Assessing the Effectiveness of Antivirus Solutions

Assessing the Effectiveness
of Antivirus Solutions
Amichai Shulman, CTO

© 2013 Imperva, Inc. All rights reserved.

Agenda

 Modern Malware and Compromised Insider Threat
 Our Study
 Comparing Spend to Threat
 Summary and Conclusions

2 © 2012 Imperva, Inc. All rights rights reserved.
© 2013 Imperva, Inc. All reserved.

Amichai Shulman – CTO Imperva

 Speaker at industry events
+ RSA, Sybase Techwave, Info Security UK, Black Hat
 Lecturer on info security
+ Technion - Israel Institute of Technology
 Former security consultant to banks and financial services
firms
 Leads the Application Defense Center (ADC)
+ Discovered over 20 commercial application vulnerabilities
– Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman one of InfoWorld’s “Top 25 CTOs”

© 2012 Imperva, Inc. All rights rights reserved.

Modern Malware and Compromised Insiders

4 © 2013 Imperva, Inc. All rights reserved.

In Recent Events …

 Saudi Aramco
+ Malicious Insider
+ 30,000 computers hacked
+ Full service disruption

 Global Payments
+ Compromised Insider
+ 1.5M payment cards
compromised


Case Study


Some APT Statistics

Malware Type Total number Operating Discovered Undetected
of infections since duration
(estimated) [years]
Stuxnet 2009 Sabotage ? June 2009 ~June 2010 1
Stuxnet 2010 Sabotage >300K March-April June 2010 0.16
2010
Duqu Espionage ~50-60 April 2011 Oct 2011 0.5
Wiper Sabotage Tens April 2012
Flame Espionage ~5000-6000 Aug 2008 May 2012 ~4
Gauss Espionage ~2500 Aug – Sep June 2012 ~1
2011
Narilam Sabotage ? 2010 Nov 2012 3
GrooveMonitor Sabotage ~10 Dec 2012
Red October Espionage ~200 May 2007 Jan 2013 5.5


Compromised Insider Defined

Compromised Insider

A 3rd party who gains access and acquires
intellectual property and/or data in excess via
client infection. The client, often employees in
government, military or private industry, are
unknowing accomplices and have no
malicious motivation.


Malware: Compromised Insiders on the Rise

2012 Verizon Data Breach Report
• Malware is on the rise: “69% of all data breaches
incorporated Malware”… a 20% increase over 2011.
• Malicious insider incidents declining: “4% of data breaches
were conducted by implicated internal employees”… a 13%
decrease compared to 2011.

Director of National Intelligence
• “Almost half of all computers in the United States have
been compromised in some manner and ~60,000 new
pieces of malware are identified per day”.


Putting Things in Perspective

“Less than 1% of your
employees may be
malicious insiders, but
100% of your employees
have the potential to be
compromised insiders.”

Source: http://edocumentsciences.com/defend-against-compromised-insiders


Anatomy of a Modern Malware Attack


Where Do They Attack?

End-user Multimillion
devices and dollar
the user datacenter

Not well Both access Well
protected the same data protected


Distribution

 Phishing / Spear Phishing
 Drive-by-download
 Malvertizement
 BlackHat SEO


Distribution – The Unbearable Ease of Targeting


Industrialized Approach

Specialized Frameworks and Hacking tools such as BlackHole 2.0
and others, allow easy setup for Host Hijacking and Phishing.

How easy is it ?
For $700: 3 month license for BlackHole available online.
Includes support!


Modern Malware – Key Differentiators

 Modular Design
+ Almost any function can be replaced at any time
 Robust C&C and Collection Infrastructure
+ Relies on web communications
+ Server redundancy, fast flux DNS, bulletproof hosting, etc.
 Versatile Payloads
+ Data extrusion, backdoor and remote control, outbound
activities (attack, spam), destruction
 Sophisticated Infection Infrastructure
+ Drive-by-download & spam
+ Infection kits


The Study


The Study

“The antivirus industry
has a dirty little secret: its
products are often not
very good at stopping
viruses.”

- The New York Times
12/31/2012

Sources: New York Times: Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt,
http://www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-
effectively.html?pagewanted=all&_r=0


Assessing Antivirus Solutions

 Imperva found that less
than 5% of anti-virus
solutions in the study were
able to initially detect
previously non-cataloged
viruses.
 For certain vendors, it may
take up to four weeks to
detect a new virus from
the time of the initial scan.


