Closing the Antivirus Protection Gap

Transcription

1 A comparative study on effective endpoint protection strategies May 2012 WP-EN

2 Introduction Corporate economic concerns have put increased pressure on already limited IT resources in recent years as the onslaught of malware and sophistication of cyber attacks continues to grow at exponential rates. As a result, 50% of endpoint operating costs are directly attributable to malware, 1 yet, corporate IT budgets are still focused on maintaining stand alone antivirus as the keystone in endpoint security. In this paper, we will benchmark the effectiveness of standalone AV and O/S resident patching solution versus newer technologies and a defense-in-depth of approach of layering multiple endpoint security and operational technologies together. Methodology Defining the Average Corporate Endpoint In order to conduct comparative malware testing, a model of the Average Corporate Endpoint was defined. The Average Corporate Endpoint was chosen to be representative of a business oriented end-user computer in terms of Operating System, installed applications and average IT operational and security practices. A Microsoft Windows 7 Enterprise (64-bit) machine, part of an Active Directory domain, was chosen as the best representative of an average enterprise desktop endpoint. The Average Corporate Endpoint test (ACE) system was loaded with Microsoft Forefront Endpoint Protection 2010 to represent an average 3rd party antivirus provided solution. Forefront was configured to provide maximum protection. This configuration is shown in Figure 1 and archive (.zip,.cab) and removable media scanning were also enabled. When trying to represent the ACE, it is also of value to consider the level of patching support in place as most malware still seeks to exploit known vulnerabilities within existing applications or within the OS. It was assumed that the OS and all Microsoft applications would be fully patched with the current Patch Tuesday update available, as patch mechanisms (e.g. Windows Updater, WSUS) are widely used to ensure timely patching. 1. Ponemon Institute, 2011 State of Endpoint Risk, December

3 Figure 1: Forefront Configuration There are numerous studies indicating that patch lags exist, are problematic for smaller organizations 2 or represent a significant and all too real exposure. 3 Update mechanisms such as Windows Update or WSUS do not natively extend their support to 3rd party applications, which in reality represent a significant portion of the applications found on any desktop endpoint. For third party applications, patches were applied, however, it was assumed that these applications might suffer from patch lag. To represent the real world exposure of average corporate desktops, a maximum patch lag of 3 months was chosen. The assumptions made about patching concurrency may indeed by optimistic as there are numerous examples of exploit that utilized aged vulnerabilities for which a patch had long been available (e.g. Conficker). 4 The Average Corporate Endpoint software is summarized in the tables below. 2. Derek E. Brink, To Patch or Not to Patch (Not If, But How) October 2011, Aberdeen Group 3. Derek E. Brink, Is Your Vulnerability Management Program Leaving You at Risk (Most Likely, Yes) June 2011, Aberdeen Group

4 Microsoft Application Software Microsoft Forefront Endpoint Protection 2010 Microsoft Office 2007 Microsoft Internet Explorer 9 Version at Time of Test Up-to-date with current signatures Up-to-date Up-to-date Table 1: Average Endpoint Software - Microsoft Applications Application Software Mozilla Firefox Google Chrome Google Chrome Adobe Flash Player Adobe Acrobat Reader Adobe Shockwave Player Apple QuickTime Java Runtime Environment Real Network RealPlayer Version at Time of Test Patch Up-to-date (Latest patch older than 3 months) Patch Up-to-date (Latest patch older than 3 months) Table 2: Average Endpoint Software - 3rd Party Applications Intelligent Whitelisting and Timely Patch Management To explore the malware prevention efficacies of technologies beyond standard antivirus and Microsoft patching, an additional test configuration was defined. The well known exponential growth of novel malware 5 represents a very real challenge for antivirus, which must continue to incorporate the ever increasing known bad (malware signatures). Heuristics, site blocking and increased rapidity of malware identification (often provided through cloud-based signatures and/or reputation) have been some of the techniques introduced by vendors to keep up with malware growth and decrease infection rates. Alternatively, application whitelisting aims to allow only the known good applications. This trades the problem of tracking of an explosive amount of malware to the more pragmatic management of a limited number of desired applications. 5. Frost and Sullivan, Cybersecurity Market: Malware Historical Growth Patterns and Future Projections, Global,

