Transcription
Think Your Anti-Virus Software Is Working?Think Again.As attacks proliferate, anti-virus software can’t keep up.Fortunately, there’s a better way.We’ve been so bombarded by computer viruses, worms, Trojan horses and other malwarethat we’ve become acclimated to their presence. We subscribe to an anti-virus (AV)offering and hope for the best. Trouble is, AV hasn’t been keeping up. Studiesshow that even though most organizations use AV, more and more aresuccumbing to attacks. It’s time to shift from the status quo to a new,more effective endpoint security approach, called intelligentwhitelisting, which affords greater protection, productivity,and efficiency.March 2011WP-EN-03-11-11
Think Your Anti-Virus Software Is Working? Think Again.IntroductionWe’ve been so bombarded by computer viruses,worms, Trojan horses and other malware that we’vebecome acclimated to their presence. We accept thatthey’re always going to be a threat. So we subscribeto an anti-virus (AV) offering and hope for the best.Trouble is, AV hasn’t been keeping up. Studies showthat even though most organizations use AV, moreand more are succumbing to attacks. Even the leading anti-virus purveyors have admitted as much:“Looking at the sheer volume of infected systems in the world, one thing is resoundingly clear: basic security protection is not good enough.”Rowan Trollope Senior Vice President, Symantec»A View into the BlacklistingSecurity ModelIn this security model you’re at the whim of yourAV vendor’s ability to digest new malware from theworld at large, analyze it, write a new AV signatureand syndicate it down to you as a new definition file.From here you must ensure that every endpoint hasthe latest file. But what if there are machines thatare offline and not connected to the network? Howlong will it take to make sure the new definition file ison every machine? How much IT bandwidth will berequired to make this happen in a timely fashion andwhat’s the performance hit to the network and each»endpoint? A blacklist approach is no longer effectiveas a stand-alone defense against today’s threats.In particular, organizations are falling prey to “zeroday” attacks – viruses that haven’t yet been identi-tion control, or “whitelisting” – the opposite of AV’sfied by AV providers and therefore simply cannotblacklisting approach.be protected against.Application whitelisting is a mature, proven securiThe problem is fundamental to AV’s design. AV isty strategy, but it was never designed with the flex-built upon a “blacklisting” approach where the no-ibility to accept much change, such as constantlytion is to let all traffic in and then, hopefully identifyupdating applications, frequent patch updates,and remedy whatever your AV provider has beenetc. Traditionally, application whitelisting has beenable to define as being “bad”. It’s like leaving yourmore widely adopted for “locked down” systems forfront door wide open and allowing anyone to simplywhich change is minimally introduced - systemswander into your home, hoping you’ll recognize thesuch as point of sale terminals, e-commerce serv-criminals before they do any damage.ers, and ATM machines - that is, up until now.Clearly a more effective way would be to let in onlyToday, application whitelisting has evolved to be-the applications you’ve approved, and block ev-come more flexible and easier-to-use, while stillerything else. This is a process known as applica-maintaining its robust security enforcement. How-1
Think Your Anti-Virus Software Is Working? Think Again.ever, relying on any one solution to defend your endpoints will leave you exposed and vulnerable. That’s whymany organizations have implemented multiple layers of stand-alone, security technologies. But in doing so,organizations have created a much more complex and burdensome endpoint environment to manage with limitedvisibility, inefficient performance, increasing TCO, and a losing battle against increasing IT security threats.It’s time to shift from the status quo to a new, more effective endpoint security approach, called intelligentwhitelisting, which affords greater protection, productivity, and efficiency.Putting AV in Its PlaceFirst, let’s be clear: AV is a still a relevant technology within the endpoint security arsenal, and onethat should be used consistently across the enterprise to help manage fast-spreading and widelyknown malware.However, relying on AV as your primar y defense against malware locks you into an arms race thatyou will never be able to win. There are a number of reasons for this:1. The exponential growth in malware and the exploitation of application vulnerabilitiesAV vendors typically report finding millions of new pieces of malware every year – some as many as 60,000per day. What’s more, this malware is exploiting a rising volume of software application vulnerabilities. In2010, the vulnerability count exceeded 8,000, and users saw about four times more vulnerabilities in thirdparty software than in Microsoft applications1.2. The growingsophistication ofmalware.Number of Vulnerabilities11500The motivation for producing10000malware increasingly is tosteal data and make money.8500So the attacks are becomingmore targeted, and the mal-7000ware involved is getting harder to detect. For example,5500source: Secunia Yearly Report, 201040001.20052006Secunia Yearly Report, cmalwareandcanautomatically mutate in an at-2
