An Old Dog Had Better Learn Some New Tricks

Transcription

1 ANALYST BRIEF An Old Dog Had Better Learn Some New Tricks PART 2: ANTIVIRUS EVOLUTION AND TECHNOLOGY ADOPTION Author Randy Abrams Overview Endpoint protection (EPP) products are ineffective against many modern attacks. Information technology (IT) professionals have realized that even layered defenses cannot prevent the successful intrusion of advanced persistent threats (APTs), targeted persistent attacks (TPAs), and malicious hackers exploiting zero- day vulnerabilities. As a result, enterprises are concluding that they must assume they have been, or will be, breached. The realization of compromise is driving rapid growth in the breach detection system (BDS) market. Expeditious breach detection and remediation has taken center stage, as discussed in a November 2013 article in Forbes: Why Do Tech Execs Lack Confidence In Security? 1 Modern attacks continue to evade all layers of defense, and enterprises are looking to BDS to augment their current defenses. Security vendors that offer a complete portfolio including protection, containment, and remediation, will displace entrenched vendors with incomplete offerings. The relevance of EPP products in the enterprise space will become predicated upon their inclusion of a BDS offering. 1 do- tech- execs- lack- confidence- in- security/

2 NSS Labs Findings Effective security strategies must have in place a contingency plan for the inevitable breach. Targeted attacks are succeeding even in the face of sophisticated, layered defenses. EPP vendors have a short time during which they can exploit their areas of competence with respect to designing a BDS before they lose their advantage. EPP vendors without a BDS offering will soon lose relevance in the enterprise space. NSS Labs Recommendations Implement a BDS where risk tolerance mandates rapid response to breaches. Utilize empirical test data when evaluating a BDS. Formulate a security and incident response policy that assumes the network has been breached, or will be breached. If current BDS offerings are cost prohibitive, closely monitor the BDS space, as competition will drive down costs. Test proprietary line- of- business applications thoroughly for compatibility and false positives when evaluating a BDS. 2

3 Table of Contents Overview... 1 NSS Labs Findings... 2 NSS Labs Recommendations... 2 Analysis... 4 Defense in Depth Doesn t Always Work... 4 Porous Defenses... 4 The Element of Surprise... 5 Necessity Is the Mother of Invention... 5 BDS Basics... 6 The Future of EPP... 7 EPP Advantages... 7 The Window of Opportunity... 7 Pitfalls and Risks... 8 The Race Is On... 8 Reading List... 9 Contact Information

4 Analysis EPP products have proven ineffective at blocking threats created by determined attackers. Additionally, firewalls, next generation firewalls (NGFW), intrusion prevention systems (IPS), and every combination of layered security products fail to prevent breaches. A BDS must identify and report a breach within 48 hours to be effective. Rapid detection of breaches limits the amount of data an attacker can obtain. The intrusion detection system (IDS) may not be responsive enough to prevent the attacker from collecting all desired data. The concept of assume the breach has been gaining traction in the enterprise space. The BDS market is experiencing growth as enterprises increasingly recognize that successful breaches are inevitable. EPP products, formerly known as antivirus (AV) products, are beginning to enter this lucrative market space. EPP vendors that fail to add a BDS to their portfolio will soon lose relevance in the enterprise market space. Defense in Depth Doesn t Always Work Early defense- in- depth strategies included using one AV product on the gateway and exchange servers, and a different AV product on the endpoints. This practice is still in use today but is problematic because EPP products have a poor track record of blocking exploits. The attack landscape has evolved from one where malware directly confronts EPP to malware being delivered through the exploitation of vulnerable applications. EPP engines initially were not designed to protect against exploits. It took significant redesign of the existing engines to adapt to the dynamic differences between malware detection and exploit protection. Modern payloads created by cyber criminals often undergo extensive quality control to ensure EPP products do not detect them on release. The EPP industry is improving its exploit detection and protection; however, many EPP products are not keeping pace with the market leaders. In an attempt to layer security, enterprises deploy EPPs and then add firewalls, or even NGFWs, as well as IPS, only to find that the perimeter defenses have failed to prevent breaches. Porous Defenses NSS Labs Stefan Frei, PhD, analyzed hundreds of layered pairs of security devices and documented his findings in the analyst brief Correlation of Detection Failures. 2 Dr. Frei s research correlated an extensive data set and found the average single EPP product s failure rate for exploit detection is 45 percent. When two EPP products were deployed, the rate dropped to 26 percent, which is significantly better but still allows for an unacceptable level of risk. For NGFW/IPS devices, the average single device failure rate is 5.8 percent, and the average joint rate is 0.8 percent. Averages, however, can be deceiving: Of 606 unique paired security product combinations, only 3 percent were able to detect all of the tested exploits. Dr. Frei and Francisco Artes, Chief Technology Architect at NSS, published Modeling Exploit Evasions in Layered Security, 3 a research paper that employs modeling to graphically display the relationships and correlations of unblocked exploits through a layered security stack of hardware and software tools. 2 See Reading List 3 See Reading List 4