5 The comparative system known as the Lumension Endpoint Management and Security Suite or L.E.M.S.S., incorporates application whitelisting through the Lumension Intelligent Whitelisting Solution which is an integrated solution across Lumension Antivirus, Lumension Application Control and Lumension Patch Management. This test system was configured utilizing the Easy Lockdown process which takes an automated "snapshot" of an endpoint, which is then used to create an application whitelist and begin enforcement of whitelist policies. With the addition of Lumension Patch Management Vulnerability coverage was then extended to the 3rd party applications resident on the ACE. Microsoft Forefront is not present on L.E.M.S.S. test system nor is the Microsoft (WSUS) update agent is utilized in this test configuration. Real World Malware It was decided that the most effective comparison would use real malware, found in the wild, in order to best represent the growing reality of zero day threats. To facilitate this effort, Lumension contracted with an independent malware research organization 6 with expertise in malware attack vectors. Over a sevenday period, more than 2100 individual samples were collected in the wild and directed against each of the configured test systems. The malware test set included trojans, backdoors, PUAs, ransomware, viruses, rootkits and worms. The Average Corporate Endpoint, utilizing only Microsoft Forefront Endpoint Protection 2010 and the Windows Update Agent, was found to be highly vulnerable to a significant amount of malware allowing download and execution of 23% of the malware introduced each day. A minimum of 300 malware samples were tested each day against this configuration and the number of daily misses is referenced in Figure 2. As antivirus signatures are updated frequently, the test methodology did allow time for the antivirus technology to utilize updated signatures. To measure this, any sample that executed previously (missed on the previous day) was retested on the current day. The number of samples caught on subsequent testing varied from 5 to 40 samples with an average delay of just over 2 days for the signature to catch up with the malware. The cumulative number of missed samples remained significant at the conclusion of a week s testing with 19.2% of malware successfully executing on the Average Corporate Endpoint. 6. MRG (Malware Research Group) Effitas 4

6 New Malware Samples Missed Per Day Number of Samples Test Day Figure 2: Daily Malware Samples Missed The multi-faceted security approach of the L.E.M.S.S. test provided to be highly successful throughout the life of the test. The use of the Lumension Endpoint Management and Security Suite which supplied Intelligent Whitelisting as well as Patch and Remediation blocked all malware execution attempts. Though some recent has suggested shortcomings of defense-in-depth strategies in the world of software 7, these findings support the traditional view that a layered security approach affords the best protection. 8 The aggregate malware testing results are illustrated in Figure Prescott E. Small, Defense in Depth: An Impractical Strategy for a Cyber World, November Steve Ragan, RSAC 2012: Malware growth and why layered security is still king, March 2012, Malware-growth-and-why-layered-security-is-still-king 5

7 Cumulative Malware Samples Missed Number of Samples Test Day Figure 3: Daily Malware Samples Missed The overall malware blocking effectiveness is shown in Figure 4. This clearly illustrates the growing ineffectiveness of antivirus when used in a standalone manner vs. a more robust approach that utilizes more effective security technologies such as application whitelisting combined with other solutions such as robust patch management and antivirus. 6

8 Cumulative Malware Blocking Effectiveness Blocking Percentage Test Day Figure 4: Daily Malware Samples Missed 7

9 Potential TCO Benefits Malware may have a dramatic detrimental impact on an organization originating from loss of private customer data, corporate intellectual property and reputation. Quantifying the economic loss to the enterprise stemming from a significant breach of corporate defenses is difficult as the repurcusions of reputation damage are long-lasting. Malware s more mundane but not insignificant fiscal effects include the loss of employee productivity and increased help desk costs. Lumension has developed a True Cost of Malware Calculator 9 to help organizations understand these all too real costs. The calculator allows for customization of a large number of parameters, which allows a realistic organization specific model to be developed. Figure 5 below shows the representative output modeling a 1000 endpoint enterprise. Figure 5: TCO Calculator 1000 Endpoint Deployment

10 The TCO benefit from simply reducing the number of malware incidents and endpoint reimaging to recover from severe malware infections is significant. For example, a 1000 node enterprise, where the monthly malware incidents are reduced 40 to 10, may realize over an impressive 31% reduction in overall TCO. Comparative Total Cost of Ownership 1000 Endpoint Enterprise Total Cost of Ownership (USD) Deployment Year 40 Figure 6: Enterprise TCO vs. Malware Prevalence Conclusion It is clear that the de facto security standard for malware prevention employed in the Average Corporate Endpoint, traditional antivirus coupled with native patching services, delivers significant risk along with increased cost of operations across an enterprise endpoint environment. The Pareto Principle associates 80% of effects to 20% of causes. If this principle applies to malware prevention, then the 20% exposure to malware which exists with traditional antivirus may represent a corporate loss risk four times greater than that which is being protected. Certainly no security solution is perfect; however, even economically challenged IT operations may be better served by considering a defense-in-depth approach when it comes to securing their corporate endpoints. 9

11 About Lumension Security, Inc. Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. Lumension: IT Secured. Success Optimized. More information can be found at Lumension, IT Secured. Success Optimized., and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners. Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ USA phone: fax: Vulnerability Management Endpoint Protection Data Protection Compliance and IT Risk Management 10