Closing the Antivirus Protection Gap A comparative study on effective endpoint protection strategies
WP-EN-05-07-12
May 2012
Introduction
Corporate economic concerns have put increased pressure on already limited IT resources in recent years, as the onslaught of malware and the sophistication of cyber attacks continue to grow at exponential rates. As a result, 50% of endpoint operating costs are directly attributable to malware,1 yet corporate IT budgets are still focused on maintaining standalone antivirus as the keystone of endpoint security.
In this paper, we benchmark the effectiveness of standalone AV plus an OS-resident patching solution against newer technologies and a defense-in-depth approach that layers multiple endpoint security and operational technologies together.
Methodology
Defining the Average Corporate Endpoint
In order to conduct comparative malware testing, a model of the “Average Corporate Endpoint” was defined. The Average Corporate Endpoint was chosen to be representative of a business-oriented end-user computer in terms of operating system, installed applications and “average” IT operational and security practices. A Microsoft® Windows 7 Enterprise (64-bit) machine, part of an Active Directory domain, was chosen as the best representative of an average enterprise desktop endpoint.
The Average Corporate Endpoint test (ACE) system was loaded with Microsoft Forefront Endpoint Protection 2010 to represent a typical third-party antivirus solution. Forefront was configured to provide maximum protection. This configuration is shown in Figure 1; archive (.zip, .cab) and removable media scanning were also enabled.
When trying to represent the ACE, it is also of value to consider the level of patching support in place, as most malware still seeks to exploit known vulnerabilities within existing applications or within the OS. It was assumed that the OS and all Microsoft applications would be fully patched with the current Patch Tuesday update available, as patch mechanisms (e.g. Windows Update, WSUS) are widely used to ensure timely patching.
1. Ponemon Institute, 2011 State of Endpoint Risk, December 2010
There are numerous studies indicating that patch lags exist, are problematic for smaller organizations2 or represent a significant and all too real exposure.3 Update mechanisms such as Windows Update or WSUS do not natively extend their support to 3rd party applications, which in reality represent a significant portion of the applications found on any desktop endpoint. For third party applications, patches were applied; however, it was assumed that these applications might suffer from patch lag. To represent the real world exposure of average corporate desktops, a maximum patch lag of 3 months was chosen.
The assumptions made about patching currency may indeed be optimistic, as there are numerous examples of exploits that utilized aged vulnerabilities for which a patch had long been available (e.g. Conficker).4 The Average Corporate Endpoint software is summarized in the tables below.
2. Derek E. Brink, “To Patch or Not to Patch (Not If, But How)” October 2011, Aberdeen Group
3. Derek E. Brink, “Is Your Vulnerability Management Program Leaving You at Risk (Most Likely, Yes)” June 2011, Aberdeen Group
4. http://en.wikipedia.org/wiki/Conficker
Figure 1: Forefront Configuration
Microsoft Application Software                  | Version at Time of Test
Microsoft Forefront Endpoint Protection 2010    | Up-to-date with current signatures
Microsoft Office 2007                           | Up-to-date
Microsoft Internet Explorer 9                   | Up-to-date
Table 1: Average Endpoint Software - Microsoft Applications
Application Software        | Version at Time of Test
Mozilla Firefox             | Patch lagged
Google Chrome               | Patch lagged
Adobe Flash Player          | Patch lagged
Adobe Acrobat Reader        | Patch lagged
Adobe Shockwave Player      | Patch lagged
Apple QuickTime             | Patch up-to-date (latest patch older than 3 months)
Java Runtime Environment    | Patch lagged
Real Network RealPlayer     | Patch up-to-date (latest patch older than 3 months)
Table 2: Average Endpoint Software - 3rd Party Applications
Intelligent Whitelisting and Timely Patch Management
To explore the malware prevention efficacies of technologies beyond standard antivirus and Microsoft patching, an additional test configuration was defined.
The well known exponential growth of novel malware5 represents a very real challenge for antivirus, which must continue to incorporate the ever increasing “known bad” (malware signatures). Heuristics, site blocking and increased rapidity of malware identification (often provided through cloud-based signatures and/or reputation) have been some of the techniques introduced by vendors to keep up with malware growth and decrease infection rates.
Alternatively, application whitelisting aims to allow only the “known good” applications. This trades the problem of tracking an explosive amount of malware for the more pragmatic management of a limited number of desired applications.
5. Frost and Sullivan, “Cybersecurity Market: Malware Historical Growth Patterns and Future Projections, Global, 2009-2015”
6. MRG (Malware Research Group) Effitas http://malwareresearchgroup.com/
The comparative system, known as the Lumension® Endpoint Management and Security Suite or L.E.M.S.S., incorporates application whitelisting through the Lumension® Intelligent Whitelisting Solution, which is an integrated solution across Lumension Antivirus, Lumension Application Control and Lumension Patch Management. This test system was configured utilizing the “Easy Lockdown” process, which takes an automated “snapshot” of an endpoint that is then used to create an application whitelist and begin enforcement of whitelist policies. With the addition of Lumension Patch Management, vulnerability coverage was then extended to the 3rd party applications resident on the ACE.
Microsoft Forefront is not present on the L.E.M.S.S. test system, nor is the Microsoft (WSUS) update agent utilized in this test configuration.
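The snapshot-then-enforce flow described above (and the “known good” principle introduced in the whitelisting paragraph earlier) can be modelled in a few dozen lines. The following is an added example written for this page; it is not Lumension code and does not describe how Easy Lockdown is implemented. It assumes a content-hash allowlist built from a baseline directory, a default-deny execution check, and an approve_update step that stands in for the integration with patch management (the paper does not describe that mechanism; treating the patch process as the trusted source of new allowlist entries is an assumption). All files are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def take_snapshot(root):
    """Walk `root` and record every file's hash: the 'known good' baseline.

    Maps hash -> relative path so enforcement is keyed on content, not on
    file name or location (a renamed or freshly dropped file gains nothing).
    """
    allowlist = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            allowlist[sha256_file(full)] = os.path.relpath(full, root)
    return allowlist


def is_execution_allowed(path, allowlist):
    """Default-deny decision: only content present in the snapshot may run."""
    return sha256_file(path) in allowlist


def approve_update(allowlist, path, root):
    """Extend the allowlist with a binary delivered by the patch process.

    Assumption (not described in the paper): the patch management step is
    trusted to vouch for the new version, which is how a locked-down
    endpoint can still be patched without manual re-approval.
    """
    allowlist[sha256_file(path)] = os.path.relpath(path, root)


def run_demo():
    """Exercise the lockdown flow on constructed files; returns allow/deny results."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        app = os.path.join(root, "app.exe")
        with open(app, "wb") as handle:          # constructed "good" binary, v1
            handle.write(b"MZ constructed good binary v1")

        allowlist = take_snapshot(root)          # Easy Lockdown: the snapshot becomes policy
        results["baseline"] = is_execution_allowed(app, allowlist)

        dropped = os.path.join(root, "update.exe")
        with open(dropped, "wb") as handle:      # constructed unknown file, not in the snapshot
            handle.write(b"MZ constructed unknown payload")
        results["dropped"] = is_execution_allowed(dropped, allowlist)

        with open(app, "wb") as handle:          # same path, modified contents
            handle.write(b"MZ constructed good binary v1 tampered")
        results["tampered"] = is_execution_allowed(app, allowlist)

        with open(app, "wb") as handle:          # constructed vendor patch, v2
            handle.write(b"MZ constructed good binary v2")
        approve_update(allowlist, app, root)     # patch management vouches for v2
        results["patched"] = is_execution_allowed(app, allowlist)
    return results


if __name__ == "__main__":
    for event, allowed in run_demo().items():
        print(f"{event:9s} -> {'allowed' if allowed else 'blocked'}")
```

The point of keying on hashes rather than paths is visible in the "tampered" case: a file that keeps its trusted name and location is still denied once its contents change, while the "patched" case shows why whitelisting is only workable when the update channel is integrated with the policy, which is the combination the paper tests.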
Real World Malware
It was decided that the most effective comparison would use real malware, found in the wild, in order to best represent the growing reality of zero day threats. To facilitate this effort, Lumension contracted with an independent malware research organization6 with expertise in malware attack vectors. Over a seven-day period, more than 2100 individual samples were collected in the wild and directed against each of the configured test systems. The malware test set included trojans, backdoors, PUAs, ransomware, viruses, rootkits and worms.
The Average Corporate Endpoint, utilizing only Microsoft Forefront Endpoint Protection 2010 and the Windows Update Agent, was found to be highly vulnerable, allowing the download and execution of 23% of the malware introduced each day. A minimum of 300 malware samples were tested each day against this configuration, and the number of daily misses is shown in Figure 2.
As antivirus signatures are updated frequently, the test methodology did allow time for the antivirus technology to utilize updated signatures. To measure this, any sample that executed previously (missed on the previous day) was retested on the current day. The number of samples caught on subsequent testing varied from 5 to 40 samples, with an average delay of just over 2 days for the signature to catch up with the malware. The cumulative number of missed samples remained significant at the conclusion of a week’s testing, with 19.2% of malware successfully executing on the Average Corporate Endpoint.
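The three figures quoted above (daily miss rate, signature catch-up delay, and cumulative misses) follow from the retest rule in the paragraph. The block below is an added example, not part of the paper or of the test organization’s tooling; it assumes a per-sample log recording the day a sample was first introduced and the day it was first blocked, and runs on a constructed 20-sample log rather than the real 2100-sample set. The “still executing at end of window” figure is one reading of the paper’s cumulative number; the block also reports the “ever executed” share so the two readings can be compared.

```python
from statistics import mean

# Constructed test log: (sample id, day introduced, day first blocked or None).
# A sample blocked on the day it was introduced counts as caught; one blocked
# on a later day was missed, then caught on retest once signatures caught up;
# None means it was still executing when the test window closed.
SAMPLES = [
    ("s01", 1, 1), ("s02", 1, 1), ("s03", 1, 3), ("s04", 1, None),
    ("s05", 2, 2), ("s06", 2, 2), ("s07", 2, 4), ("s08", 2, 2),
    ("s09", 3, 3), ("s10", 3, None), ("s11", 3, 3), ("s12", 3, 3),
    ("s13", 4, 4), ("s14", 4, 6), ("s15", 4, 4), ("s16", 4, 4),
    ("s17", 5, 5), ("s18", 5, 5), ("s19", 5, 5), ("s20", 5, None),
]


def validate(samples):
    """Reject logs where a sample is 'blocked' before it was ever introduced."""
    for sid, introduced, blocked in samples:
        if blocked is not None and blocked < introduced:
            raise ValueError(f"{sid}: blocked on day {blocked} before introduction on day {introduced}")


def daily_miss_rate(samples):
    """Per introduction day: (new samples missed, new samples tested, miss %)."""
    validate(samples)
    tested, missed = {}, {}
    for _sid, introduced, blocked in samples:
        tested[introduced] = tested.get(introduced, 0) + 1
        if blocked != introduced:
            missed[introduced] = missed.get(introduced, 0) + 1
    # Multiply before dividing so round fractions stay exact floats.
    return {day: (missed.get(day, 0), tested[day], 100 * missed.get(day, 0) / tested[day])
            for day in sorted(tested)}


def catchup_delays(samples):
    """Days between a miss and the retest on which the sample was finally blocked."""
    validate(samples)
    return [blocked - introduced for _sid, introduced, blocked in samples
            if blocked is not None and blocked > introduced]


def average_catchup_delay(samples):
    delays = catchup_delays(samples)
    return mean(delays) if delays else 0.0


def still_missed_pct(samples):
    """Share of all samples still executing when the test window closed."""
    validate(samples)
    return 100 * sum(1 for _s, _i, blocked in samples if blocked is None) / len(samples)


def ever_missed_pct(samples):
    """Share of all samples that executed at least once, even if later caught."""
    validate(samples)
    return 100 * sum(1 for _s, introduced, blocked in samples if blocked != introduced) / len(samples)


if __name__ == "__main__":
    for day, (missed, tested, pct) in daily_miss_rate(SAMPLES).items():
        print(f"day {day}: {missed}/{tested} new samples missed ({pct:.1f}%)")
    print(f"average signature catch-up delay: {average_catchup_delay(SAMPLES):.1f} days")
    print(f"still executing at end of window: {still_missed_pct(SAMPLES):.1f}%")
    print(f"executed at least once: {ever_missed_pct(SAMPLES):.1f}%")
```

When running this against a real log, the distinction between the last two metrics matters: a vendor catching up after two days still leaves a two-day window in which the sample ran, so the “ever executed” share is the one that maps to actual exposure.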
Figure 2: Daily Malware Samples Missed
The multi-faceted security approach of the L.E.M.S.S. test proved to be highly successful throughout the life of the test. The use of the Lumension Endpoint Management and Security Suite, which supplied Intelligent Whitelisting as well as Patch and Remediation, blocked all malware execution attempts. Though some recent analysis has suggested shortcomings of defense-in-depth strategies in the world of software,7 these findings support the traditional view that a layered security approach affords the best protection.8 The aggregate malware testing results are illustrated in Figure 3.
[Figure 2 chart: New Malware Samples Missed Per Day; x-axis: Test Day; y-axis: Number of Samples]
7. Prescott E. Small, “Defense in Depth: An Impractical Strategy for a Cyber World”, November 2011
8. Steve Ragan, “RSAC 2012: Malware growth and why layered security is still king”, March 2012, http://www.thetechherald.com/articles/RSAC-2012-Malware-growth-and-why-layered-security-is-still-king
Figure 3: Daily Malware Samples Missed
The overall malware blocking effectiveness is shown in Figure 4. This clearly illustrates the growing ineffectiveness of antivirus when used in a standalone manner vs. a more robust approach that utilizes more effective security technologies such as application whitelisting combined with other solutions such as robust patch management and antivirus.
[Figure 3 chart: Cumulative Malware Samples Missed; x-axis: Test Day; y-axis: Number of Samples]
Figure 4: Daily Malware Samples Missed
[Figure 4 chart: Cumulative Malware Blocking Effectiveness; x-axis: Test Day; y-axis: Blocking Percentage]
Potential TCO Benefits
Malware may have a dramatic detrimental impact on an organization, originating from loss of private customer data, corporate intellectual property and reputation. Quantifying the economic loss to the enterprise stemming from a significant breach of corporate defenses is difficult, as the repercussions of reputation damage are long-lasting.
Malware’s more mundane but not insignificant fiscal effects include the loss of employee productivity and increased help desk costs. Lumension has developed a True Cost of Malware Calculator9 to help organizations understand these all too real costs. The calculator allows for customization of a large number of parameters, which allows a realistic organization specific model to be developed. Figure 5 below shows the representative output modeling a 1000 endpoint enterprise.
Figure 5: TCO Calculator 1000 Endpoint Deployment
9. http://www.lumension.com/Resources/Value-Calculators/Cost-of-Malware-Calculator.aspx
The TCO benefit from simply reducing the number of malware incidents, and the endpoint reimaging needed to recover from severe malware infections, is significant. For example, a 1000 node enterprise where monthly malware incidents are reduced from 40 to 10 may realize an impressive reduction of over 31% in overall TCO.
[Figure 6 chart: x-axis: Deployment Year; y-axis: Total Cost of Ownership (USD)]
Figure 6: Enterprise TCO vs. Malware Prevalence
Conclusion
It is clear that the de facto security standard for malware prevention employed in the Average Corporate Endpoint, traditional antivirus coupled with native patching services, delivers significant risk along with increased cost of operations across an enterprise endpoint environment.
The Pareto Principle associates 80% of effects to 20% of causes. If this principle applies to malware prevention, then the 20% exposure to malware which exists with traditional antivirus may represent a corporate loss risk four times greater than that which is being protected. Certainly no security solution is perfect; however, even economically challenged IT operations may be better served by considering a defense-in-depth approach when it comes to securing their corporate endpoints.
[Figure 6 chart title: Comparative Total Cost of Ownership, 1000 Endpoint Enterprise]
About Lumension Security, Inc.
Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.
Lumension, “IT Secured. Success Optimized.”, and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.
Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.480.970.1025
fax: +1.480.970.6323
www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management