Page 1: Hitting the ‘Up-To-Date’ Bull’s eye
VB2009 – Steven Ginn

Page 2: Overview – Defining and tracking “Up-to-Date”

• Signature based anti-malware requires updates to stay ahead
• More and more updates are released every day
• Need to provide technology for users to identify their “up-to-date” status

Page 3: Signature Based Protection – Background

• Recognizes malware based on an identity
• Content is pattern matched against signatures
• New malware = new signatures needed

Page 4: The ‘Up-to-Date’ Bull’s eye – What is it?

• The point where a product has the latest and greatest definitions

Page 5: The ‘Up-To-Date’ Bull’s Eye – Why should we care?

• Staying current maximizes protection
• Important to know when to update

Page 6: Hitting a moving target?

• Malware is more and more pervasive
• Constantly being created
• Anti-malware vendors react with new updates to keep up
• Users need to constantly update to keep up

Page 7: Identifying Trends – OESIS Monitor

• Monitors anti-malware products and online material
• Records any update available
• Used to find the bull’s eye

Page 8: Trends and Observations

• Number of updates per day has increased
• Number of vendors and signature formats has increased
• Update frequency by day of the week varies

Page 9: Total Updates per year (chart)

Page 10: Number of Vendors identified (chart)

Page 11: Updates by Day of Week (chart)

Page 12: Average Number of Updates by day – For the average vendor (chart)

Page 13: Average Updates per day by year – For selected vendors (chart)

Page 14: Average Updates per day by year – For selected vendors (chart, continued)

Page 15: Caveats to Data – The “fine-print”

• Data for 2009 was scaled
• New vendors introduced mid-year
• New definition formats introduced mid-year

Page 16: Finding the Bull’s Eye – Communication tools

• Anti-malware vendors have tools to tell users whether or not they are up to date
• Each makes sense under different scenarios

Page 17: Blacklist date – “Use by tomorrow”

• Every update is stamped with an expiration
• Projected to last until the next target delivery
• Allows client software to make an educated guess about where the up-to-date mark will be next

Page 18: Blacklist date

Pros
• Easy to answer “Am I up to date?”

Cons
• Bad for critical outbreaks
• May expire prematurely
• Best educated guess

Page 19: Brute-Force Update – Throwing Blind

• Just go get the latest, always
• No need to care if up to date or not
• Best when you assume that you aren’t already up to date

Page 20: Brute-Force Update

Pros
• Never miss, if frequent enough

Cons
• Resource intensive
• May interrupt user’s workflow

Page 21: Push Mechanism – Always connected?

• Open a line between user and a central server
• When an update is available, push it to the end user

Page 22: Push Mechanism

Pros
• Minimizes outside communication
• Simpler to stay up to date

Cons
• Not good in heterogeneous environments
• Requires constant contact

Page 23: Third Party enforcement – OESIS Monitor

• Monitors update releases by vendors
• Provides a reference point of the latest definitions

Page 24: Third Party enforcement

Pros
• Supports heterogeneous deployments
• Reacts quickly
• Reference point updates are often smaller than signature updates
• Best of brute-force and push mechanisms

Cons
• May not catch everything
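An added model (my example, not from the slides) of the two status checks compared on pages 17 to 24: a client holding definitions with a vendor “use by” stamp, judged first by the blacklist date alone and then against a third-party reference point; the timeline, timestamps and vendor names are constructed, and the `Installed` type and function names are my own.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Installed:
    """Definitions present on the client: release time and the vendor's
    'use by' stamp (projected time of the next delivery)."""
    released: datetime
    use_by: datetime


def blacklist_date_check(inst: Installed, now: datetime) -> bool:
    """Client-side guess: current as long as the vendor's expiry has not passed.
    Needs no network, but knows nothing about out-of-cycle releases."""
    return now < inst.use_by


def reference_point_check(inst: Installed, reference: datetime) -> bool:
    """Compare against the latest release a third-party monitor has observed."""
    return inst.released >= reference


def compare(inst: Installed, now: datetime,
            latest_actual: datetime, reference: datetime) -> tuple:
    """Return (blacklist verdict, reference-point verdict, truly current)."""
    return (blacklist_date_check(inst, now),
            reference_point_check(inst, reference),
            inst.released >= latest_actual)


# Constructed sample timeline (not measured data): one release at T0
# stamped to last 24 hours.
T0 = datetime(2009, 9, 23, 8, 0)
INSTALLED = Installed(released=T0, use_by=T0 + timedelta(hours=24))

# Scenario A: out-of-cycle outbreak release 6h later, already seen by the monitor.
OUTBREAK = T0 + timedelta(hours=6)
SCENARIO_A = compare(INSTALLED, T0 + timedelta(hours=7), OUTBREAK, OUTBREAK)
# blacklist date still says "fine"; the reference point flags the client as stale

# Scenario B: expiry passed, vendor is late, nothing newer exists yet.
SCENARIO_B = compare(INSTALLED, T0 + timedelta(hours=26), T0, T0)
# blacklist date expired prematurely; the reference point is still correct

# Scenario C: a new release exists but the monitor has not recorded it yet.
NEW_RELEASE = T0 + timedelta(hours=30)
SCENARIO_C = compare(INSTALLED, T0 + timedelta(hours=31), NEW_RELEASE, T0)
# both checks can be wrong: the reference point "may not catch everything"
```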

Page 25: Cloud-Scanning – Get rid of the definitions

• Signatures live in the cloud
• Content is assessed by reputation and scanned when necessary on external sites

Page 26: Cloud-Scanning

Pros
• Improved detection
• Faster identification
• Fewer systems to update

Cons
• Must always be connected
• Security concerns with sending data out

Page 27: What next? – Continue the uphill battle, or go around?

• Signature based detection isn’t scaling
• What good is providing signatures if users can’t keep up with them?
• Try to improve alternatives to become proactive, not reactive

Page 28: Questions?