Methodology

 Collect malware samples from the web
+ ~80 samples were collected
+ Samples are left untouched
 Test against multiple AV products over time
+ ~40 products
+ Test at 1 week intervals
 Analyze
+ Consider only “consensus” malware
+ Consensus = more than 50% of products at the end of the
testing period


Methodology - Collection

 Anonymous proxy traffic
+ Attackers upload and share malware
+ Took me 3 hours of repeating this exercise before hitting the
first ZeroAccess sample not detected by AV
 Google searches
+ Look for executable files with specific names
 (Softcore) Hacker forums



 Program for hacking ICQ
 Program for hacking e-
mail
 Program for hacking
Skype
 Program for hacking
accounts on Russian
social networks.

25 © 2012 Imperva, Inc.Inc. rights reserved.
© 2013 Imperva, All All rights reserved.

Methodology - Testing

 Using a public API exposed by VirusTotal.com
 “VirusTotal, a subsidiary of Google, is a free online
service that analyzes files and URLs enabling the
identification of viruses, worms, trojans and other
kinds of malicious content detected by antivirus
engines and website scanners.”*
 Record findings per product

*https://www.virustotal.com/about/


Detection Rates
26/06/2012 24/07/2012

Virus Name # % # %
CCFFacebookSetup-v1.45.exe_ 15 35.71429 17 41.46341
ccn.exe_ 15 35.71429 18 43.90244
CHAT.EXE_ 19 46.34146 22 57.89474
CoralExplorer_200401.exe_ 3 7.142857 3 7.317073
Crack-Neobot.exe_ 12 28.57143 13 31.70732
CRNI.zip_ 36 85.71429 36 87.80488
denied.shtml_ 5 12.19512 5 12.19512
directory.exe_ 32 76.19048 31 75.60976
erluofang.exe_ 25 59.52381 25 60.97561
extracticon.rar_ 21 50 18 43.90244
Facebook filter v0.01.exe_ 15 35.71429 12 29.26829
favicon.ico_ 36 87.80488 36 87.80488
FBWallFlooder_sean013.zip_ 3 7.142857 3 7.317073
flashplayer10.exe_ 26 61.90476 24 58.53659
Fraps v3.2.4 Registered.exe_ 21 51.21951 22 53.65854
G-Force1.5.exe_ 15 35.71429 18 43.90244
GoldenEye.exe_ 27 64.28571 28 68.29268
Google setup.exe_ 20 47.61905 20 48.78049
helpdesk.exe_ 10 24.39024 11 26.82927
INFO.RAR_ 35 83.33333 34 85

Internet Download Manager v6.05 Full.rar_ 32 76.19048 34 82.92683
javaupdate.exe_ 32 76.19048 31 75.60976
killer_cdj.exe_ 12 29.26829 14 34.14634
machine_sample.exe_ 30 71.42857 30 73.17073
mirc635ru.exe_ 16 38.09524 15 36.58537
mms.jar_ 29 69.04762 26 68.42105
ocx.rar_ 24 57.14286 23 56.09756
OPALA.rar_ 33 78.57143 34 82.92683
OpenTab-install.exe_ 19 45.2381 20 48.78049
ovh-professional-setup.exe_ 8 19.5122 9 21.95122
pdf_trk_invoice.zip.carefull_ 30 71.42857 31 75.60976
Police.exe_ 9 21.42857 10 24.39024
product.exe_ 27 64.28571 30 73.17073
q3j2xh7qtqmq.jpeg_ 31 73.80952 31 75.60976
qip8095.exe_ 21 50 24 58.53659
RECYCLER.RAR_ 34 80.95238 35 85.36585
reg.zip_ 13 30.95238 17 41.46341
sample_9275.exe_ 29 69.04762 28 70
sample_ebook_2006.exe_ 13 31.70732 12 30
scandsk.exe_ 22 52.38095 30 73.17073
setup.exe_ 29 69.04762 28 68.29268
setup1.exe_ 29 69.04762 30 73.17073


Number of Weeks Required to Identify Infected
File not Identified in First Run

4.5

4

3.5

3

2.5

2

1.5

1

0.5

0
Kaspersky Trend-Micro Symantec Avast McAfee


Viruses Detection between First and Last Run, by
Anti-Virus Vendor

70

60

50

40

30

20

10

0


Rate of Detection Over Time – Widespread Malware

0.9

0.8

0.7

0.6

0.5

0.4

0.3

0.2

0.1

0
07-Aug 09-Aug 11-Aug 13-Aug 15-Aug 17-Aug 19-Aug 21-Aug 23-Aug


Sample Drill Down

 Google_setup.exe


Sample Drill Down (cont.)

