Assessing the Effectiveness of Antivirus Solutions

How well do antivirus solutions defend against newly created viruses? The answer may surprise you. This presentation evaluates the ability of antivirus solutions to react to newly created viruses, explores the window of opportunity that exists before antivirus solutions begin to detect new viruses, illustrates how targeted malware of limited distribution can elude detection for months or years, and explains how misguided compliance mandates create over-investment in antivirus solutions within security budgets.

Published in: Technology


Transcript

  • 1. Assessing the Effectiveness of Antivirus Solutions. Amichai Shulman, CTO. © 2013 Imperva, Inc. All rights reserved.
  • 2. Agenda
    - Modern Malware and the Compromised Insider Threat
    - Our Study
    - Comparing Spend to Threat
    - Summary and Conclusions
  • 3. Amichai Shulman, CTO, Imperva
    - Speaker at industry events
      + RSA, Sybase Techwave, Info Security UK, Black Hat
    - Lecturer on information security
      + Technion, Israel Institute of Technology
    - Former security consultant to banks and financial services firms
    - Leads the Application Defense Center (ADC)
      + Discovered over 20 commercial application vulnerabilities, credited by Oracle, MS-SQL, IBM and others
    - One of InfoWorld's "Top 25 CTOs"
  • 4. Modern Malware and Compromised Insiders
  • 5. In Recent Events ...
    - Saudi Aramco: malicious insider; 30,000 computers hacked; full service disruption
    - Global Payments: compromised insider; 1.5M payment cards compromised
  • 6. Case Study (image only)
  • 7. Some APT Statistics
    Malware       | Type      | Infections (estimated) | Operating since  | Discovered | Undetected duration [years]
    Stuxnet 2009  | Sabotage  | ?                      | June 2009        | ~June 2010 | 1
    Stuxnet 2010  | Sabotage  | >300K                  | March-April 2010 | June 2010  | 0.16
    Duqu          | Espionage | ~50-60                 | April 2011       | Oct 2011   | 0.5
    Wiper         | Sabotage  | Tens                   | -                | April 2012 | -
    Flame         | Espionage | ~5000-6000             | Aug 2008         | May 2012   | ~4
    Gauss         | Espionage | ~2500                  | Aug-Sep 2011     | June 2012  | ~1
    Narilam       | Sabotage  | ?                      | 2010             | Nov 2012   | 3
    GrooveMonitor | Sabotage  | ~10                    | -                | Dec 2012   | -
    Red October   | Espionage | ~200                   | May 2007         | Jan 2013   | 5.5
    (Blank cells were left empty on the slide.)
  • 8. Compromised Insider Defined
    Compromised Insider: a third party who gains access and acquires intellectual property and/or data in excess via client infection. The clients, often employees in government, military or private industry, are unknowing accomplices and have no malicious motivation.
  • 9. Malware: Compromised Insiders on the Rise
    - 2012 Verizon Data Breach Report
      + Malware is on the rise: "69% of all data breaches incorporated Malware", a 20% increase over 2011.
      + Malicious insider incidents declining: "4% of data breaches were conducted by implicated internal employees", a 13% decrease compared to 2011.
    - Director of National Intelligence
      + "Almost half of all computers in the United States have been compromised in some manner and ~60,000 new pieces of malware are identified per day."
  • 10. Putting Things in Perspective
    "Less than 1% of your employees may be malicious insiders, but 100% of your employees have the potential to be compromised insiders."
    Source: http://edocumentsciences.com/defend-against-compromised-insiders
  • 11. Anatomy of a Modern Malware Attack
  • 12. Where Do They Attack?
    - End-user devices and the user: not well protected
    - The multimillion-dollar datacenter: well protected
    - Both access the same data
  • 13. Distribution
    - Phishing / spear phishing
    - Drive-by download
    - Malvertisement
    - Black-hat SEO
  • 14. Distribution - The Unbearable Ease of Targeting (screenshot)
  • 15. Distribution - The Unbearable Ease of Targeting (screenshot)
  • 16. Industrialized Approach
    Specialized frameworks and hacking tools such as BlackHole 2.0 and others allow easy setup for host hijacking and phishing. How easy is it? For $700 a 3-month license for BlackHole is available online. Includes support!
  • 17. Modern Malware - Key Differentiators
    - Modular design
      + Almost any function can be replaced at any time
    - Robust C&C and collection infrastructure
      + Relies on web communications
      + Server redundancy, fast-flux DNS, bulletproof hosting, etc.
    - Versatile payloads
      + Data extrusion, backdoor and remote control, outbound activities (attack, spam), destruction
    - Sophisticated infection infrastructure
      + Drive-by download and spam
      + Infection kits
  • 18. The Study
  • 19. The Study
    "The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses." (The New York Times, 12/31/2012)
    Source: New York Times, "Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt", http://www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-effectively.html?pagewanted=all&_r=0
  • 20. Assessing Antivirus Solutions
    - Imperva found that less than 5% of the anti-virus solutions in the study were able to initially detect previously non-cataloged viruses.
    - For certain vendors, it may take up to four weeks to detect a new virus from the time of the initial scan.
  • 21. Methodology
    - Collect malware samples from the web
      + ~80 samples were collected
      + Samples are left untouched
    - Test against multiple AV products over time
      + ~40 products
      + Test at 1-week intervals
    - Analyze
      + Consider only "consensus" malware
      + Consensus = more than 50% of products flag the sample at the end of the testing period
  • 22. Methodology - Collection
    - Anonymous proxy traffic
      + Attackers upload and share malware
      + It took me 3 hours of repeating this exercise before hitting the first ZeroAccess sample not detected by AV
    - Google searches
      + Look for executable files with specific names
    - (Softcore) hacker forums
  • 23. Methodology - Collection (screenshot)
  • 24. Methodology - Collection (screenshot)
  • 25. Methodology - Collection (forum listings)
    - Program for hacking ICQ
    - Program for hacking e-mail
    - Program for hacking Skype
    - Program for hacking accounts on Russian social networks
  • 26. Methodology - Testing
    - Using the public API exposed by VirusTotal.com
    - "VirusTotal, a subsidiary of Google, is a free online service that analyzes files and URLs enabling the identification of viruses, worms, trojans and other kinds of malicious content detected by antivirus engines and website scanners." (https://www.virustotal.com/about/)
    - Record findings per product
  • 27. Methodology - Testing (screenshot)
  • 28. Methodology - Testing (screenshot)
  • 29. Methodology - Testing (screenshot)
  • 30. Methodology - Testing (screenshot)
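The analysis step behind slides 21 and 26, as an added example that is not Imperva's tooling: each weekly VirusTotal report for a sample is reduced to an engine-to-verdict map, the "consensus" rule (more than 50% of engines flag the file in the last run) filters the sample set, and per-engine lag is measured in weeks for files the engine missed in the first run. The engine names (AV-Alpha ... AV-Delta), the sample names and the scan results are constructed, and the report reducer assumes the VirusTotal v2 report layout (a "scans" map of engine to {"detected": bool}); the v3 API uses a different layout and is not handled here.

```python
"""Added example (not Imperva's code): the study's analysis step over constructed data.

Model: one weekly VirusTotal report per sample; each report is reduced to a map
engine -> verdict (True = flagged, False = clean, None = engine gave no verdict).
Engine names, sample names and scan results below are hypothetical.
"""
from typing import Dict, List, Optional

Run = Dict[str, Optional[bool]]          # engine -> verdict for one scan
CONSENSUS_THRESHOLD = 0.5                # "more than 50% of products at the end"


def run_from_vt_report(report: dict) -> Run:
    """Reduce a VirusTotal v2-style report ({"scans": {engine: {"detected": bool}}})
    to engine -> verdict. Engines without a "detected" key count as no verdict."""
    return {engine: info.get("detected") for engine, info in report.get("scans", {}).items()}


def detection_rate(run: Run) -> float:
    """Flagged / engines that returned a verdict. The denominator is the number of
    engines that answered for this scan, not a fixed engine count, which is why
    the study's percentages do not share one denominator across scans."""
    verdicts = [v for v in run.values() if v is not None]
    return sum(verdicts) / len(verdicts) if verdicts else 0.0


def is_consensus(runs: List[Run]) -> bool:
    """Study rule: keep only samples that more than half the engines flag in the last run."""
    return detection_rate(runs[-1]) > CONSENSUS_THRESHOLD


def weeks_to_detect(runs: List[Run], engine: str) -> Optional[int]:
    """Index of the first weekly run in which `engine` flagged the file (0 = first run),
    or None if it never did during the testing period."""
    for week, run in enumerate(runs):
        if run.get(engine):
            return week
    return None


def per_engine_lag(samples: Dict[str, List[Run]]) -> Dict[str, dict]:
    """For each engine, over consensus samples it missed in the first run: how many it
    missed, how many it caught later, and the mean weeks until it caught them.
    This is the quantity behind a "weeks required to identify" chart."""
    engines = sorted({e for runs in samples.values() for run in runs for e in run})
    out = {}
    for engine in engines:
        lags, missed = [], 0
        for runs in samples.values():
            if not is_consensus(runs) or runs[0].get(engine):
                continue                 # not malware by the study's rule, or caught at once
            missed += 1
            lag = weeks_to_detect(runs, engine)
            if lag is not None:
                lags.append(lag)
        out[engine] = {
            "missed_first_run": missed,
            "caught_later": len(lags),
            "mean_weeks_to_detect": sum(lags) / len(lags) if lags else None,
        }
    return out


def _run(alpha, beta, gamma, delta) -> Run:
    return {"AV-Alpha": alpha, "AV-Beta": beta, "AV-Gamma": gamma, "AV-Delta": delta}


# Constructed data: three samples, three weekly runs each (week 0, 1, 2).
SAMPLES: Dict[str, List[Run]] = {
    "dropper.exe_":   [_run(True, False, False, None),
                       _run(True, True, False, False),
                       _run(True, True, True, False)],    # 3/4 at the end: consensus
    "installer.exe_": [_run(False, False, False, False),
                       _run(True, False, False, False),
                       _run(True, False, False, False)],  # 1/4 at the end: dropped
    "invoice.zip_":   [_run(False, False, True, True),
                       _run(True, False, True, True),
                       _run(True, True, True, True)],     # 4/4 at the end: consensus
}

# A constructed v2-shaped report that reduces to the first run of dropper.exe_.
VT_REPORT_WEEK0 = {"scans": {"AV-Alpha": {"detected": True, "result": "Trojan.Generic"},
                             "AV-Beta": {"detected": False, "result": None},
                             "AV-Gamma": {"detected": False, "result": None},
                             "AV-Delta": {}}}              # no verdict returned

if __name__ == "__main__":
    for name, runs in SAMPLES.items():
        rates = [round(detection_rate(r), 2) for r in runs]
        print(name, rates, "consensus" if is_consensus(runs) else "dropped")
    for engine, stats in per_engine_lag(SAMPLES).items():
        print(engine, stats)
```

Two points the code makes explicit that the slides only imply: a sample that never reaches consensus (installer.exe_) is excluded before any vendor is scored, and an engine that returns no verdict in a run (AV-Delta in week 0) is treated as a miss for lag purposes but is left out of that run's detection-rate denominator.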
  • 31. Detection Rates
    Sample                                    | 26/06/2012 detected | 24/07/2012 detected
    CCFFacebookSetup-v1.45.exe_               | 15 (35.7%) | 17 (41.5%)
    ccn.exe_                                  | 15 (35.7%) | 18 (43.9%)
    CHAT.EXE_                                 | 19 (46.3%) | 22 (57.9%)
    CoralExplorer_200401.exe_                 | 3 (7.1%)   | 3 (7.3%)
    Crack-Neobot.exe_                         | 12 (28.6%) | 13 (31.7%)
    CRNI.zip_                                 | 36 (85.7%) | 36 (87.8%)
    denied.shtml_                             | 5 (12.2%)  | 5 (12.2%)
    directory.exe_                            | 32 (76.2%) | 31 (75.6%)
    erluofang.exe_                            | 25 (59.5%) | 25 (61.0%)
    extracticon.rar_                          | 21 (50.0%) | 18 (43.9%)
    Facebook filter v0.01.exe_                | 15 (35.7%) | 12 (29.3%)
    favicon.ico_                              | 36 (87.8%) | 36 (87.8%)
    FBWallFlooder_sean013.zip_                | 3 (7.1%)   | 3 (7.3%)
    flashplayer10.exe_                        | 26 (61.9%) | 24 (58.5%)
    Fraps v3.2.4 Registered.exe_              | 21 (51.2%) | 22 (53.7%)
    G-Force1.5.exe_                           | 15 (35.7%) | 18 (43.9%)
    GoldenEye.exe_                            | 27 (64.3%) | 28 (68.3%)
    Google setup.exe_                         | 20 (47.6%) | 20 (48.8%)
    helpdesk.exe_                             | 10 (24.4%) | 11 (26.8%)
    INFO.RAR_                                 | 35 (83.3%) | 34 (85.0%)
    Internet Download Manager v6.05 Full.rar_ | 32 (76.2%) | 34 (82.9%)
    javaupdate.exe_                           | 32 (76.2%) | 31 (75.6%)
    killer_cdj.exe_                           | 12 (29.3%) | 14 (34.1%)
    machine_sample.exe_                       | 30 (71.4%) | 30 (73.2%)
    mirc635ru.exe_                            | 16 (38.1%) | 15 (36.6%)
    mms.jar_                                  | 29 (69.0%) | 26 (68.4%)
    ocx.rar_                                  | 24 (57.1%) | 23 (56.1%)
    OPALA.rar_                                | 33 (78.6%) | 34 (82.9%)
    OpenTab-install.exe_                      | 19 (45.2%) | 20 (48.8%)
    ovh-professional-setup.exe_               | 8 (19.5%)  | 9 (22.0%)
    pdf_trk_invoice.zip.carefull_             | 30 (71.4%) | 31 (75.6%)
    Police.exe_                               | 9 (21.4%)  | 10 (24.4%)
    product.exe_                              | 27 (64.3%) | 30 (73.2%)
    q3j2xh7qtqmq.jpeg_                        | 31 (73.8%) | 31 (75.6%)
    qip8095.exe_                              | 21 (50.0%) | 24 (58.5%)
    RECYCLER.RAR_                             | 34 (81.0%) | 35 (85.4%)
    reg.zip_                                  | 13 (31.0%) | 17 (41.5%)
    sample_9275.exe_                          | 29 (69.0%) | 28 (70.0%)
    sample_ebook_2006.exe_                    | 13 (31.7%) | 12 (30.0%)
    scandsk.exe_                              | 22 (52.4%) | 30 (73.2%)
    setup.exe_                                | 29 (69.0%) | 28 (68.3%)
    setup1.exe_                               | 29 (69.0%) | 30 (73.2%)
    Each count is the number of VirusTotal engines that flagged the sample on that date; the percentage divides it by the number of engines that returned a verdict for that scan, which varies between scans (38 to 42 in this table), so the two columns do not share one denominator.
  • 32. Number of Weeks Required to Identify an Infected File Not Identified in the First Run
    [Bar chart per vendor: Kaspersky, Trend-Micro, Symantec, Avast, McAfee; y-axis 0 to 4.5 weeks. Bar values are not recoverable from the transcript.]
  • 33. Virus Detections between First and Last Run, by Anti-Virus Vendor
    [Bar chart; y-axis 0 to 70 detections. Vendor labels and values are not recoverable from the transcript.]
  • 34. Rate of Detection Over Time - Widespread Malware
    [Line chart; x-axis 07-Aug to 23-Aug (2012), y-axis detection rate 0 to 0.9. Values are not recoverable from the transcript.]
  • 35. Sample Drill Down
    - Google_setup.exe
  • 36. Sample Drill Down (cont.)
    - Initial analysis by VirusTotal
      + February 9th, 2012
    - Results by the end of the testing period (August 2012)
      + 20/42
    - Results by November 2012
      + 23/42
  • 37. Security Spend vs. Threats
  • 38. Security Spending by Market Share
    Top segments, 2001: 1. Anti-virus; 2. Firewall/VPN; 3. Content Filtering; 4. IDS/IPS
    Top segments, 2011: 1. Anti-virus; 2. Firewall/VPN; 3. Secure Email/Web; 4. IPS
    Security solution          | 2002 spending | % of spending | 2012 spending | % of spending
    Anti-virus                 | $1.4B  | 59%  | $7.9B  | 33%
    Firewall                   | $389M  | 16%  | $6.7B  | 28%
    Intrusion Detection System | $161M  | 7%   | $1.5B  | 6%
    Content Filtering          | $291M  | 12%  | $2.4B  | 10%
    SIEM                       | $70M   | 3%   | $1.2B  | 5%
    Other                      | $99M   | 4%   | $4.1B  | 17%
    Total spending             | $2.4B  | 100% | $23.8B | 100%
  • 39. Security Spending is Disproportional
    [Chart comparing threat and spend, 0% to 100%.]
    - Threat: in 2011, 83% of data breached was taken from web apps or databases.
    - Spend: over 95% of the $27B spent on security went to traditional security products.
    Sources: Verizon Data Breach report, 2011; Gartner, Worldwide Spending on Security by Technology Segment, Country and Region, 2010-2016
  • 40. The Anti-Virus Vendors' View
    "Hackers Exploit Zero-Day Bugs For 10 Months On Average Before They're Exposed"
    http://www.forbes.com/sites/andygreenberg/2012/10/16/hackers-exploit-software-bugs-for-10-months-on-average-before-theyre-fixed/
  • 41. Recommendations
  • 42. Typical Attack Timeline
    [Timeline diagram; stages as labelled on the slide:]
    - Reconnaissance
    - Initial intrusion into the network
    - Establish a backdoor into the network
    - Obtain user credentials
    - Install various utilities
    - Privilege escalation / lateral movement
    - Maintain persistence
    - Data exfiltration
  • 43. Protect and Monitor the Cheese
    - The problem: most organizations chase the mice and don't focus enough on protecting the cheese.
    - Much of the security budget is spent on:
      + Malware detection
      + Virus prevention
    - Front-line/end-user defenses must be 100% accurate, since if only one mouse gets past them the cheese is gone.
  • 44. Step 1: Know What Users Do With Data
    - Classify sensitive information
      + Identifying the information within the corporate databases and file servers allows you to understand the risk and severity of data access.
    - Persistent security policy
      + A good security policy lets you put compensating controls in place without disrupting business needs, while maintaining security.
    - User rights
      + Map your users' rights. Understand who has access to what and why. Are there dormant accounts?
    - Analyze, alert and audit on activity
      + By keeping track of access and access patterns, it becomes easy to understand who accessed your data, what was accessed and why.
  • 45. Step 2: Look for Aberrant Behavior
    - What: weirdness probably means trouble.
    - How
      + Profile normal, acceptable usage and access to sensitive items by volume, access speed and privilege level.
      + Put monitoring in place: "cameras in the vault."
  • 46. Example: Databases
    - Check the entry method. Legitimate individuals should, typically, access data through a main door.
    - Monitor the activity of the individuals. If employees have been granted miscellaneous access permissions, you should monitor what they are doing. Malware from spear phishing typically causes unusual behavior.
    - Monitor the activity of privileged users. Database controls should track the activity of privileged users and monitor what those privileged users are accessing.
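Steps 1 and 2 and the database example above, carried through in code as an added example that is not Imperva's product logic: a per-user baseline is built from a constructed audit log (entry method, row volume, peak query rate), and new activity is checked against it for the four deviations the slides name: an entry method other than the application's "main door", a query burst, an abnormal row volume, and a privileged account reading a sensitive table. The audit-line format, users, hosts, programs, tables, the sensitive-table classification and the thresholds are all hypothetical.

```python
"""Added example (not Imperva's product logic): profile "normal" database access per
user from a constructed audit log, then flag the deviations the slides describe:
an unexpected entry method (not the application's "main door"), a query burst
(access speed), an abnormal row volume, and a privileged account reading a
sensitive table. Users, hosts, programs, tables and thresholds are hypothetical.
"""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

SENSITIVE_TABLES = {"customers", "cards"}   # hypothetical classification result (Step 1)
PRIVILEGED_USERS = {"dba_admin"}            # hypothetical rights-mapping result (Step 1)

Record = Dict[str, object]
Alert = Tuple[str, str, str]                # (user, rule, detail)


def parse_log(text: str) -> List[Record]:
    """Parse constructed 'key=value' audit lines, one record per line."""
    records = []
    for line in text.strip().splitlines():
        rec = dict(kv.split("=", 1) for kv in line.split())
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rec["rows"] = int(rec["rows"])
        records.append(rec)
    return records


def peak_queries_per_minute(recs: List[Record]) -> int:
    """Highest number of queries one user issued within a single clock minute."""
    buckets = Counter(r["ts"].replace(second=0, microsecond=0) for r in recs)
    return max(buckets.values()) if buckets else 0


def build_profile(records: List[Record]) -> Dict[str, dict]:
    """Per-user baseline: entry methods seen, row-count mean/stdev, peak query rate."""
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    profile = {}
    for user, recs in by_user.items():
        rows = [r["rows"] for r in recs]
        profile[user] = {
            "entry": {(r["prog"], r["host"]) for r in recs},
            "rows_mean": mean(rows),
            "rows_sd": pstdev(rows),
            "peak_qpm": peak_queries_per_minute(recs),
        }
    return profile


def detect(records: List[Record], profile: Dict[str, dict],
           sigma: float = 3.0, burst_factor: int = 5) -> List[Alert]:
    """Compare new activity against the baseline; one alert per (user, rule, detail)."""
    alerts = set()
    by_user = defaultdict(list)
    for r in records:
        by_user[r["user"]].append(r)
    for user, recs in by_user.items():
        p = profile.get(user)
        if p is None:
            alerts.add((user, "unknown_user", "no baseline"))
            continue
        # Row-volume threshold; the floor of 1.0 on the stdev keeps a flat baseline
        # from alerting on every one-row difference.
        volume_limit = p["rows_mean"] + sigma * max(p["rows_sd"], 1.0)
        for r in recs:
            if (r["prog"], r["host"]) not in p["entry"]:
                alerts.add((user, "unexpected_entry", f"{r['prog']}@{r['host']}"))
            if r["rows"] > volume_limit:
                alerts.add((user, "volume", f"{r['table']}:{r['rows']}"))
            if user in PRIVILEGED_USERS and r["table"] in SENSITIVE_TABLES:
                alerts.add((user, "privileged_sensitive_access", r["table"]))
        peak = peak_queries_per_minute(recs)
        if peak > burst_factor * max(p["peak_qpm"], 1):
            alerts.add((user, "burst", f"{peak}/min"))
    return sorted(alerts)


# Constructed baseline: alice works through the web application, the DBA runs migrations.
BASELINE_LOG = """
ts=2013-02-04T09:00:10 user=alice prog=webapp host=10.0.1.10 table=customers rows=2
ts=2013-02-04T09:00:42 user=alice prog=webapp host=10.0.1.10 table=customers rows=1
ts=2013-02-04T09:01:15 user=alice prog=webapp host=10.0.1.10 table=orders rows=3
ts=2013-02-04T09:02:03 user=alice prog=webapp host=10.0.1.10 table=customers rows=2
ts=2013-02-04T09:02:50 user=alice prog=webapp host=10.0.1.10 table=customers rows=2
ts=2013-02-04T09:03:30 user=alice prog=webapp host=10.0.1.10 table=orders rows=1
ts=2013-02-04T10:15:00 user=dba_admin prog=sqlcli host=10.0.2.5 table=schema_migrations rows=12
ts=2013-02-04T10:16:00 user=dba_admin prog=sqlcli host=10.0.2.5 table=schema_migrations rows=12
"""

# Constructed incident: alice's credentials used at night from a direct SQL client on
# another host, twelve queries in one minute, the last one dumping the customers table;
# then the DBA account reads card data.
DETECTION_LOG = "\n".join(
    f"ts=2013-02-05T02:14:{sec:02d} user=alice prog=sqlcli host=10.0.5.77 table=customers rows={rows}"
    for sec, rows in zip(range(0, 60, 5), [3] * 11 + [50000])
) + "\nts=2013-02-05T02:20:00 user=dba_admin prog=sqlcli host=10.0.2.5 table=cards rows=10\n"

if __name__ == "__main__":
    baseline = build_profile(parse_log(BASELINE_LOG))
    for alert in detect(parse_log(DETECTION_LOG), baseline):
        print(*alert)
```

The entry-method rule is the "main door" check: alice's baseline only ever shows the web application host, so a direct SQL client from another address is flagged on its own, before the volume or rate rules fire. Running the baseline log against its own profile produces no alerts, which is the sanity check to keep when tuning sigma and burst_factor on real data.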
  • 47. Conclusion: Rebalance the Portfolio
  • 48. Webinar Materials
    Join the Imperva LinkedIn group, Imperva Data Security Direct, for:
    - Answers to attendee questions
    - Post-webinar discussions
    - Webinar recording link
  • 49. www.imperva.com - CONFIDENTIAL -
