ANALYST BRIEF

An Old Dog Had Better Learn Some New Tricks
PART 2: ANTIVIRUS EVOLUTION AND TECHNOLOGY ADOPTION

Author: Randy Abrams

Overview

Endpoint protection (EPP) products are ineffective against many modern attacks. Information technology (IT) professionals have realized that even layered defenses cannot prevent the successful intrusion of advanced persistent threats (APTs), targeted persistent attacks (TPAs), and malicious hackers exploiting zero-day vulnerabilities. As a result, enterprises are concluding that they must assume they have been, or will be, breached.

The realization of compromise is driving rapid growth in the breach detection system (BDS) market. Expeditious breach detection and remediation have taken center stage, as discussed in a November 2013 article in Forbes: Why Do Tech Execs Lack Confidence In Security? [1]

Modern attacks continue to evade all layers of defense, and enterprises are looking to BDS to augment their current defenses. Security vendors that offer a complete portfolio including protection, containment, and remediation will displace entrenched vendors with incomplete offerings. The relevance of EPP products in the enterprise space will become predicated upon their inclusion of a BDS offering.

[1] http://www.forbes.com/sites/emc/2013/11/19/why-do-tech-execs-lack-confidence-in-security/
NSS Labs Findings

- Effective security strategies must have in place a contingency plan for the inevitable breach.
- Targeted attacks are succeeding even in the face of sophisticated, layered defenses.
- EPP vendors have a short time during which they can exploit their areas of competence with respect to designing a BDS before they lose their advantage.
- EPP vendors without a BDS offering will soon lose relevance in the enterprise space.

NSS Labs Recommendations

- Implement a BDS where risk tolerance mandates rapid response to breaches.
- Utilize empirical test data when evaluating a BDS.
- Formulate a security and incident response policy that assumes the network has been breached, or will be breached.
- If current BDS offerings are cost prohibitive, closely monitor the BDS space, as competition will drive down costs.
- Test proprietary line-of-business applications thoroughly for compatibility and false positives when evaluating a BDS.
Table of Contents

Overview ... 1
NSS Labs Findings ... 2
NSS Labs Recommendations ... 2
Analysis ... 4
Defense in Depth Doesn't Always Work ... 4
Porous Defenses ... 4
The Element of Surprise ... 5
Necessity Is the Mother of Invention ... 5
BDS Basics ... 6
The Future of EPP ... 7
EPP Advantages ... 7
The Window of Opportunity ... 7
Pitfalls and Risks ... 8
The Race Is On ... 8
Reading List ... 9
Contact Information ... 10
Analysis

EPP products have proven ineffective at blocking threats created by determined attackers. Additionally, firewalls, next generation firewalls (NGFW), intrusion prevention systems (IPS), and every combination of layered security products fail to prevent breaches. A BDS must identify and report a breach within 48 hours to be effective. Rapid detection of breaches limits the amount of data an attacker can obtain. The intrusion detection system (IDS) may not be responsive enough to prevent the attacker from collecting all desired data.

The concept of "assume the breach" has been gaining traction in the enterprise space. The BDS market is experiencing growth as enterprises increasingly recognize that successful breaches are inevitable. EPP products, formerly known as antivirus (AV) products, are beginning to enter this lucrative market space. EPP vendors that fail to add a BDS to their portfolio will soon lose relevance in the enterprise market space.

Defense in Depth Doesn't Always Work

Early defense-in-depth strategies included using one AV product on the gateway and exchange servers, and a different AV product on the endpoints. This practice is still in use today but is problematic because EPP products have a poor track record of blocking exploits. The attack landscape has evolved from one where malware directly confronts EPP to one where malware is delivered through the exploitation of vulnerable applications. EPP engines initially were not designed to protect against exploits. It took significant redesign of the existing engines to adapt to the dynamic differences between malware detection and exploit protection. Modern payloads created by cyber criminals often undergo extensive quality control to ensure EPP products do not detect them on release. The EPP industry is improving its exploit detection and protection; however, many EPP products are not keeping pace with the market leaders.
In an attempt to layer security, enterprises deploy EPPs and then add firewalls, or even NGFWs, as well as IPS, only to find that the perimeter defenses have failed to prevent breaches.

Porous Defenses

NSS Labs' Stefan Frei, PhD, analyzed hundreds of layered pairs of security devices and documented his findings in the analyst brief Correlation of Detection Failures. [2] Dr. Frei's research correlated an extensive data set and found the average single EPP product's failure rate for exploit detection is 45 percent. When two EPP products were deployed, the rate dropped to 26 percent, which is significantly better but still allows for an unacceptable level of risk. For NGFW/IPS devices, the average single device failure rate is 5.8 percent, and the average joint rate is 0.8 percent. Averages, however, can be deceiving: of 606 unique paired security product combinations, only 3 percent were able to detect all of the tested exploits.

Dr. Frei and Francisco Artes, Chief Technology Architect at NSS, published Modeling Exploit Evasions in Layered Security, [3] a research paper that employs modeling to graphically display the relationships and correlations of unblocked exploits through a layered security stack of hardware and software tools.

[2] See Reading List
[3] See Reading List
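As an added worked example (not from the brief or from Dr. Frei's paper), the following Python compares the paired failure rates quoted above with what independent failures would predict, and expresses the gap as a phi correlation between the two layers' misses. It assumes both products in a pair miss at the quoted average single-product rate, so the quoted paired rate is read as the probability that both miss the same exploit.

```python
import math

# Exploit-miss rates quoted in the brief (Correlation of Detection Failures):
# EPP 45% single / 26% paired, NGFW/IPS 5.8% single / 0.8% paired.
BRIEF_FIGURES = {
    "EPP pair": (0.45, 0.45, 0.26),
    "NGFW/IPS pair": (0.058, 0.058, 0.008),
}


def independent_joint_miss(p_a, p_b):
    """Joint miss rate if the two layers failed independently of each other."""
    return p_a * p_b


def failure_correlation(p_a, p_b, joint):
    """Phi coefficient between the two layers' miss events.

    Assumption: each product in the pair misses at its quoted single-product
    rate and `joint` is P(both miss). 0 means independent failures; a positive
    value means the second layer tends to miss the exploits the first missed.
    """
    denom = math.sqrt(p_a * (1 - p_a) * p_b * (1 - p_b))
    return (joint - p_a * p_b) / denom


def joint_miss_for_correlation(p_a, p_b, phi):
    """Inverse of failure_correlation: P(both miss) for given miss rates and phi."""
    return p_a * p_b + phi * math.sqrt(p_a * (1 - p_a) * p_b * (1 - p_b))


def layer_report(p_a, p_b, joint):
    """Summarise how far a layered pair falls short of independent failure."""
    indep = independent_joint_miss(p_a, p_b)
    return {
        "observed_joint_miss": joint,
        "independent_joint_miss": indep,
        "excess_miss_factor": joint / indep,   # > 1: worse than independence predicts
        "phi": failure_correlation(p_a, p_b, joint),
        "second_layer_gain": 1 - joint / p_a,  # share of layer A's misses caught by B
    }


if __name__ == "__main__":
    for name, (p_a, p_b, joint) in BRIEF_FIGURES.items():
        r = layer_report(p_a, p_b, joint)
        print(f"{name}: observed {r['observed_joint_miss']:.1%} vs independent "
              f"{r['independent_joint_miss']:.2%} (x{r['excess_miss_factor']:.2f}), "
              f"phi={r['phi']:.2f}, second layer catches {r['second_layer_gain']:.0%}")
```

For the NGFW/IPS figures the observed joint miss rate is more than double what independence would predict, which is the quantitative form of the brief's point that a second layer buys less than its headline rate suggests.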
[Figure 1: High-Level Unrecognized Exploit Correlation]

The green dots displayed in Figure 1 are the devices under test (DUT): an EPP product, an NGFW, and an IPS. The blue dots next to each DUT represent exploits that evade the DUT. The blue dots between the DUTs are the exploits that evade the combination of DUTs. The blue dots in the middle represent exploits that evade all three DUTs that form a layered defense.

The Element of Surprise

By using signatures and heuristics, EPP products are able to perform quite well against known threats and unknown threats. However, determined attackers have sufficient time to refine their malware as many times as is required in order to evade EPP detection. EPPs are inexpensive and are easily tested offline, and cyber criminals exploit these attributes in order to evade detection by EPP offerings across the board. Targeted attacks do not have to evade every combination of security product; therefore, a test matrix for a target typically is manageable and cost effective. There are no complete defenses against these attacks.

Targeted persistent attacks (TPAs) are a significant threat to the modern enterprise. The TPA often uses well-known technologies, publicly known exploits, and social engineering to breach the targeted enterprise.

Necessity Is the Mother of Invention

In 2011, RSA and TechAmerica held a closed-door summit that reportedly included more than 100 cyber security leaders from think tanks, industry associations, defense, and law enforcement. Participants represented aerospace
and defense, critical infrastructure, legal, finance, energy, technology and manufacturing. [4] Some of the key findings that were reported include:

- Organizations must learn to live in a state of compromise.
- Supply chain poisoning is on the rise.
- Customization, the TPA's calling card, defies traditional signature-based approaches.
- Today's attackers are better at real-time intelligence sharing than are their targets; correcting this is a top priority.
- Focus on early detection of breaches to minimize the window of vulnerability. [5]

The focus on rapid detection of breaches brought about the BDS industry and is driving growth in this market. 2014 will see significantly more vendors with new BDS products, and NSS predicts BDS sales will reach USD $1 billion by 2018.

BDS Basics

NSS defines BDS as systems that are implemented to identify and report actual breaches as well as attempted breaches. Figure 2 displays the minimum requirements of a BDS. Centralized management is an essential component of an enterprise BDS and includes client configuration, mitigation response, reporting, and other management functionality. Application awareness signifies that the BDS can monitor application traffic across a variety of common protocols. While machine identification is required for remediation, user/group identification provides contextual information for mitigation and for potential further forensics. Malware identification may not name a specific sample but rather provides an analysis of behaviors and actions performed by the malware. Performance measurements are related to the nature of the BDS implementation. Common metrics would include traffic capacity; the number of concurrent TCP connections the BDS is capable of supporting; HTTP capacity (both with and without transaction delays); stability; and other capabilities.

[4] http://www.emc.com/about/news/press/2011/20110913-01.htm
[5] http://www.cyberconflict.org/repository/nature-of-cyber/rsa%20-%20APT%20Summit%20Findings%202011.pdf
[Figure 2: BDS Taxonomy]

The Future of EPP

EPP Advantages

EPP products that quickly bring to market robust BDS offerings enjoy some inherent advantages over pure-play vendors:

- A BDS requires sensor nodes throughout the network. Most of the systems that require sensors already have traditional EPP products installed.
- Thousands of clients may require sensors that must provide telemetry to a BDS management system. EPP products are already collecting client telemetry in massive global enterprise deployments.
- A BDS must have a response mechanism. This is a feature that is already present in EPP products; however, it should be noted that the triggers for responses are currently different than those for a BDS.
- The use of the cloud is integral to BDS offerings. Several EPP products utilize cloud technologies and have done so for a few years.
- EPP products already have extensive experience in remediation. Some BDS players are lacking this feature.

The Window of Opportunity

Several traditional EPP vendors are beginning to enter the BDS space; for example, AhnLab, which was the only EPP vendor offering a BDS that NSS tested in 2013. However, NSS's 2014 testing of BDS will include offerings from several entrenched EPP vendors.

Consumer-focused EPP offerings will not need to offer BDS in the near future; however, enterprises that purchase EPP-based BDS are likely to mandate the corporate EPP solutions for workers that use their own devices.
Consumer-centric EPPs will experience slower growth if not an outright reduction in sales. For any EPP vendor, a decrease of its consumer base results in a loss of client sensors for its cloud-based telemetry. The effectiveness of the cloud intelligence is significantly impacted by a shortage of endpoint sensors.

Traditional EPP vendors have been leveraging the cloud for content-agnostic malware protection (CAMP), the same technology that has increased security against socially engineered attacks in Internet Explorer and Chrome. CAMP is the technology behind much of the Windows 8 Application Reputation (App Rep) technology; however, EPP products have a broader scope of coverage than does Microsoft's App Rep. The technologies used for CAMP are present in many BDS implementations.

The advantages of experience in remediation and existing client services will not last long. Other players in the BDS space will buy or develop competitive remediation abilities and have compelling reasons to add or replace client-side software services. EPP products already have clients on endpoints and network ingress and egress points. Limiting the number of software drivers and services on the endpoint is attractive to enterprises. EPPs already have familiar consoles that collect telemetry, monitor client status, and generate reports. Unified management is highly attractive to enterprises.

The need for BDS is growing rapidly enough that EPP vendors not offering a BDS in a timely manner will miss their window of opportunity and likely become acquisition or merger candidates in the BDS space.

Pitfalls and Risks

The EPP market has a history of low customer loyalty.
Traditionally, the enterprise space has been slower to change solutions than smaller businesses, but NSS considers that EPP products with no BDS offering will endure a significantly higher loss of customers than will those with effective BDS, and they will suffer the same loss of sensors that the consumer offerings will experience.

When an EPP fails to detect malware, as is increasingly the case with TPAs, it is, by definition, the BDS that reports the breach. In a hypothetical situation, an enterprise deploys Acme brand EPP on the endpoints and network, but it also deploys a standalone BDS from a competing EPP vendor, Best. The Best brand EPP will appear to be a better solution since its BDS can detect and remediate intrusions that the Acme EPP fails to block. Given equivalent suitability for a specific environment, the probability of the enterprise switching to Best brand's EPP in addition to using its BDS is high. It is better for an EPP vendor to discover its own mistakes than for a competitor to discover them; Best brand will increase its appearance of effectiveness because its BDS component detected the intrusions that its EPP component missed.

In the case where a BDS with no EPP offering is catching the intrusions, the EPP solution will appear to be underperforming and runs a high risk of being replaced at the next refresh cycle. EPP products that do not have BDS offerings will no longer have relevance in many enterprise environments.

The Race Is On

EPP vendors already face competition from other EPP vendors within the BDS market. Any advantages in experience over BDS vendors that do not currently include remediation will be short lived. There are EPP vendors with BDS in the market; there are EPP vendors with BDS solutions that are well into development; and there are EPP vendors with plans to develop their own BDS. All other EPP vendors within the enterprise market can expect to suffer a significant loss of market share.
Reading List

Breach Detection Systems (BDS): Is this the Answer for Zero-Day Malware? NSS Labs
https://www.nsslabs.com/blog/breach-detection-systems-bds-answer-zero-day-malware

Breach Detection: Don't Fall Prey to Targeted Attacks. NSS Labs
https://www.nsslabs.com/reports/breach-detection-dont-fall-prey-targeted-attacks

2013 Corporate AV/EPP Comparative Analysis: Exploit Protection. NSS Labs
https://www.nsslabs.com/reports/2013-corporate-avepp-comparative-analysis-exploit-protection

Microsoft Takes Scammers to CAMP. NSS Labs
https://www.nsslabs.com/reports/microsoft-takes-scammers-camp

Correlation of Detection Failures. NSS Labs
https://www.nsslabs.com/reports/correlation-detection-failures

Modeling Exploit Evasions in Layered Security. NSS Labs
https://www.nsslabs.com/reports/modeling-evasions-layered-security

The Targeted Persistent Attack (TPA): The Misunderstood Security Threat Every Enterprise Faces. NSS Labs
https://www.nsslabs.com/reports/targeted-persistent-attack-tpa-misunderstood-security-threat-every-enterprise-faces
Contact Information

NSS Labs, Inc.
206 Wild Basin Rd
Building A, Suite 200
Austin, TX 78746 USA
+1 (512) 961-5300
info@nsslabs.com
www.nsslabs.com

This analyst brief was produced as part of NSS Labs' independent testing information services. Leading products were tested at no cost to the vendor, and NSS Labs received no vendor funding to produce this analysis brief.

2014 NSS Labs, Inc. All rights reserved. No part of this publication may be reproduced, photocopied, stored on a retrieval system, or transmitted without the express written consent of the authors.

Please note that access to or use of this report is conditioned on the following:

1. The information in this report is subject to change by NSS Labs without notice.
2. The information in this report is believed by NSS Labs to be accurate and reliable at the time of publication, but is not guaranteed. All use of and reliance on this report are at the reader's sole risk. NSS Labs is not liable or responsible for any damages, losses, or expenses arising from any error or omission in this report.
3. NO WARRANTIES, EXPRESS OR IMPLIED ARE GIVEN BY NSS LABS. ALL IMPLIED WARRANTIES, INCLUDING IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT ARE DISCLAIMED AND EXCLUDED BY NSS LABS. IN NO EVENT SHALL NSS LABS BE LIABLE FOR ANY CONSEQUENTIAL, INCIDENTAL OR INDIRECT DAMAGES, OR FOR ANY LOSS OF PROFIT, REVENUE, DATA, COMPUTER PROGRAMS, OR OTHER ASSETS, EVEN IF ADVISED OF THE POSSIBILITY THEREOF.
4. This report does not constitute an endorsement, recommendation, or guarantee of any of the products (hardware or software) tested or the hardware and software used in testing the products. The testing does not guarantee that there are no errors or defects in the products or that the products will meet the reader's expectations, requirements, needs, or specifications, or that they will operate without interruption.
5. This report does not imply any endorsement, sponsorship, affiliation, or verification by or with any organizations mentioned in this report.
6. All trademarks, service marks, and trade names used in this report are the trademarks, service marks, and trade names of their respective owners.