The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security
Download as PPT, PDF4 likes1,642 views
The document discusses the challenges and costs associated with traditional anti-virus software, highlighting its decreasing effectiveness against rapidly evolving malware. It emphasizes that application whitelisting presents a more effective security approach compared to conventional methods, and outlines the substantial costs related to malware infections and the inefficiencies of current anti-virus solutions. Furthermore, it advocates for intelligent whitelisting as a proactive measure to enhance endpoint security.
![Don’t Just Listen To Us – Listen To Them! Antivirus, firewalls and intrusion detection are a start… But "whitelisting" offers a stronger defense. … McAfee believes "that's where the future is going.” -- George Kurtz, Worldwide CTO, McAfee “ Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.” -- Raimund Genes, CTO, Trend Micro Inc. “ [Signatures are] completely ineffective as the only layer [of endpoint security], but as one of the layers, [they're] effective.” -- Nikolay Grebennikov, CTO, Kaspersky](https://image.slidesharecdn.com/truecostofantivirus-110408163726-phpapp02/85/The-True-Cost-of-Anti-Virus-How-to-Ensure-More-Effective-and-Efficient-Endpoint-Security-22-320.jpg)
![Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 [email_address]](https://image.slidesharecdn.com/truecostofantivirus-110408163726-phpapp02/85/The-True-Cost-of-Anti-Virus-How-to-Ensure-More-Effective-and-Efficient-Endpoint-Security-27-320.jpg)
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security
- 1. The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endpoint Security
- 2. Today’s Speakers Chris Merritt Director of Solution Marketing Lumension Paul Henry Security & Forensics Analyst MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP,-ISSAP, CISM, CISA, CIFI, CCE SANS Institute Instructor
- 3. Today’s Agenda Decreasing Effectiveness of Anti-Virus Cost Impact of Ineffective Anti-Virus In-Depth View of Application Whitelisting Q&A
- 4. Decreasing Effectiveness of Anti-Virus
- 5. Malware By The Numbers in 2010 1/3 of all malware ever recorded historically were produced One vendor found 60,000,000 malicious files out of 134,000,000 unique files submitted (~45%) The average number of unique new malware instances / threats increased by 63,000 per day 52% of new malware exists for only 24 hours Gone before a signature is ever created? An astounding 53% of computers with current AV signatures experienced a malware infection
- 6. Malware Detection Rates Day 1 Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010) AVERAGE detection rate upon initial discovery = 19%
- 7. Source: Cyveillance, Malware Detection Rates for Leading AV Solutions (August 2010) AVERAGE detection rate after 30 days = 62% Malware Detection Rates Day 30
- 8. AV - Nothing Innovative Here “ Current generation” AV is using Heuristics and Reputations to bolster signatures Heuristics have been around for over a decade and have not worked Reputation lasts only as long as the DHCP lease on the IP address Change the address and get a new reputation Better yet just spoof an IP address with a good reputation AV vendors are moving the signatures to the Cloud to solve the problem… This doesn’t solve anything. It simply moves the issue. The age old problem remains: you can’t keep up with the bad guys…..
- 9. Stuck in a Never-Ending Cycle Vulnerability discovered Hacker writes exploit Someone infected provides sample to AV company AV company creates signature and distributes to community Hacker changes a few bytes so signature no longer matches Go to step 3 and repeat
- 10. Anyway You Look At It – It’s Ugly
- 11. Fake AV Is Overtaking Real AV There are about 1,500 new / unique instances of Fake AV per day AV detection of Fake AV is less then 20% There are an estimated 500,000 unique Fake AV binaries on the Internet today http://www.techjaws.com/fake-antivirus-outpaces-real-antivirus/ Fake AV companies are making more money than security vendors http://www.infosecurity-us.com/view/16010/rsa-fake-av-companies-making-more-money-than-security-vendors/
- 12. Hard To Tell Fake AV From Real AV
- 13. Cost Impact of Ineffective Anti-Virus
- 14. Your Endpoint TCO Reality 2007: 250K Monthly Malware Signatures Identified 2011: 2M Monthly Malware Signatures Identified Malware Signatures Endpoint TCO Current Endpoint Security Effectiveness Increasing malware Costly point technologies Fractured visibility
- 15. True Cost of Malware Acquisition Costs Licensing (license cost, maintenance, support) Installation (HW / SW, roll-out, other) Operational Costs System Managemenet Incident Management (help desk, escalation, re-imaging) Lost Productivity Extraordinary Costs Data Breach Operational (60~80%) Acquistion (20~40%)