5 Figure 1 High- Level Unrecognized Exploit Correlation The green dots displayed in Figure 1 are the devices under test (DUT): an EPP product, an NGFW, and an IPS. The blue dots next to each DUT represent exploits that evade the DUT. The blue dots between the DUTs are the exploits that evade the combination of DUTs. The blue dots in the middle represent exploits that evade all three DUTs that form a layered defense. The Element of Surprise By using signatures and heuristics, EPP products are able to perform quite well against known threats and unknown threats. However, determined attackers have sufficient time to refine their malware as many times as is required in order to evade EPP detection. EPPs are inexpensive and are easily tested offline, and cyber criminals exploit these attributes in order to evade detection by EPP offerings across the board. Targeted attacks do not have to evade every combination of security product; therefore, a test matrix for a target typically is manageable and cost effective. There are no complete defenses against these attacks. Targeted persistent attacks (TPAs) are a significant threat to the modern enterprise. The TPA often uses well- known technologies, publically known exploits, and social engineering to breach the targeted enterprise. Necessity Is the Mother of Invention In 2011, RSA and TechAmerica held a closed- door summit that reportedly included more than 100 cyber security leaders from think tanks, industry associations, defense, and law enforcement. Participants represented aerospace 5

6 and defense, critical infrastructure, legal, finance, energy, technology and manufacturing. 4 Some of the key findings that were reported include: Organizations must learn to live in a state of compromise Supply chain poisoning is on the rise Customization the TPA s calling card defies traditional signature- based approaches Today s attackers are better at real- time intelligence sharing than are their targets Correcting this is a top priority Focus on early detection of breaches to minimize the window of vulnerability 5 The focus on rapid detection of breaches brought about the BDS industry and is driving growth in this market will see significantly more vendors with new BDS products, and NSS predicts BDS sales will reach USD $1 billion by BDS Basics NSS defines BDS as systems that are implemented to identify and report actual breaches as well as attempted breaches. Figure 2 displays the minimum requirements of a BDS. Centralized management is an essential component of an enterprise BDS and includes client configuration, mitigation response, reporting, and other management functionality. Application awareness signifies that the BDS can monitor application traffic across a variety of common protocols. While machine identification is required for remediation, user/group identification provides contextual information for mitigation and for potential further forensics. Malware identification may not name a specific sample but rather provides an analysis of behaviors and action performed by the malware. Performance measurements are related to the nature of the BDS implementation. Common metrics would include traffic capacity; the number of concurrent TCP connections the BDS is capable of supporting; HTTP capacity (both with and without transaction delays); stability; and other capabilities of- cyber/rsa%20- %20APT%20Summit%20Findings% pdf 6

7 NSS Labs Analyst Brief An Old Dog Had Better Learn Some New Tricks Figure 2 BDS Taxonomy The Future of EPP EPP Advantages EPP products that quickly bring to market robust BDS offerings enjoy some inherent advantages over pure- play vendors. BDS require sensor nodes throughout the network. Most of the systems that require sensors already have traditional EPP products installed. Thousands of clients may require sensors that must provide telemetry to a BDS management system. EPP products are already collecting client telemetry in massive global enterprise deployments. A BDS must have a response mechanism. This is a feature that is already present in EPP products; however, it should be noted that the triggers for responses are currently different than those for a BDS. The use of the cloud is integral to BDS offerings. Several EPP products utilize cloud technologies and have done so for a few years. EPP products already have extensive experience in remediation. Some BDS players are lacking this feature. The Window of Opportunity Several traditional EPP vendors are beginning to enter the BDS space; for example, AhnLab, which was the only EPP vendor offering a BDS that NSS tested in However, NSS 2014 testing of BDS will include offerings from several entrenched EPP vendors. Consumer- focused EPP offerings will not need to offer BDS in the near future; however, enterprises that purchase EPP- based BDS are likely to mandate the corporate EPP solutions for workers that use their own devices. 7

