is antivirus (av) dead or just missing in action
TRANSCRIPT
Is AV Dead Or Just Missing in Action?
Rajesh Nikam, Quick Heal Technologies Ltd.
December 2016
Agenda
1. Traditional AV vs Next-Gen Security Products
2. Busting Security Myths
3. VirusTotal & Next-Gen AVs
4. Comparison of Next-Gen Security Products
5. Conclusion
Is AV Dead?
Traditional AV vs Next-Gen Security Products
Traditional AV
• Signature based, blacklisting & reactive approach
• Latency between
  • samples reported, analysis and release of signature for detection
• Complex samples using detection evasion mechanisms
• Ineffective against exploits targeting vulnerabilities in
  • Adobe, Microsoft Office file formats
  • operating systems, web browsers
  • Java and other applications
• Fileless malware attacks
Threat landscape & Computer Security is ever evolving
Next-Gen Security Products
Big change in approach to how threats are detected
• Endpoints are acting as sensors
• No longer dependent on signature based approach
• Threat Intelligence – indicators of compromise, context aware
• Ideally no latency in getting protection to all users
• Products at perimeter of enterprises
  • scanning web traffic, email messages
Busting Security Myths
[Slide graphic: detection technologies: Threat Intelligence, Machine Learning, Sandbox, Behavior Based, Signature Based]
• Traditional AV is just signature based
• Machine Learning solves all problems
• Malware behavior does not change
• Sandbox cure for all Advanced Threats
• (Next-Gen) Threat Intelligence
Myth #1: Machine Learning solves all problems
• Building models based on training sets and anomalies
• Effectiveness depends on accurate feature engineering
  • needs strong domain expertise
• Needs tuning of models for changing threats
  • challenge in scaling models to a big number of samples
• False Positives vs False Negatives
• Efficacy against advanced threats
  • specific, targeted and unknown samples
• Garbage In, Garbage Out (GIGO)
• Best Next-Gen AVs with machine learning engines
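The "False Positives vs False Negatives" point above is an operational decision, not a model property: the same model blocks more or less depending on where the score threshold is set. The following is an added example, not code from the slides or from Quick Heal. It uses a constructed validation set of (model score, label) pairs standing in for a held-out sample set, and shows how moving the threshold trades one error rate for the other and how to pick the threshold that meets a false-positive budget.

```python
# Added example (not from the slides): picking a classifier threshold while
# weighing false positives against false negatives. All scores and labels
# below are constructed to stand in for a held-out validation set.

# (model score in [0, 1], is_malware). Scores at or above the chosen
# threshold are treated as "block"; everything else is allowed to run.
VALIDATION = [
    (0.05, False), (0.12, False), (0.20, False), (0.33, False), (0.41, False),
    (0.48, False), (0.55, False), (0.62, False), (0.71, False), (0.90, False),
    (0.35, True),  (0.58, True),  (0.66, True),  (0.74, True),  (0.81, True),
    (0.87, True),  (0.93, True),  (0.96, True),  (0.98, True),  (0.99, True),
]


def confusion(samples, threshold):
    """Count TP/FP/TN/FN when every score >= threshold is called malicious."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for score, is_malware in samples:
        flagged = score >= threshold
        if flagged:
            counts["tp" if is_malware else "fp"] += 1
        else:
            counts["fn" if is_malware else "tn"] += 1
    return counts


def rates(samples, threshold):
    """False-positive rate (clean files blocked) and false-negative rate
    (malware allowed to run) at the given threshold."""
    c = confusion(samples, threshold)
    fpr = c["fp"] / (c["fp"] + c["tn"])
    fnr = c["fn"] / (c["fn"] + c["tp"])
    return fpr, fnr


def pick_threshold(samples, max_fpr):
    """Lowest threshold (hence fewest misses) whose false-positive rate is
    still within the operator's tolerance; None if no threshold qualifies."""
    for t in sorted({score for score, _ in samples}):
        if rates(samples, t)[0] <= max_fpr:
            return t
    return None


def sweep(samples, thresholds=(0.3, 0.5, 0.7, 0.9)):
    """Table of (threshold, fpr, fnr): lowering one error rate raises the
    other, which is the trade-off the slide refers to."""
    return [(t, *rates(samples, t)) for t in thresholds]


if __name__ == "__main__":
    for t, fpr, fnr in sweep(VALIDATION):
        print(f"threshold {t:.2f}: FPR {fpr:.2f}  FNR {fnr:.2f}")
    print("threshold for FPR <= 10%:", pick_threshold(VALIDATION, 0.10))
```

On this constructed set a 10% false-positive budget forces the threshold up to 0.74, at which point three of the ten malware samples are missed; a zero-false-positive policy pushes it to 0.93 and misses six. The point is that the budget has to be chosen by the operator, and the model cannot remove the trade-off.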
Myth #2: Malware behavior does not change
• Execution on real systems or sandbox
  • to identify malicious behavior
• Behavior common with clean applications
  • execution from temp folder, autorun entries, self-delete, copy to multiple locations, launch browser etc.
  • need to minimize false positives with reputation and whitelisting
• Malware behavior is ever changing
  • e.g. evolution of ransomware
• Adware, PUAs are hard to detect with behavior
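The bullet on behaviors shared with clean applications is the reason behavior engines lean on reputation and whitelisting. Below is an added example, not code from the slides or from Quick Heal: a toy scorer that weighs exactly the behaviors the slide lists, then suppresses the verdict when the file carries a verified signature from a trusted publisher or a whitelisted hash. The reports, publisher names, hashes and weights are all constructed for illustration.

```python
# Added example (not from the slides or Quick Heal): a toy behaviour scorer
# that weighs actions clean software also performs, then uses reputation
# (a verified signature from a trusted publisher, or a whitelisted hash) to
# suppress the verdict so installers and updaters are not flagged. Every
# report, publisher name and hash here is constructed.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Each behaviour alone is weak evidence; the weights make several of them
# together cross the threshold.
BEHAVIOUR_WEIGHTS = {
    "exec_from_temp": 1,   # installers unpack and run from the temp folder
    "launch_browser": 1,   # "thank you" pages, but also adware
    "autorun_entry": 2,    # persistence, but also legitimate updaters
    "multi_copy": 2,       # copies itself to several locations
    "self_delete": 3,      # rarely legitimate outside installers/updaters
}
SUSPICIOUS_THRESHOLD = 4

# Constructed stand-ins for a vendor reputation / whitelist service.
TRUSTED_PUBLISHERS = {"Example Software Ltd"}
WHITELISTED_SHA256 = {"sha256:constructed-known-good-tool"}


@dataclass
class ProcessReport:
    name: str
    sha256: str
    behaviours: List[str]
    publisher: Optional[str] = None   # subject named in the code signature, if any
    signature_valid: bool = False     # did that signature actually verify?


def behaviour_score(report: ProcessReport) -> int:
    """Sum of weights for the behaviours observed (unknown ones score 0)."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in report.behaviours)


def has_good_reputation(report: ProcessReport) -> bool:
    """A publisher name alone proves nothing: the signature must verify."""
    if report.sha256 in WHITELISTED_SHA256:
        return True
    return report.signature_valid and report.publisher in TRUSTED_PUBLISHERS


def classify(report: ProcessReport) -> Tuple[str, int]:
    """Verdict plus the raw score, so an analyst can see what was suppressed."""
    score = behaviour_score(report)
    if has_good_reputation(report):
        return "trusted", score
    if score >= SUSPICIOUS_THRESHOLD:
        return "suspicious", score
    return "clean", score


# Constructed sample reports.
INSTALLER = ProcessReport("setup.exe", "sha256:aaaa",
                          ["exec_from_temp", "autorun_entry", "multi_copy"],
                          publisher="Example Software Ltd", signature_valid=True)
DROPPER = ProcessReport("svchost_.exe", "sha256:bbbb",
                        ["exec_from_temp", "autorun_entry", "self_delete"])
SPOOFED = ProcessReport("update.exe", "sha256:cccc",
                        ["exec_from_temp", "autorun_entry", "multi_copy"],
                        publisher="Example Software Ltd", signature_valid=False)
LAUNCHER = ProcessReport("readme.exe", "sha256:dddd", ["launch_browser"])

if __name__ == "__main__":
    for r in (INSTALLER, DROPPER, SPOOFED, LAUNCHER):
        print(r.name, classify(r))
```

The installer and the spoofed updater exhibit identical behavior and score the same; only the verified signature separates them, which is why reputation is checked on the signature result and not on the publisher string.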
Myth #3: Sandbox cure for all Advanced Threats
• Email, network sandboxing
• Sandbox analysis is performed based on
  • known malicious traffic – netblocks, domains, snort rules
  • static analysis – yara rules & analysis scripts
  • known malicious behavior – pattern matching
• Sandbox evasion techniques
  • detect presence of sandboxes
  • delay payload execution until user interaction
  • check for signs of a real system
• Ineffective against targeted malware
  • which runs only on specific system configurations
Myth #4: Traditional AV is just signature based
Not just signature based detections
• algorithmic & emulator based detections
• heuristic based detections
• machine learning based detections
• cloud based detections
Endpoint Protection Systems have
• behavior based detections
• anti-exploit detections
• firewall, IDS/IPS
• web security
AV certification methodologies have changed
Myth #5: (Next-Gen) Threat Intelligence
Legacy, signature-based intelligence feeds
Avoid the hype!
• indicators of compromise
  • domains, URLs, IPv4, IPv6, hashes
• block malicious scripts based on patterns
  • to prevalent exploit kits
• threat intelligence community
  • aggregation of threat intel subscriptions gives best results
  • hourly updates – still leaves a window for compromise
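Two of the bullets above, aggregating several subscriptions and the window left open between hourly updates, are easy to see in code. What follows is an added example, not code from the slides or from Quick Heal: it merges two constructed feeds into one indicator table (normalising case so duplicate indicators collapse), matches the table against constructed proxy log lines, and reports any feed whose last update is older than the one-hour window. Feed names, indicators, IP addresses, log lines and the fixed clock are all constructed.

```python
# Added example (not from the slides): merging several threat-intel feeds
# into one indicator table, matching it against proxy logs, and flagging
# feeds whose last update is older than the hourly window the slide warns
# about. Feeds, indicators, log lines and the clock are all constructed.
import re
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
NOW = datetime(2016, 12, 1, 12, 0, tzinfo=UTC)   # fixed clock for reproducibility

# Constructed feeds: name -> (last update, [(indicator_type, value), ...]).
FEEDS = {
    "feed-a": (datetime(2016, 12, 1, 11, 30, tzinfo=UTC), [
        ("domain", "Bad.Example"),                 # mixed case on purpose
        ("ipv4", "203.0.113.7"),
        ("md5", "0123456789ABCDEF0123456789ABCDEF"),
    ]),
    "feed-b": (datetime(2016, 12, 1, 9, 45, tzinfo=UTC), [
        ("domain", "bad.example"),                 # overlaps with feed-a
        ("url", "http://evil.example/kit/landing.php"),
    ]),
}


def normalize(kind, value):
    """Canonical form so the same indicator from two feeds collapses to one key."""
    value = value.strip()
    if kind in ("domain", "ipv4", "ipv6", "md5", "sha1", "sha256"):
        value = value.lower()
    return kind, value


def aggregate(feeds):
    """(kind, value) -> set of feed names that listed it."""
    table = {}
    for name, (_, indicators) in feeds.items():
        for kind, value in indicators:
            table.setdefault(normalize(kind, value), set()).add(name)
    return table


def stale_feeds(feeds, now=NOW, max_age=timedelta(hours=1)):
    """Feeds not refreshed within max_age: their window for compromise is open."""
    return sorted(name for name, (updated, _) in feeds.items() if now - updated > max_age)


LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def match_log(lines, table):
    """Return (client, matched indicator, feeds) for each IoC hit in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # unparseable line: skip, do not crash
        url = m["url"]
        host = url.split("://", 1)[-1].split("/", 1)[0].lower()
        host_kind = "ipv4" if IPV4_RE.fullmatch(host) else "domain"
        for key in ((host_kind, host), ("url", url)):
            if key in table:
                hits.append((m["src"], key, sorted(table[key])))
    return hits


# Constructed proxy log lines: timestamp, client, method, URL, status.
LOG_LINES = [
    "2016-12-01T11:05:00Z 10.0.0.5 GET http://bad.example/x 200",
    "2016-12-01T11:06:00Z 10.0.0.9 GET http://www.example.com/ 200",
    "2016-12-01T11:07:00Z 10.0.0.5 GET http://203.0.113.7/payload 404",
    "2016-12-01T11:08:00Z 10.0.0.12 GET http://evil.example/kit/landing.php 200",
    "malformed line",
]

if __name__ == "__main__":
    table = aggregate(FEEDS)
    for hit in match_log(LOG_LINES, table):
        print("IoC hit:", hit)
    print("stale feeds:", stale_feeds(FEEDS))
```

The hit on bad.example is attributed to both feeds because normalisation folded the two spellings together, while feed-b shows up as stale: anything it would have published after 09:45 is not in the table yet, which is the window the slide describes.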
VirusTotal & Next-Gen AVs
Maintaining a healthy community:“all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services.”
VirusTotal should not be used to generate comparative metrics between different antivirus products. Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment.
VirusTotal & Next-Gen AVs
NG-AV 1 - The Industry’s Best Machine Learning Next-Gen AV
NG-AV 2 - machine learning engine designed to identify previously unknown malware
MD5: feb93aaab2357f00c23b06b7a6cab4c9
Comparison of Next-Gen Security Products
Source: AV-Comparative - Malware Protection and False Alarm Test, Oct 2016
Source: MRG Effitas - Exploit Test, Oct 2016
Comparison of Next-Gen Security Products
AV-Comparatives first public comparative Next-Gen Security test report
• a number of vendors refused to participate
• some products only provide logging rather than protection
• protection features are deactivated by default
• may not be available as a trial version
• do not sell to testing labs
Endpoint Protection - Layered Security Approach
• Threat Intelligence
• Email Protection
• Web Security
• Firewall / IPS
• Anti-Virus / Anti-Malware
• Behavior Based Protection
• Anti-Exploit
• Patch Management
• Application Control
• Data Protection
Just Missing in Action?
Having the right expectations from anti-malware products
• ransomware & data protection
• mobile devices, IoTs
Malware-less attacks
• using legitimate remote administration applications
"ain't a horse that can't be rode, ain't a man that can't be throwed"
Defense against insider threats?
Walking cyber security threats
Theory of convenience
And world needs to pay high price!
Conclusion
• Security products have multiple detection mechanisms
• Threat-centric security technologies
• Approach to security needs to be constantly evolved
• No silver bullet to solve all cyber security issues
• Go beyond the Next-Gen hype!
Any Questions?
Thank You!
Call us at: 1800-121-7377
Write to us at: [email protected]
Visit us: www.quickheal.com