Why Anti-Virus Is Not Enough?
Why Migrate to Symantec Endpoint Protection (SEP) from Symantec Anti-Virus (SAV)?
Because the attackers (and malware threats) have evolved, and there are now far too many variants of them for traditional signature-based anti-virus products to keep up.
What happened in recent years to change the status quo of the preceding 18 years?
Since we have been using our PCs for increasingly personal things (banking, personal details and financial transactions), the objective of the attackers has changed to target our sensitive data, which is in turn worth money to the attackers on the black market. Consequently, the motivation of the attacker is now financial, and their efforts are profitable.
As always, while security vendors, IT administrators and end users adapt new measures to block security threats, attackers are constantly creating new and innovative ways to get through.
Simply put: they usually create something which targets a weakness in the system, the network, or even the end user, in order to capture either money directly (bank account details, intercepting a transaction) or something sensitive which can be sold for money later on (personal ID, credit card number, email/gaming account, etc.). A successful attack (or breach) is now worth money to the attacker, and with increasing success and increasingly significant revenue streams, attackers now have formidable resources and skills with which to undermine traditional/incumbent security defences (aka old-fashioned anti-virus programs).
This summarises the threat landscape over recent years. Industry estimates consistently measure the cost of ID theft and monetary loss in the billions of dollars – suggesting that the attackers have greater revenue streams than all of the IT security vendors put together! The point of this statistic is to understand that in order to be effectively protected in today’s threat landscape, we truly need to be using “smarter” security solutions designed for today’s real-world threats, instead of those we used some years ago which were effective at the time, but not as effective now.
Symantec Intelligence Report: September 2011 shows Social Engineering Attacks Soar as Polymorphic Malware Rate Peaks at 72% of Email Malware in September; Cyber Criminals Ambush Popular Blogging Platform to Push Pills.
The first and most obvious thing that the attackers began to do (and continue to do) is to set up automated systems which churn out literally thousands and thousands of different variants of old viruses. They know that most systems globally are only protected by outdated anti-virus technologies, and that it takes some minutes for an anti-virus vendor to generate, test and publish new virus definitions. Anti-virus programs rely on regular definition updates in order to detect new threats. A “brute force” component of today’s attack methodology is to automatically generate tens of thousands of variants of old or new viruses, at a rate which far outpaces the capacity of any anti-virus vendor to keep up. To quantify this: up to around 2005, several hundred new threats were identified each day, but at the end of 2009 some 15,000-25,000 new threats were identified every day, and this number keeps doubling every 6-12 months.
With specialised attack servers generating thousands of variants every minute, then disappearing from the internet within an hour or two, and with these threats designed to target different weaknesses on different systems and never use the same technique twice, it’s no surprise that simplistic anti-virus products are increasingly failing, causing costly down-time, cleanup efforts and data loss.
What can be done to combat this overwhelming onslaught of sophisticated attacks?
Additional layers of security are required right throughout the infrastructure, from the firewalls, internet and email gateways, all the way down to (and very much including) the PC endpoint itself.
Additional factors which add to the challenge are increasing amounts of mobility and devices converging to share or access information across the internet, outside of conventional company boundaries.
As a result, the threat landscape is constantly shifting. The ensuing changes have been evident over the last several months. Based on the data collected during this period, Symantec has observed that the current security threat landscape is predominantly characterised by the following:
- Malicious activity has become Web-based
- Attackers targeting end users instead of computers
- Underground economy consolidates and matures
- Rapid adaptability of attackers and attack activity
What has Symantec done to help customers remain confident in today’s threat landscape?
In 2007, Symantec introduced a fundamentally new breed of anti-virus product called Endpoint Protection. It still has the traditional anti-virus capabilities which are essential for “repairing” an infection on a PC, but it also has additional layers of protection, each of which is uniquely capable of blocking threats without relying on regular signature updates, while also working seamlessly and cleverly together:
- Client firewall
Provides deep inspection of the network traffic flowing both in and out of the machine (some client firewalls only provide inbound filtering and subsequently offer no capability to safeguard against data loss in the event of a breach). This technology allows administrators control over which websites or other computers are accessible from the machine, blocking traffic to/from non-approved applications which the user might try to run, and of course automatic detection of thousands of threats which “look” different to the anti-virus engine, but generate consistent network traffic patterns readily identifiable by the firewall.
- Application control
Critical risk minimisation! Provides controls over which programs are allowed to run in certain locations, and additionally provides snappy and effective control for IT administrators to prevent known/suspect applications from running on systems if a breach is suspected.
- Device control
More critical risk minimisation! An increasing number of threats and techniques used by attackers today leverage “what happens” when new devices are plugged into the PC. This goes far beyond just thumb drives, as we see iPhones, PDAs, large external hard disks, Bluetooth/internet dongles, etc. being used more each day. Device control can define which devices are permitted, and what those devices can or cannot do once connected. One very simple control here which instantly mitigates hundreds of threats is to disable AUTORUN capabilities when a new device is plugged in. Attackers frequently leverage this capability by automatically launching a subtle piece of code which might inspect the machine for a missing patch or control before launching an attack which is increasingly likely to bypass the anti-virus engine, and which, once installed, begins to harvest information or carry out some other function per the intent of the attacker. Simply put, today’s rampant device compatibility exponentially increases security risk, but this is easily mitigated with effective device control.
- Intrusion prevention
A significantly (and increasingly) effective defence against threats which the anti-virus engine doesn’t know about. By checking the behaviour of programs, what happens when a user performs a “typical” action, and importantly by integrating directly with the client firewall, thousands and thousands of threats can be blocked without needing to recognise any previously “identified” threat. Additionally, this technology also provides protection against critical vulnerabilities which haven’t yet been patched, providing genuinely effective defence against zero-day threats.
- Network access control
Again, more critical risk minimisation! By providing thorough inspection of a PC connecting to the network, IT administrators can enforce effective policies around “baseline security” before allowing a machine to connect to the network. This typically involves checking patch levels and security updates, but can extend to literally any file, folder, registry or even hardware inspection depending on the business or IT requirements of the organisation. This can even extend to unmanaged PCs, which is particularly effective for minimising the risk posed by contractor or visitor laptops connecting to the network.
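The following is an added illustration, not code from the original article or from Symantec, of the argument made above: a hash-based signature matches only the exact file it was written for, so automatically generated variants slip past it, whereas a rule keyed on behaviour the variants must preserve (here, the network beacon that the client firewall and intrusion prevention layers would see) keeps matching. The “sample” bytes, the beacon string and the mutation routine are all constructed for the demonstration and stand in for a real file; none of it is malware.

```python
import hashlib
import random
import re

# Constructed stand-in for a malicious file (not real code): a header, filler,
# and a hard-coded "check-in" request that every variant must keep in order to
# reach its server. The host name is a placeholder.
BEACON = b"POST /checkin HTTP/1.1\r\nHost: c2.example.invalid\r\n"
BASE_SAMPLE = b"MZ" + b"\x00" * 14 + b"PAYLOAD-v1:" + BEACON + b"\x90" * 32

# Behavioural rule: match the on-the-wire shape of the beacon, not the file bytes.
BEACON_PATTERN = re.compile(rb"POST /checkin HTTP/1\.1\r\nHost: [^\r\n]+\r\n")


def sha256(data: bytes) -> str:
    """Traditional file signature: a digest of the exact bytes."""
    return hashlib.sha256(data).hexdigest()


def make_variant(sample: bytes, seed: int) -> bytes:
    """Polymorphic-style mutation: insert random junk after the header.

    The functional part (the beacon) is untouched, so the variant behaves
    identically but has a different hash. Deterministic per seed.
    """
    rng = random.Random(seed)
    junk = bytes(rng.randrange(256) for _ in range(rng.randrange(1, 64)))
    return sample[:16] + junk + sample[16:]


def signature_detect(sample: bytes, known_hashes: set) -> bool:
    """Signature engine: flag only files whose digest is already known."""
    return sha256(sample) in known_hashes


def behaviour_detect(sample: bytes) -> bool:
    """Behaviour/network-pattern engine: flag anything carrying the beacon."""
    return BEACON_PATTERN.search(sample) is not None


def compare(n_variants: int = 1000) -> dict:
    """Generate n_variants mutations of BASE_SAMPLE and count detections.

    The signature set knows only the original sample, modelling a vendor that
    has not yet caught up with the variant stream.
    """
    known = {sha256(BASE_SAMPLE)}
    variants = [make_variant(BASE_SAMPLE, seed) for seed in range(n_variants)]
    return {
        "variants": n_variants,
        "signature_hits": sum(signature_detect(v, known) for v in variants),
        "behaviour_hits": sum(behaviour_detect(v) for v in variants),
    }


if __name__ == "__main__":
    print("original detected by signature:",
          signature_detect(BASE_SAMPLE, {sha256(BASE_SAMPLE)}))
    print(compare(1000))
    # A benign file with no beacon must not trip the behavioural rule.
    benign = b"MZ" + b"\x00" * 14 + b"hello world"
    print("benign flagged by behaviour rule:", behaviour_detect(benign))
```

Running `compare(1000)` shows the original sample caught by its signature, none of the thousand mutated variants caught by it, and all thousand caught by the beacon rule, while the benign file is not flagged. The point is not that one regular expression defends a network, but that a detection keyed on what the code must do survives mutation of how the code looks, which is why the article argues for firewall and intrusion-prevention layers alongside the signature engine.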
Any effective defence against today’s threats requires a multi-layered security posture using some or all of these technologies. So the logical question is: “how” to get all these capabilities to the endpoint.
One way is to “cobble together” additional agents over and above the incumbent anti-virus layer. However, this requires significantly more administrative overhead for deploying each of them, and managing each of them.
However, Symantec’s new Endpoint Protection provides all these capabilities in a single deployable agent with unmatched integration, granular management and simplicity in design, delivering these capabilities more simply and faster than any competitive solution.
Equally importantly, Symantec’s early adoption of these technologies (from as early as 2001) has allowed the company to refine them for almost a decade, where most competitors are only recently beginning to embrace the need for these capabilities, let alone integrate them into their endpoint solutions. Symantec’s Endpoint Protection delivers the industry’s highest level of protection without the annoying pop-ups and user alerts which plague almost every other equivalent solution.
In summary, relying on anti-virus technology alone has two flaws:
(1) The system is broadly exposed to all kinds of threats which continue to evolve as technology evolves, new devices emerge and converge, new access methods are used, etc.; and
(2) This strategy completely overlooks critical risk minimisation, exposing an outdated defence mechanism to an ever-increasing array of threat vectors for which it was never designed.
By delivering these capabilities in a single security agent, you get genuinely potent protection which quietly gets on with the job of proactively protecting endpoints against today’s increasingly complex and overwhelming threats: with the fastest deployment capabilities, the lowest management complexity, and importantly, the lowest TCO.
Podcast: Antivirus Is Not Enough