head of cyberintelligence for Deloitte and Touche LLP. “The risks for the bad guys have hardly changed, and the rewards only seem to continue. It is probably time to consider another approach.”

No antimalware product will ever be 100% effective, yet there are many solid products that, for the right price, are good investments. But there are many variables to evaluate in selecting an appropriate and effective enterprise antimalware product.

CHOOSING ANTIMALWARE: TCO VS. RISK REDUCTION

The key to choosing any new product is to compare its projected total cost of ownership to the anticipated reduction in risk. In order to make this comparison, the enterprise must understand the key characteristics of the new product and determine the impact on cost.

In conducting this evaluation, it is important to cover all the costs. “I think a tragic mistake we make in IT is that we forget the tremendous burden antimalware sometimes puts on a system,” says Stu Berman, security architect for Steelcase. “It is a cost we ignore at our peril because the user feels it in longer boot times, slower processing, weird messages and other ways.”

An advanced malware-protection product sells itself if it can show how it accomplishes the following:

■ Prevents infections by blocking the infection process. Some products detect malware prior to it becoming resident on a system. Yet contemporary advanced antimalware products augment traditional signature-based technology with heuristic and reputation-based techniques. Sometimes this means allowing an initial infection but blocking the ones downstream—a small price to pay if it identifies dangerous malware.

■ Prevents damage by restricting access to sensitive resources. Some products contain an infection in a way that requires further exploitation to get at sensitive data or otherwise affect an environment. Ultimately, simply closing the container may eliminate these infections.

■ Increases speed of response. Some antimalware offerings employ a “fast-follower” approach by simultaneously evaluating binaries and alerting responders of an infection so they may take further action. Others may be able to quickly issue an alert and also provide forensic information for real-time response.

■ Increases speed of recovery for malware incidents. Even post-infection, products that capture more information about state (e.g., registry settings) and activity history (e.g., executables launched, network connections made) reduce the amount of time required to completely recover from an incident.

From a practical perspective, there are a number of product characteristics that must be evaluated, aside from the viability of the vendor, platform dependencies, integration with existing technology, and manageability, all of which should be standard in any evaluation exercise.

APPROACH

Given the four options, it is useful to consider what type of product may provide the best protection against advanced malware for the cost. Today there is a surprising variety of products tackling the problem using different approaches. Network sandboxes run binaries looking for malware within a self-contained environment. Endpoint-containment products isolate processes and keep them away from sensitive data. Endpoint monitoring or forensics offerings provide state and activity information. Even traditional antimalware may provide these or other capabilities.

Each of these product categories, and others, addresses malware-related risk in some way, though none provides a guarantee of success. Enterprise security architects must consider the characteristics of their environment to assess the likely effectiveness of any given technology.

IMPLEMENTATION AND MANAGEMENT CONSIDERATIONS

An advanced malware-prevention product’s features are critical in determining its value and effectiveness, but the way a product is implemented and managed plays a significant role as well. Below are several factors to consider.

■ Implementation location (network or endpoint): The most obvious decision point for an advanced malware-prevention product is whether it should reside on the network or on applicable endpoints. A network-based product is typically easier to implement but may miss some traffic, especially in a highly mobile environment. In addition, it may actually find malware that didn’t infect an endpoint because it had dependencies that were not present (like unpatched systems). An endpoint-based solution can be challenging to implement and manage, never mind that the organizational politics of selling key stakeholders on the product may be challenging in the face of Windows upgrades, bring-your-own-device initiatives and VDI projects. But endpoint-based products frequently provide more comprehensive coverage and have more flexibility in response.

■ Cloud integration: Almost all of today’s advanced malware protection products provide some cloud capability, not only to aggregate threat intelligence or assess reputation, but also to make the malware determination. With the rapidly evolving nature of the malware threat, it is pretty clear that aggregated data provides a better opportunity for success than the standalone deployment. That said, some products don’t need a cloud component, and some organizations are simply against both sharing their data and using cloud resources.

■ Threat intelligence and attribution: Some products work hard to monitor online “gangs” known to be at work in China, Eastern Europe and other locations around the world. Some organizations want the ability to attribute different attacks. Conversely, many organizations don’t have the resources or desire to pursue the many attackers out there and simply want protection from presumed opportunistic threats.

■ Evasion, false negatives and false positives: Perhaps the most important question for any advanced malware-protection product lies in its ability to actually find the bad stuff with a minimal amount of noise. Unfortunately there is no way to make an absolute determination. There is simply too much variability in activity, environments and implementations. Suffice it to say every technology can be evaded, and almost every product misses some malware and catches some legitimate software. It is up to the organization to rely on references and reports at a minimum, and where possible to set up its own test bed to evaluate solutions in a manner that matches the organization’s objectives.

COST JUSTIFICATION

The best way to identify the appropriate advanced malware-protection product for your organization is to determine whether you really need one. At the very least, the cost justification requires weighing two things: the total cost of purchasing, implementing and managing the new product, and the anticipated risk of not proceeding with the project.

The key expenses that may be reduced by a new advanced malware-protection product revolve around recovery from existing infections. If, for example, the average infection is estimated to cost the organization $1,000 in help desk and desktop support and lost productivity, then an organization can break even with a product that costs $100,000 if it reduces the number of calls by 100.

Aside from the run-of-the-mill virus infection, these solutions aim to protect against particularly nasty attacks that result in much larger incidents. These types of incidents are (thankfully) less frequent and require some measured guesswork. Regardless of the challenge, an organization again can use a break-even analysis, comparing total costs to expected risk reduction.

Ultimately, all of the products providing advanced malware protection have a value proposition that satisfies some subset of the marketplace. It is up to the organizations to determine whether the features of a given product fit into their environments the best, but applying the principles discussed here will help ensure the cost of a product is in line with its true value.

PETE LINDSTROM is vice president of research for Spire Security, an industry analyst firm providing analysis and research in the information security field. He has held similar industry analyst positions at the Burton Group and Hurwitz Group.
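Two of Lindstrom's recommendations above, testing candidates on your own test bed and then running a break-even comparison, can be wired together so the test results feed the cost model directly. The Python below is an added example for this edition, not the author's model and not any vendor's numbers: the labelled sample set, the two products' verdicts, the yearly infection count, the volume of legitimate new binaries, the false-positive cost and the product prices are all constructed. The only figure taken from the article is the $1,000 per infection.

```python
"""Score candidate advanced-malware products on a labelled test set, then
turn the scores into the break-even comparison the article describes.

Added example, not the author's model or any vendor's numbers. The sample
set, the verdicts, the infection rate and every cost are constructed; the
$1,000 per infection is the article's own figure.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Score:
    detection_rate: float        # malicious samples caught / malicious samples
    false_positive_rate: float   # benign samples flagged / benign samples
    true_positives: int
    false_positives: int
    false_negatives: int


def score(truth: dict, verdicts: dict) -> Score:
    """truth: {sample_id: True if malicious}; verdicts: {sample_id: True if flagged}.
    A sample missing from verdicts counts as not flagged (the product timed out
    or never saw it), which is how it would behave in production."""
    tp = fp = fn = tn = 0
    for sample, malicious in truth.items():
        flagged = verdicts.get(sample, False)
        if malicious and flagged:
            tp += 1
        elif malicious:
            fn += 1
        elif flagged:
            fp += 1
        else:
            tn += 1
    malicious_total = tp + fn
    benign_total = fp + tn
    return Score(
        detection_rate=tp / malicious_total if malicious_total else 0.0,
        false_positive_rate=fp / benign_total if benign_total else 0.0,
        true_positives=tp, false_positives=fp, false_negatives=fn,
    )


def annual_cost(s: Score, infections_per_year: float, cost_per_infection: float,
                benign_events_per_year: float, cost_per_false_positive: float,
                product_cost: float) -> float:
    """Expected yearly spend with the product in place: the infections it
    misses, the legitimate software it wrongly blocks, and the product itself."""
    missed = infections_per_year * (1.0 - s.detection_rate)
    noise = benign_events_per_year * s.false_positive_rate
    return missed * cost_per_infection + noise * cost_per_false_positive + product_cost


def break_even_infections(product_cost: float, cost_per_infection: float) -> float:
    """How many infections a product must prevent per year to pay for itself."""
    return product_cost / cost_per_infection


# Constructed test set: 52 samples, 12 malicious (m*) and 40 benign (b*).
TRUTH = {f"m{i}": True for i in range(12)}
TRUTH.update({f"b{i}": False for i in range(40)})

# Constructed verdicts: product X catches 10 of 12 but flags one benign file;
# product Y catches 8 of 12, flags nothing, and never returned a verdict for m11.
VERDICTS = {
    "X": {**{f"m{i}": True for i in range(10)}, "m10": False, "m11": False,
          **{f"b{i}": False for i in range(40)}, "b7": True},
    "Y": {**{f"m{i}": True for i in range(8)}, "m8": False, "m9": False, "m10": False,
          **{f"b{i}": False for i in range(40)}},
}

# Constructed business assumptions.
INFECTIONS_PER_YEAR = 300         # infections seen with no new product
COST_PER_INFECTION = 1_000        # the article's figure
BENIGN_EVENTS_PER_YEAR = 20_000   # new legitimate binaries seen per year
COST_PER_FALSE_POSITIVE = 50      # help-desk time to unblock one file
PRODUCT_COST = {"X": 100_000, "Y": 60_000}


def compare():
    """Return {product: (Score, expected annual cost)} plus a do-nothing row."""
    out = {}
    for name, verdicts in VERDICTS.items():
        s = score(TRUTH, verdicts)
        out[name] = (s, annual_cost(s, INFECTIONS_PER_YEAR, COST_PER_INFECTION,
                                    BENIGN_EVENTS_PER_YEAR, COST_PER_FALSE_POSITIVE,
                                    PRODUCT_COST[name]))
    out["none"] = (None, INFECTIONS_PER_YEAR * COST_PER_INFECTION)
    return out


if __name__ == "__main__":
    for name, (s, cost) in compare().items():
        if s is None:
            print(f"{name}: expected annual cost ${cost:,.0f}")
        else:
            print(f"{name}: detect {s.detection_rate:.0%}, FP {s.false_positive_rate:.1%}, "
                  f"expected annual cost ${cost:,.0f}")
```

Under these assumptions product X catches 83% of the samples with one false positive in forty, and product Y catches 67% with none; both beat doing nothing ($300,000 a year), but the cheaper Y comes out ahead at $160,000 against X's $175,000 because X's false positives are charged at the volume of legitimate software the organization actually sees. Raise or lower the benign-event volume and the ranking flips, which is exactly why the comparison has to be made with your own traffic numbers rather than a vendor's brochure.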


HOW TO PUMP UP YOUR ANTIMALWARE DEFENSES

The antimalware technology now at work in the average enterprise is steadily becoming less effective. Here are ways to pump up your defenses.

By Spyro Malaspinas

ANTIMALWARE HAS BEEN steadily losing its effectiveness over the last few years, yet it remains a security staple among CISOs. The choice to stick with antimalware as a component of an enterprise endpoint protection program usually hinges on the need to satisfy compliance and regulatory mandates like PCI DSS and HIPAA, the continued inclusion of antimalware on security best practices lists, or the uncertainty of how to replace the legacy endpoint security tool of choice for the last three decades.

Regardless of the reason, it’s becoming increasingly evident that adversaries have been successful in crafting malware to avoid detection by the leading antimalware products, particularly Web-based malware defenses. Some staggering facts:

■ According to a Sophos Ltd. report, 85% of all malware (viruses, worms, spyware, adware and Trojans) comes from the Web; drive-by downloads are considered the largest Web threat.


■ Sophos also reports that 30,000 websites are infected daily; 80% are legitimate sites that have been hacked so that cybercriminals can use them to host malicious code.

■ Content Agnostic Malware Protection (CAMP), a malware-detection component that Google Inc. built into its Chrome Web browser in 2013, was able to detect more than 5 million malware downloads per month. CAMP detected malware at a rate of 99%, which decimated four leading security vendors’ Web-based antivirus products: McAfee Inc. SiteAdvisor, Symantec Corp. Safe Web, Trend Micro’s Site Safety Center and Google’s own Safe Browsing. In a recent comparison conducted by Google, collectively these products were able to detect 40% of the malicious code they encountered; the top-performing product was only able to detect 25% of the malicious code.

■ Following the test, Google’s CAMP Project selected 2,200 previously unknown binaries and submitted them to VirusTotal, a service that facilitates the creation of antivirus signatures for newly discovered malicious code. After 10 days, 99% of the binaries detected by CAMP were detected by only 20% of the antivirus products mentioned above.

In case malware defense shortcomings weren’t already painfully obvious, these data points illustrate just how inadequate signature-based antimalware products have become. Traditional AV products can no longer be trusted to detect malware, period. Yet if signature-based antimalware is the wrong tool, what are the right tools? Do they even exist? I say they do, with some caveats.

MALWARE DETECTION ALTERNATIVES

Like all security pickles, the solution is not a one-size-fits-all approach. There are a variety of tools and approaches that can be used in concert to achieve a much higher level of security for endpoints, both within the data center walls and in the hands of employees. But mileage may vary based on the unique challenges each organization faces.

■ Content filtering: Since 85% of all malware is distributed via the Web (with drive-by downloads being the biggest threat), it only makes sense to provide some level of content filtering within your enterprise. There are two key types of defensive tools that should be widely deployed:

1. Web proxies: The number of vendors here is in the double digits, and the technology has been around for quite some time. Companies like Blue Coat Systems Inc. and Websense Inc. offer subscription-based services where sites can be permitted or blocked based upon policy. Additionally, these services provide intelligence and dynamic updates to keep users from visiting known malicious sites. The caveat here is that these products aren’t able to detect zero-day exploits and, as with signature-based antimalware, there will be delays in getting the bad sites identified and signatures pushed out. While Web proxies may be just one link in your malware defense armor, they are an important one.

2. DNS filtering: Tools like OpenDNS actively prevent users from visiting known harmful sites by blacklisting domains so a user can’t even browse to them. It also offers a whitelisting service. OpenDNS users benefit from millions of users collaborating to provide faster intelligence about the estimated 30,000 new sites that are infected with malware each day. Implementation is straightforward and there are a number of big-name clients that use this service as a first line of defense in protecting Web users. The best part? These services don’t require on-premises appliances or expensive hardware.

■ Browser-based security: Web browser components similar to Microsoft’s SmartScreen (a part of Internet Explorer 8 and above) have been effective in keeping users from visiting malicious sites. According to Microsoft, its product has blocked over 1 billion attempted […] another initiative that allows Google Chrome users to take advantage of Google’s vast and dynamic knowledge base about malicious sites.

■ Host-based anomaly/forensic tools: These are still maturing in the market but offer significant new defensive capabilities geared toward the more prized assets of a company: database servers, financial systems, email servers, and executives’ and other high-risk users’ systems. In theory, an agent sits on each endpoint and will first develop a baseline of a system’s normal activities (applications run, network connections/shares opened, memory calls, and files accessed, while monitoring open sockets, among other things). Once a baseline is complete, these agents then continue to monitor the system, looking for irregular activity that may be malicious.

Some of these product vendors have partnered with other vendors and service providers, like VirusTotal. They will automatically upload suspicious or unknown binaries for analysis when a user downloads an application or binary from the Internet, an email or even a USB drive.

The tools can also provide significant advantages in the event of a breach. In a normal breach situation, forensic tools are installed on compromised systems after the breach.
Some of the tool sets offered by cut- downloads of malicious code to date. Google CAMP is ting-edge vendors like Carbon Black, Mandiant and

15 INFORMATION SECURITY INSIDER EDITION / ANTIMALWARE n MARCH 2014 PUMP IT UP

Guidance Software’s Encase have been pre-installed benchmark and identify malicious behavior that can be HOME and offer visibility into what may have happened before used to fingerprint similar behavior across other sys-

EDITOR’S DESK the breach, what led to the breach and what happened tems and networks. as a result of the breach. WHY YOU MUST Because malware is constantly evolving, relying on a REVAMP YOUR ANTIMALWARE n Virtualization protections: Yet another technology singular malware defense system or even the same combi- STRATEGY that has been gaining momentum during the last sev- nation of defenses for an extended period of time is often

WHAT ADVANCED eral years is security through virtualization or isolation. a foolish choice. We cannot assume that the tools we used MALWARE PROTECTION These technologies don’t rest on their laurels for reac- to protect our most prized IT assets today can be used five WORKS BEST? tive detection through signatures or blacklists. years from now. So as the transition away from signature- PUMPING UP YOUR Through virtualization and isolation, vendor Bro- based antimalware and toward these new techniques be- ANTIMALWARE mium Inc. seeks to isolate each process and application gins, remember that it is essential to reevaluate the threat DEFENSE on a computer on top of its own micro virtual machine. environment on an ongoing basis and make adjustments These micro VMs operate in a cloud formation on the accordingly. n local host, thereby separating out processes such as those associated with Web browsers, office suites, email and so on. SPYRO MALASPINAS, CISSP, CISM, CISA, QSA PCI–DSS, GCIH, Alternatively, FireEye Inc. offers a virtualization CCNA, Six Sigma, is a principal at 3Factor LLC. He formerly served container that allows security professionals to evalu- as the PCI practice leader at Symantec Corp., a senior security ate suspected malware in a controlled environment, consultant at VeriSign Inc., and security architect at IBM. He has been engaged in breach response for three of the largest five thus allowing for analysis without subjecting the rest of breaches in U.S. history. He performs compliance assessments, the environment to the unknown risks of foreign code. remediation, risk and compliance program management functions Analysts can replay suspected attacks and analyze com- for some of the largest global merchants and service providers. promised virtualized systems with malware code to He can be contacted at [email protected].
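The baseline-then-monitor loop described under Host-based anomaly/forensic tools above, as an added example that is not part of the original article and is not any vendor’s product code: the event format, host names and the queue-for-analysis hook are assumptions made for this illustration.

```python
"""Baseline-then-monitor logic of a host-based anomaly agent (added illustration,
not any vendor's code; event tuples and the submission hook are constructed)."""

# Constructed telemetry: (host, event_type, detail) recorded during the learning
# window: applications run, connections opened, files accessed.
BASELINE_EVENTS = [
    ("ws01", "exec", "winword.exe"),
    ("ws01", "exec", "outlook.exe"),
    ("ws01", "connect", "tcp/443"),
    ("ws01", "file", "C:\\Users\\alice\\Documents"),
    ("db01", "exec", "sqlservr.exe"),
    ("db01", "connect", "tcp/1433"),
]

# Constructed monitoring-phase events; fs02 never completed a baseline.
MONITOR_EVENTS = [
    ("ws01", "exec", "winword.exe"),          # normal for this host
    ("ws01", "exec", "unknown_updater.exe"),  # never seen on this host
    ("ws01", "connect", "tcp/9001"),          # never seen on this host
    ("db01", "connect", "tcp/1433"),          # normal for this host
    ("fs02", "exec", "backup.exe"),           # no baseline yet
]

def build_baseline(events):
    """Map host -> event_type -> set of details seen as normal."""
    baseline = {}
    for host, kind, detail in events:
        baseline.setdefault(host, {}).setdefault(kind, set()).add(detail)
    return baseline

def monitor(baseline, events):
    """Return (anomalies, to_submit, unbaselined): deviations, unseen executables
    queued for external analysis (the article's VirusTotal-style upload; only
    collected here), and hosts with no baseline, which must not be scored yet."""
    anomalies, to_submit, unbaselined = [], [], set()
    for host, kind, detail in events:
        if host not in baseline:
            unbaselined.add(host)      # scoring now would flag everything
            continue
        if detail in baseline[host].get(kind, set()):
            continue
        anomalies.append((host, kind, detail))
        if kind == "exec":
            to_submit.append(detail)   # a real agent would submit the file hash
    return anomalies, to_submit, unbaselined

if __name__ == "__main__":
    print(monitor(build_baseline(BASELINE_EVENTS), MONITOR_EVENTS))
```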


© 2014 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group. TechTarget, 275 Grove Street, Newton, MA 02466, www.techtarget.com
