The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security



Today, more than 1.6 million new malware signatures are identified each month, and more organizations are falling prey to "zero-day" attacks - malware for which an anti-virus signature does not yet exist. It is no surprise that roughly half of the organizations surveyed in a 2010 Ponemon Institute study reported an increase in their IT operating expenses, with malware a main driver of that increase. Traditional anti-virus simply can't keep up in the malware arms race, and relying on it as your primary defense will prove costly.

In this webcast, Paul Henry, security and forensics expert, and Chris Merritt, Director of Solution Marketing with Lumension, will examine:

* The true cost of anti-virus in terms of PC performance, network bandwidth, IT helpdesk costs, prevention of malware and more
* Why application whitelisting is a better approach to defend against rising targeted attacks
* How application whitelisting has evolved to provide a new level of intelligence that delivers more effective security and necessary flexibility to improve productivity - in even rapidly changing endpoint environments

Published in: Technology
  • © Copyright 2008 - Lumension Security

1. The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security

2. Today's Speakers
   * Chris Merritt, Director of Solution Marketing, Lumension
   * Paul Henry, Security & Forensics Analyst (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP-ISSAP, CISM, CISA, CIFI, CCE), SANS Institute Instructor

3. Today's Agenda
   * Decreasing Effectiveness of Anti-Virus
   * Cost Impact of Ineffective Anti-Virus
   * In-Depth View of Application Whitelisting
   * Q&A

4. Decreasing Effectiveness of Anti-Virus

5. Malware By The Numbers in 2010
   * One third of all malware ever recorded was produced in 2010
   * One vendor found 60,000,000 malicious files out of 134,000,000 unique files submitted (~45%)
   * The average number of unique new malware instances / threats increased by 63,000 per day
   * 52% of new malware exists for only 24 hours
     * Gone before a signature is ever created?
   * An astounding 53% of computers with current AV signatures experienced a malware infection
6. Malware Detection Rates, Day 1
   [Chart] Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010). Average detection rate upon initial discovery = 19%

7. Malware Detection Rates, Day 30
   [Chart] Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010). Average detection rate after 30 days = 62%

8. AV - Nothing Innovative Here
   * "Current generation" AV is using heuristics and reputations to bolster signatures
     * Heuristics have been around for over a decade and have not worked
     * Reputation lasts only as long as the DHCP lease on the IP address
       * Change the address and get a new reputation
       * Better yet, just spoof an IP address with a good reputation
   * AV vendors are moving the signatures to the Cloud to solve the problem…
     * This doesn't solve anything. It simply moves the issue.
     * The age-old problem remains: you can't keep up with the bad guys…

9. Stuck in a Never-Ending Cycle
   1. Vulnerability discovered
   2. Hacker writes exploit
   3. Someone infected provides sample to AV company
   4. AV company creates signature and distributes to community
   5. Hacker changes a few bytes so signature no longer matches
   6. Go to step 3 and repeat
10. Anyway You Look At It – It's Ugly

11. Fake AV Is Overtaking Real AV
   * There are about 1,500 new / unique instances of Fake AV per day
     * AV detection of Fake AV is less than 20%
   * There are an estimated 500,000 unique Fake AV binaries on the Internet today
   * Fake AV companies are making more money than security vendors

12. Hard To Tell Fake AV From Real AV

13. Cost Impact of Ineffective Anti-Virus

14. Your Endpoint TCO Reality
   [Chart] Malware signatures vs. endpoint TCO: 2007: 250K monthly malware signatures identified; 2011: 2M monthly malware signatures identified. Current endpoint security effectiveness: increasing malware, costly point technologies, fractured visibility
15. True Cost of Malware
   * Acquisition Costs (20~40%)
     * Licensing (license cost, maintenance, support)
     * Installation (HW / SW, roll-out, other)
   * Operational Costs (60~80%)
     * System Management
     * Incident Management (help desk, escalation, re-imaging)
     * Lost Productivity
   * Extraordinary Costs
     * Data Breach

16. True Cost of Malware: Malware Cost Framework
   * Security Infrastructure
     * Cost variables: cost of AV license; hardware overhead costs; maintenance and upgrade costs; cost of endpoint security management staff
     * Cost information: 20 hrs/wk avg. time to manage endpoint security***; licensing represents 20% of the TCO for endpoint security software***; average cost of network infrastructure engineer / IT security escalation team = $82K
   * Malware Remediation
     * Cost variables: help desk costs related to malware; IT staff cost related to malware
     * Cost information: cost for an IT manager to be informed of / take action on a virus incident $500*; cost for one workstation to be stopped, scanned, and cleaned of virus $1,000*; cost for one workstation to detect and clean a virus infection $100*; average no. of attempts at cracking network by hacker is 2x / month*; average cost of security-related help desk call: $18.75***
   * Lost Productivity
     * Cost variables: network downtime; workstation unavailable
     * Cost information: median server downtime due to malware 21 hrs**; 15 min/user/wk in average lost downtime due to scanning***; average company has one incident affecting 10 users with downtime of 6 hours due to malware***
   * Data Loss
     * Cost variables: loss of sensitive data; cost of lost data records; cost of remediation; litigation / compliance fine risk; loss of customers
     * Cost information: average organizational cost of a data breach is $7.2M****; average cost of data record lost $214****; 20% loss of customers after a publicly disclosed data breach*****
   Sources: * Trend Micro; ** ICSA; *** Hobson & Company; **** Ponemon Institute; ***** Unsecured Economies Report
17. A Look at Application Whitelisting

18. A New Approach Is Needed
   * With traditional AV, reputations and heuristics did not work before, and no signs point to them magically working now
   * No one can dispute that whitelisting is a better approach in the current environment
     * You're already using a whitelist
     * What people argue about is how it is implemented
     * Automating whitelisting with a Trust Model is key
   * Today's Trust Models give a real edge to whitelisting
     * Now that is something new and innovative

20. How Application Control Security Works
   * Anti-Virus (Blacklist)
     * Based on malware signatures: 30 million and growing @ xxx / month
     * Examples: DLoader.AMHZW, Exploit_Gen.HOW, Hacktool.KDY, INF/AutoRun.HK, JS/BomOrkut.A, JS/Exploit.GX, JS/FakeCodec.B, JS/Iframe.BZ, JS/Redirector.AH, KillAV.MPK, LNK/CplLnk.K
     * Runs as a service; CPU usage: intensive
     * Reactive; ineffective on: zero day, polymorphic
   * Application Control (Whitelist)
     * Based on hashes of approved applications, as defined by IT Security
     * Examples: Word.exe, Excel.exe, Winnet.dll, Mozilla.exe
     * Runs in the kernel; CPU usage: low
     * Proactive; effective for: zero day, polymorphic
   (Figures shown on the slide without labels: 95%, 13%)

21. Impact of AV and Application Control
   * Unwanted software (iTunes, games, IM, etc.): AV blacklist - not supported; application control whitelist - only trusted, authorized applications are permitted
   * Updates: AV blacklist - weekly, daily, hourly; whitelist - automated by trust engine
   * Zero-day protection: AV blacklist - new malware is always one step ahead; whitelist - implicit
   * Operational performance: AV blacklist - file filter slows system down, huge pattern file comparison; whitelist - kernel based (=fast), no pattern comparison required
   * Scalability: AV blacklist - today (avg): 3,666,872 sigs. Tomorrow? Next year?; whitelist - average PC has 66 applications with ~25,000 executables
22. Don't Just Listen To Us – Listen To Them!
   * "Antivirus, firewalls and intrusion detection are a start… But 'whitelisting' offers a stronger defense. … McAfee believes 'that's where the future is going.'" -- George Kurtz, Worldwide CTO, McAfee
   * "Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration." -- Raimund Genes, CTO, Trend Micro Inc.
   * "[Signatures are] completely ineffective as the only layer [of endpoint security], but as one of the layers, [they're] effective." -- Nikolay Grebennikov, CTO, Kaspersky

23. Lumension® Intelligent Whitelisting™
   * Discover: snapshot endpoints to identify and catalog all executables currently running on individual endpoints
   * Define: define policies that automate trust decisions for endpoint applications
   * Enforce: adjust and transition endpoints to final lockdown policy
   * Clean: eliminate known malware from production endpoints
   * Manage: reporting and integrated systems management to update patches, configurations and deploy software
   * Monitor: log all execution attempts and introduced changes to assess policy completeness and impact to current IT environment
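The Discover / Define / Enforce / Monitor phases on the slide above, together with the "hash of approved application" idea from the Application Control slide, worked through as an added Python example. This is not Lumension product code: the directory layout, the byte strings standing in for executables, the `Policy` and `Monitor` types and the function names are all constructed for the demo. It shows why a content-hash allowlist is indifferent to the "change a few bytes" step of the signature cycle: a renamed copy of an approved binary is still allowed, while a one-byte variant of it and a never-seen binary are both denied in lockdown mode and merely logged in audit mode.

```python
"""Hash-based application allowlist in the Discover / Define / Enforce / Monitor
shape described on the slides. Added example, not Lumension product code: the
directory layout, file contents and function names are all constructed here."""
import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

EXEC_SUFFIXES = {".exe", ".dll"}  # assumed: what counts as an executable


@dataclass
class Policy:
    approved: dict          # sha256 hex digest -> name first seen with that hash
    mode: str = "lockdown"  # "audit" only logs unknown binaries; "lockdown" denies them


@dataclass
class Monitor:
    events: list = field(default_factory=list)

    def record(self, path, digest, decision, reason):
        self.events.append({"file": path.name, "sha256": digest[:16],
                            "decision": decision, "reason": reason})


def sha256_file(path: Path) -> str:
    """Content hash: the identity of an application is its bytes, not its filename."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def discover(root: Path) -> dict:
    """Discover: snapshot every executable under root into a hash catalog."""
    catalog = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.suffix.lower() in EXEC_SUFFIXES:
            catalog.setdefault(sha256_file(p), p.name)
    return catalog


def define(catalog: dict, mode: str = "lockdown") -> Policy:
    """Define: turn the snapshot into a trust policy (everything seen is approved)."""
    return Policy(approved=dict(catalog), mode=mode)


def enforce(path: Path, policy: Policy, monitor: Monitor) -> bool:
    """Enforce + Monitor: allow only hashes in the policy; log every attempt."""
    digest = sha256_file(path)
    known = policy.approved.get(digest)
    if known is not None:
        monitor.record(path, digest, "allow", f"hash matches approved '{known}'")
        return True
    if policy.mode == "audit":
        monitor.record(path, digest, "allow(audit)", "hash not in approved set")
        return True
    monitor.record(path, digest, "deny", "hash not in approved set")
    return False


def demo() -> dict:
    """Build a constructed endpoint, snapshot it, then try four execution attempts."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        word = root / "bin" / "word.exe"
        word.write_bytes(b"MZ" + b"WORD-sample-binary-" * 8)        # constructed
        (root / "bin" / "winnet.dll").write_bytes(b"MZ" + b"WINNET-sample-lib-" * 8)

        catalog = discover(root)
        lockdown = define(catalog)
        audit = define(catalog, mode="audit")
        mon = Monitor()

        dl = root / "downloads"
        dl.mkdir()
        # 1. an approved binary under a new name: same bytes, same hash
        (dl / "w0rd.exe").write_bytes(word.read_bytes())
        # 2. the approved binary with one byte changed (the "change a few bytes"
        #    step of the cycle slide): a signature may miss it, the hash does not
        variant = bytearray(word.read_bytes())
        variant[10] ^= 0xFF
        (dl / "word.exe").write_bytes(bytes(variant))
        # 3. a never-seen binary (the zero-day case): no signature needed to deny it
        (dl / "fakeav_setup.exe").write_bytes(b"MZ" + b"UNKNOWN-sample-" * 8)

        results = {
            "renamed_approved": enforce(dl / "w0rd.exe", lockdown, mon),
            "modified_approved": enforce(dl / "word.exe", lockdown, mon),
            "unknown_binary": enforce(dl / "fakeav_setup.exe", lockdown, mon),
            "unknown_in_audit_mode": enforce(dl / "fakeav_setup.exe", audit, mon),
        }
        results["catalog_size"] = len(catalog)
        results["last_decision"] = mon.events[-1]["decision"]
        results["events"] = mon.events
        return results


if __name__ == "__main__":
    for event in demo()["events"]:
        print(event)
```

The audit policy is built from the same catalog as the lockdown policy so the two differ only in what they do with an unknown hash; that is the "adjust and transition endpoints to final lockdown policy" step in miniature, with the monitor log showing what a lockdown rollout would have blocked.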
24. Defense-in-Depth Endpoint Security
   Threat categories (columns): Known Malware | Unknown Malware | Unwanted, Unlicensed, Unsupported Applications | Application Vulnerabilities | Configuration Vulnerabilities
   * AntiVirus: X X
   * Application Control: X X
   * Patch & Remediation: X X
   * Security Configuration Management: X

25. Intelligent Whitelisting Value Proposition
   [Chart] Malware signatures vs. malware-related costs; more effective endpoint security; ROI of Intelligent Whitelisting; 2011: Introducing Intelligent Whitelisting™

26. Next Steps
   * Overview of Lumension® Intelligent Whitelisting™
   * Application Scanner Tool
   * Whitepapers
     * Think Your Anti-Virus Software is Working? Think Again.
     * Intelligent Whitelisting: An Introduction to More Effective and Efficient Security

27. Global Headquarters
   8660 East Hartford Drive, Suite 300, Scottsdale, AZ 85255
   1.888.725.7828
   [email_address]