- 16. True Cost of Malware * Trend Micro ** ICSA *** Hobson & Company **** Ponemon Institute ***** Unsecured Economies Report Malware Cost Framework Malware Cost Variables Malware Cost Information Security Infrastructure Cost of AV license Hardware overhead costs Maintenance and upgrade costs Cost of endpoint security management staff 20 hrs/wk avg. time to manage endpoint security*** Licensing represents 20% of the TCO for endpoint security software*** Average cost of network infrastructure engineer / IT security escalation team = $82K Malware Remediation Help desk costs related to malware IT staff cost related to malware Cost for an IT manager to be informed of/take action/virus incident $500* Cost for one workstation to be stopped, scanned, and cleaned of virus $1000* Cost for one workstation to detect and clean a virus infection $100* Average no. attempts at cracking network by hacker is 2x month* Average cost of security related help desk call: $18.75*** Lost Productivity Network downtime Workstation unavailable Median server downtime due to malware 21 hrs** 15 min/user/wk in average lost downtime due to scanning*** Average company has one incident affecting 10 users with downtime of 6 hours due to malware*** Data Loss Loss of sensitive data Cost of lost data records Cost of remediation Litigation/compliance fine risk Loss customers Average organizational cost of a data breach is $7.2M**** Average cost of data record lost $214**** 20% loss of customer after a publicly disclosed data breach*****
- 17. A Look at Application Whitelisting
- 18. A New Approach Is Needed With traditional AV Reputations and Heuristics did not work before and no signs point to them magically working now No one can dispute that whitelisting is a better approach in the current environment You’re already using a whitelist What people argue about is how it is implemented Automating whitelisting with a Trust Model is key Today’s Trust Models give a real edge to Whitelisting Now that is something new and innovative
- 20. How Application Control Security Works Anti-Virus Blacklist Application Control Whitelist Malware Signatures 30 Million and growing @ xxx / Month DLoader.AMHZW \ Exploit_Gen.HOW \ Hacktool.KDY \ INF/AutoRun.HK \ JS/BomOrkut.A \ JS/Exploit.GX \ JS/FakeCodec.B \ JS/Iframe.BZ \ JS/Redirector.AH \ KillAV.MPK \ LNK/CplLnk.K Hash of Approved Application As defined by IT Security Word.exe \ Excel.exe \ Winnet.dll \ Mozilla.exe Run as a Service CPU Usage: Intensive Reactive Ineffective on: Zero Day, Polymorphic Run in the Kernel CPU Usage: Low Proactive Effective for: Zero day, Polymorphic 95% 13%
- 21. Impact of AV and Application Control Antivirus Blacklist Application Control Whitelist Unwanted Software (iTunes, Games, IM, etc.) Not supported Only trusted, authorized applications are permitted Updates Weekly, daily, hourly Automated by trust engine Zero Day Protection New malware is always one step ahead Implicit Operational Performance File filter slows system down Huge pattern file comparison Kernel based (=fast), no pattern comparison required Scalability Today (avg): 3,666,872 sigs. Tomorrow? Next Year? Average PC has 66 applications with ~25,000 executables
- 22. Don’t Just Listen To Us – Listen To Them! Antivirus, firewalls and intrusion detection are a start… But "whitelisting" offers a stronger defense. … McAfee believes "that's where the future is going.” -- George Kurtz, Worldwide CTO, McAfee “ Effective threat prevention today requires a more proactive combination of approaches that take various infection vectors into consideration.” -- Raimund Genes, CTO, Trend Micro Inc. “ [Signatures are] completely ineffective as the only layer [of endpoint security], but as one of the layers, [they're] effective.” -- Nikolay Grebennikov, CTO, Kaspersky
- 23. Lumension ® Intelligent Whitelisting™ Discover Snapshot endpoints to identify and catalog all executables currently running on individual endpoints Define Define policies that automate trust decisions for endpoint applications Enforce Adjust and transition endpoints to final lockdown policy Clean Eliminate known malware from production endpoints Manage Reporting and Integrated systems management to update patches, configurations and deploy software Monitor Log all execution attempts and introduced changes to assess policy completeness and impact to current IT environment
- 24. Defense-in-Depth Endpoint Security Known Malware Unknown Malware Unwanted, Unlicensed, Unsupported Applications Application Vulnerabilities Configuration Vulnerabilities AntiVirus X X Application Control X X Patch & Remediation X X Security Configuration Management X
- 25. Intelligent Whitelisting Value Proposition Malware Signatures Malware Related Costs More Effective Endpoint Security ROI of Intelligent Whitelisting 2011: Introducing Intelligent Whitelisting™
- 26. Next Steps Overview of Lumension ® Intelligent Whitelisting™ http://www.lumension.com/Resources/Demo-Center/Overview-Endpoint-Protection.aspx Application Scanner Tool http://www.lumension.com/Resources/Security-Tools/Application-Scanner-Tool-2-0.aspx Whitepapers Think Your Anti-Virus Software is Working? Think Again. http://www.lumension.com/Resources/WhitePapers/Think-Your-AntiVirus-Software-Is-Working-Think-Again.aspx Intelligent Whitelisting: An Introduction to More Effective and Efficient Security http://www.lumension.com/Resources/Whitepapers/Intelligent-Whitelisting-An-Introduction-to-More-Effective-and-Efficient-Endpoint-Security.aspx
- 27. Global Headquarters 8660 East Hartford Drive Suite 300 Scottsdale, AZ 85255 1.888.725.7828 [email_address]
Editor's Notes
- #4: © Copyright 2008 - Lumension Security