 Initial analysis by VirusTotal
+ February 9th, 2012
 Results by the end of testing period (August 2012)
+ 20/42
 Results by November 2012
+ 23/42


Security Spend vs. Threats


Security Spending by Market Share

2001 2011
1. Anti-virus 1. Anti-virus
2. Firewall/VPN 2. Firewall/VPN
3. Content Filtering 3. Secure Email/Web
4. IDS/IPS 4. IPS
% of
Security Solutions 2002 % of Spending 2012
Spending
Anti-virus $ 1.4B 59% $ 7.9B 33%
Firewall $ 389M 16% $ 6.7B 28%
Intrusion Detection
$ 161M 7% $ 1.5B 6%
System
Content Filtering $ 291M 12% $ 2.4B 10%
SIEM $ 70M 3% $ 1.2B 5%
Other $ 99M 4% $ 4.1B 17%
Total Spending $ 2.4B 100% $ 23.8B 100%

38 © 2012 Imperva, Inc.Inc. rights reserved.
© 2013 Imperva, All All rights reserved.

Security Spending is Disproportional

Threat Spend
100%
Over 95% of
80% the $27B
In 2011, spent on
60% 83% of data security
breached went to
40% was taken traditional
from web security
20% apps or products.
databases.
0%

Sources: Verizon Data Breach, 2011 and Gartner, Worldwide Spending on Security by Technology Segment, Country and
Region, 2010-2016


The Anti Virus Vendors view

Hackers Exploit 'Zero-Day' Bugs For 10 Months On
Average Before They're Exposed

http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-
average-before-theyre-fixed/

Recommendations


Typical Attack Timeline

Privilege
Escalation / Maintain
Reconnaissance
Lateral Movement Persistence
/ Data Exfiltration

Initial intrusion Install Various
into the network Utilities

Establish a
Obtain User
Backdoor into the
Credentials
network


Protect and Monitor the Cheese

 The Problem: Most organizations
chase the mice and don’t focus
enough on protecting the cheese.
 Much of security budgets spent on:
+ Malware detection
+ Virus prevention
 Front-line/end-user defenses must be
100% accurate, since if only 1 mouse
gets past them the cheese is gone.


Step 1: Know What Users Do With Data

 Classify Sensitive Information
+ Identifying the information within the corporate databases and
file servers allows understanding of risk and severity of data
access.
 Persistent Security Policy
+ A good security policy will allow you to put compensating
controls in place while not disrupting business needs and
maintaining security.
 User Rights
+ Map your user’s rights. Understand who has access to what and
why, are there dormant accounts ?
 Analyze, Alert and Audit on Activity
+ By keeping track over access and access patterns, it becomes
very easy to understand who accessed your data, what was
accessed and why.

Step #2: Look for Aberrant Behavior

 What: Weirdness probably
means trouble.
 How
+ Profile normal, acceptable
usage and access to sensitive
items by
– Volume
– Access speed
– Privilege level
+ Put in place monitoring or
“cameras in the vault.”


Example: Databases

 Checks the entry method. Legitimate individuals
should, typically, access data through a main door.
 Monitor the activity of the individuals. If
employees have been granted miscellaneous access
permissions, you should monitor what they are
doing. Malware from spear phishing typically causes
unusual behavior
 Monitor the activity of privileged users. Database
controls should track the activity of the privileged users
and monitor what are these privileged users accessing.


Conclusion: Rebalance the Portfolio


Webinar Materials

Join Imperva LinkedIn Group,
Imperva Data Security Direct, for…

Answers to
Post-Webinar
Attendee
Discussions
Questions

Webinar
Join Group
Recording Link


www.imperva.com

- CONFIDENTIAL -

Assessing the Effectiveness of Antivirus Solutions

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (10)

Andere mochten auch

Andere mochten auch (9)

Ähnlich wie Assessing the Effectiveness of Antivirus Solutions

Ähnlich wie Assessing the Effectiveness of Antivirus Solutions (20)

Mehr von Imperva

Mehr von Imperva (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

Assessing the Effectiveness of Antivirus Solutions