Think Your Anti-Virus Software Is Working? Think Again.tempt to avoid detection by anti-virus technology.In short, AV is necessary but not sufficient. TodayIn addition, malware is maturing as an industrythere are simply too many attacks, vulnerabilitiesunto itself - the proliferation of malware exploitationand connections for AV to remain the safeguard itkits and malware as-a-service (MAAS) are effec-once was.tively automating the distribution of new malwareat unprecedented rates.3. The declining effectiveness of AV.»Just How Effective is AV?Consider the numbers. AV software detects onlyThe numbers are bleak. Here’s what the Computer19 percent of new attacks, according to cyber-in-Security Institute, which publishes an annual com-telligence firm Cyveillance. That number increasesputer security survey, found on AV usage and suc-to just 62 percent after 30 days. Overall, AV missescess rates over the past 10 years:10.2 percent of all malware, according to a recentstudy by AV-Test and PC World – or about 6,100 ofthe 60,000 new pieces of malware reported eachday. That’s roughly one breach every 14 seconds.Average No. of New MalwareDiscovered per Minute5041.74031.930YearOrganizationsOrganizations WithUsing AVMalware 97%67%Between 96 percent and 99 percent of organizationswere using AV. But their success against malware20.120didn’t match their usage rates. From 2001 to 2008,malware issues steadily improved. But in the past10two years that trend has reversed, and malware is-11.1sues have been increasing. Even in the best year,2008, fully one-half of organizations had problems with malware.02007200820092010Extrapolated from McAfee Labs, McAfee Threats-Report:Third Quarter 2010.»3
Think Your Anti-Virus Software Is Working? Think Again.Mounting Endpoint CostsAll that malware results in additional costs. Infact, 48 percent of organizations reported an increase in their IT operating expenses, according to a 2010 Ponemon Institute study commissioned by Lumension. Significantly, 50 percentsaid a main driver of that cost increase wasmalware. Such costs include:1. The cost for deploying, managing and updating AV software. All for software that isn’t doing aparticularly good job of protecting your endpoints.2.The performance hit against computerservers and networks for running AV thathas to monitor a growing amount of networktraffic and malware signatures. Some vendors are touting cloud-based AV solutions thatplace the malware signature database in thecloud. But whether the bandwidth crunch is atyour endpoints or in between you and the cloud,3. There’s also the cost for helpdesk calls andtime spent cleaning up and reimaging employeelaptops and other infected endpoints. And increasingly, those helpdesk calls involve more Tier 2 andTier 3 escalations.4. Then there’s the cost of lost data – from individual files to entire disk drives to entire databases.And increasingly sophisticated attacks target sensitive and proprietary data such as personal information and intellectual property.5. Finally is the cost of network downtime andthe resulting loss in productivity. IT loses productivity by having to address problems causedby malware rather than focusing on more strategicactivities. Your users lose productivity as they sitaround waiting for their laptops or desktops to bereimaged or for the network to come back up. Suchlosses can be difficult to measure but are clearlyvery real – and damaging to your bottom line.it’s a performance hit nonetheless.Malware SignaturesMalware Related CostsMalware as a BusinessExponential GrowthIncreasing SophisticationIneffectiveness of AVTraditional EndpointSecurity Effectiveness2007: 250K MonthlyMalware Signatures Identified2011: 1.8M MonthlyMalware Signatures IdentifiedAs malware increases, your cost of endpoint operations will undoubtedly continue to rise as well.4