8 Consumer- centric EPPs will experience slower growth if not an outright reduction in sales. For any EPP vendor, a decrease of its consumer base results in a loss of client sensors for their cloud- based telemetry. The effectiveness of the cloud intelligence is significantly impacted by a shortage of endpoint sensors. Traditional EPP vendors have been leveraging the cloud for content- agnostic malware protection (CAMP), the same technology that has increased security against socially engineered attacks in Internet Explorer and Chrome. CAMP is the technology behind much of the Windows 8 Application Reputation (App Rep) technology; however, EPP products have a broader scope of coverage than does Microsoft s App Rep. The technologies used for CAMP are present in many BDS implementations. The advantages of experience in remediation and existing client services will not last long. Other players in the BDS space will buy or develop competitive remediation abilities and have compelling reasons to add or replace client- side software services. EPP products already have clients on endpoints and network ingress and egress points. Limiting the number of software drivers and services on the endpoint is attractive to enterprises. EPPs already have familiar consoles that collect telemetry, monitor client status, and generate reports. Unified management is highly attractive to enterprises. The need for BDS is growing rapidly enough that EPP vendors not offering a BDS in a timely manner will miss their window of opportunity and likely become acquisition or merger candidates in the BDS space. Pitfalls and Risks The EPP market has a history of low customer loyalty. Traditionally, the enterprise space has been slower to change solutions than smaller businesses, but NSS considers that EPP products with no BDS offering will endure a significantly higher loss of customers than will those with effective BDS, and they will suffer the same loss of sensors that the consumer offerings will experience. When an EPP fails to detect malware, as is increasingly the case with TPAs, it is, by definition, the BDS that reports the breach. In a hypothetical situation, an enterprise deploys Acme brand EPP on the endpoints and network, but it also deploys a standalone BDS from competing EPP vendor, Best. The Best brand EPP will appear to be a better solution since its BDS can detect and remediate intrusions that the Acme EPP fails to block. Given equivalent suitability for a specific environment, the probability of the enterprise switching to Best brand s EPP in addition to using its BDS is high. It is better for an EPP vendor to discover it s own mistakes than for a competitor to discover them; Best brand will increase its appearance of effectiveness because its BDS component detected the intrusions that its EPP component missed. In the case where a BDS with no EPP offering is catching the intrusions, the EPP solution will appear to be underperforming and runs a high risk of being replaced at the next refresh cycle. EPP products that do not have BDS offerings will no longer have relevance in many enterprise environments. The Race Is On EPP vendors already face competition from other EPP vendors within the BDS market. Any advantages in experience over BDS vendors that do not currently include remediation will be short lived. There are EPP vendors with BDS in the market; there are EPP vendors with BDS solutions that are well into development; and there are EPP vendors with plans to develop their own BDS. All other EPP vendors within the enterprise market can expect to suffer a significant loss of market share. 8

9 Reading List Breach Detection Systems (BDS): Is this the Answer for Zero- Day Malware? NSS Labs detection- systems- bds- answer- zero- day- malware Breach Detection: Don't Fall Prey to Targeted Attacks. NSS Labs detection- dont- fall- prey- targeted- attacks 2013 Corporate AV/EPP Comparative Analysis - Exploit Protection. NSS Labs corporate- avepp- comparative- analysis- exploit- protection Microsoft Takes Scammers to CAMP. NSS Labs takes- scammers- camp Correlation of Detection Failures. NSS Labs detection- failures Modeling Exploit Evasions in Layered Security. NSS Labs evasions- layered- security The Targeted Persistent Attack (TPA) The Misunderstood Security Threat Every Enterprise Faces. NSS Labs persistent- attack- tpa- misunderstood- security- threat- every- enterprise- faces 9

10 Contact Information NSS Labs, Inc. 206 Wild Basin Rd Building A, Suite 200 Austin, TX USA +1 (512) This analyst brief was produced as part of NSS Labs independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analysis brief NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors. Please note that access to or use of this report is conditioned on the following: 1. The information in this report is subject to change by NSS Labs without notice. 2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader s sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report. 3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON- INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF. 4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader s expectations, requirements, needs, or specifications, or that they will operate without interruption. 5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report. 6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners. 10