Think Your Anti-Virus Software Is Working? Think Again.Application Whitelisting: A MoreEffective Defense»fense against malware. It prevents any unknown orEndpoint Security for a ZeroDay Realityunwanted software – including known and unknownWith traditional anti-virus (AV) software, you’remalware – from executing on your computers.defenseless against “zero-day” malware – thatWhitelisting is by its very nature a more effective de-is, malware that takes advantage of a recentlyThe mechanism whitelisting uses is fundamentallydiscovered vulnerability where no patch yetdifferent from that of AV. Instead of identifying theexists and is so new that no AV vendor has amillions of known pieces of malware and blockingsignature defined or deployed. With applicationthem, whitelisting allows only authorized programswhitelisting, however, you’re already better pro-and associated files to execute. No other programstected by default – without needing to wait for theare permitted to run, period.latest vulnerability patch or anti-virus definition.»Whitelisting establishes a policy that covers operating systems, business applications and user executables. It can also deflect attempts to changein today’s complex and dynamic computing envi-this approved configuration, such as attacks thatronment, constant change is a requirement. Usersburrow into existing files to evade AV scanners.both inside and outside your organization’s wallsuse a growing and changing array of applicationsBut while traditional whitelisting has historicallyeveryday to do their jobs and remain productive –been viewed as a strong and effective security tool,resulting in constantly evolving endpoint configura-it hasn’t been perceived as operationally efficienttions that are unique to each user.within a dynamic endpoint environment. That’s because at its foundation, application control is aboutSo how do you leverage the rock-solid security ofpreventing change from occurring. That’s fine forwhitelisting while enabling the flexibility you needstatic environments such as mission-critical serv-in today’s business environment? The answer liesers, which typically don’t require much change. Butin intelligent whitelisting.Continued »5
Think Your Anti-Virus Software Is Working? Think Again.Intelligent Whitelisting: ASmarter ApproachAnti-VirusApplying an intelligent approach to applicationwhitelisting makes it flexible enough to serve today’s dynamic endpoints. But application whitelisting is intelligent only if it’s seamlessly layered intoPatch Managementan overall endpoint security framework that includes a spectrum of other endpoint security andmanagement tools, including AV, patch manage-Application Controlment and other technologies.Lumension Intelligent Whitelisting effectivelycombines application whitelisting, AV, patch management and trust-based change management into aIntelligent Whitelistingsingle, unified solution that can defend against knownand unknown malware. Yet it also delivers organizational and operational flexibility and ease of use toGo here to learn more about how Lumension In-ensure that business productivity is not impacted– intelligent Whitelisting works.even the most dynamic endpoint environments.Lumension Intelligent Whitelisting integrates themost effective third party security tools and techniques that traditionally were siloed into one seamless, security platform suite. The result is more effective endpoint security, with the flexibility you needto ensure that organizational productivity is not impacted and to reduce your total cost of ownership.Continued »6
Think Your Anti-Virus Software Is Working? Think Again.»Is Your OrganizationBest-in-Class?A recent report on endpoint security by AberdeenGroup compared “best-in-class” and “laggard” organizations. It found that both best-in-class and laggards had deployed baseline security technologiessuch as anti-virus (AV). But the best-in-class organizations were far more likely to be early adoptersof best-in-class security technologies. Among thosebest-in-class technologies were application controlssuch as application whitelisting.The Benefits of IntelligentWhitelisting AccrueIntelligent whitelisting delivers numerous benefits:»» More Effective Endpoint Security:Intelligent Whitelisting delivers the mosteffective way to prevent unwanted andunauthorized applications and malware. And itcan prevent zero-day attacks without waitingfor an AV signature or vulnerability patch.Plus, Lumension Intelligent Whitelisting allowsOne benefit achieved by best-in-class organizations was a year-over-year reduction in costs. Theyachieved this by decreasing the number of endpointsecurity incidents, as well as the average time toidentify and address them:IT to better manage local admin users, byplacing limits on the kinds of software theycan install while also restricting access tolocal system consoles typically used to makesystem configuration changes.»» Reduced Endpoint Complexity and TCO:Key PerformanceYear-Over-YearIndicatorAdvantageBy integrating anti-virus, application controlNumber of endpoint security incidents13.5%and patch management within the LumensionTime to identify incidents3.2%Endpoint Management and Security Suite, ITTime to address incidents6.8%can reduce the overall complexity and cost ofTotal cost of addressing incidents9.3%managing the endpoint environment causedNumber of endpoint helpdesk calls9.3%by multiple, stand-alone security technologies.User disruption from endpoint downtime9.4%Lumension Intelligent Whitelisting helps IT to:Endpoint management costs10.9% Reduce costs for blocking malware,Staff dedicated to endpoint security4.5%remediating infections, managing endpointsIt’s interesting to note that the best-in-class saw a3.8 percent decrease, year-over-year, in the number of endpoint-security incidents. The laggards,meanwhile, had a 9.7 percent increase. Every year,»for support, management, security and compliance,and reinstallation, reimaging and recovery, best-inclass-organizations saved 24 per endpoint.and running your helpdesk. Deliver excellent performance comparedto AV. AV software has to process a list ofmillions of attack signatures. Applicationwhitelisting checks a much shorter list ofallowed executables and modifiable systemfiles, without impeding response times.7
Think Your Anti-Virus Software Is Working? Think Again.Likewise, it enables you to reduce “agentAn Intelligent Futurebloat” and complexity at the endpoint.The days of just installing AV and trusting that Manage endpoint security and operationalyou’re protected are long gone. There are too manyworkflows within one console as opposed tovulnerabilities in your organization’s applications.having to work across multiple applicationsToo many applications being downloaded onto yourand consoles. This provides IT with greaterdesktops and laptops. Too many new instances ofvisibility and control over endpoints whileviruses, worms, Trojan horses and other malware.reducing administrative burden and cost.And too much associated cost in lost time, resourc- Improve endpoint performance by reducinges and productivity due to malware.agent bloat and ensuring only trustedapplications are allowed to run. This, combinedToday, the best defense against malware is intel-with the diminished need for constant AV scansligent whitelisting, with a unified security approachensures that endpoint resources are optimizedusing a flexible, trusted change model to affordand not consumed unnecessarily.maximum risk mitigation and minimal administrative burden. Ultimately, intelligent whitelisting can»» Improved IT Operations and Productivity:dramatically reduce malware infection rates andLumension Intelligent Whitelisting simplifieslower the total cost of protecting endpoints, allIT administration, because it automaticallywhile improving employee and IT productivity.associates protected applications with trustedsources. There’s no need for constant humanBefore you think about simply renewing your AVintervention. And it simplifies the securitysubscription, you might want to stop and think again.of endpoints with one view as opposed toleveraging multiple point technologies. As a result, you can enable more productiveusers while achieving greater visibility and controlover your endpoint-security configuration. Lumension Intelligent Whitelisting also allowsemployees to do their jobs more effectively,because IT can establish application policiesfor users and roles affording greater flexibilityfor those that require more change anddevelop a more stringent policy for thosethat don’t need as much flexibility in order toperform their job responsibilities.8
Think Your Anti-Virus Software Is Working? Think Again.About Lumension Security, Inc.Lumension Security, Inc., a global leader in operational endpoint management and security, develops, integrates and markets security software solutions that help businesses protecttheir vital information and manage critical risk across networkand endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT successby delivering a proven and award-winning solution portfolio thatincludes Vulnerability Management, Endpoint Protection, DataProtection, and Compliance and Risk Management offerings.Lumension is known for providing world-class customer supportand services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, includingFlorida, Texas, Luxembourg, the United Kingdom, Germany, Ireland, Spain, France, Australia, and Singapore. Lumension: IT Secured. Success Optimized. More information can be found atwww.lumension.com.Lumension, Lumension Patch and Remediation, LumensionVulnerability Management Solution, “IT Secured. SuccessOptimized.”, and the Lumension logo are trademarks orregistered trademarks of Lumension Security, Inc. All othertrademarks are the property of their respective owners.Global Headquarters8660 East Hartford Drive, Suite 300Scottsdale, AZ 85255 USAphone: 1.888.725.7828fax: 1.480.970.6323www.lumension.comVulnerability Management Endpoint Protection Data Protection Compliance and IT Risk Management9
It's time to shift from the status quo to a new, more effective endpoint security approach, called intelligent whitelisting, which affords greater protection, productivity, and efficiency. . sioned by Lumension. Significantly, 50 percent said a main driver of that cost increase was malware. Such costs include: 1. The cost for deploying .
