Monday, May 19, 2008

The Future of Desktop Security - Part 1 - The Demise of Anti-Virus

In this four-part series, I would like to present the various technologies that make up desktop security. Arguably, desktop security has become synonymous with anti-virus technologies, with perhaps a little desktop administration and user rights management thrown in.

However, in this article, I would like to present some new emerging trends in desktop security and show why traditional signature-based anti-virus technologies are on the wane. I would also like to show why the convergence of traditional signature-based anti-virus with the newly emerging trends in proactive security such as HIPS, firewalls etc. is key. This is an area where large anti-virus companies such as Symantec, McAfee etc. battle with alternative technology providers such as Prevx, Bit9, DriveSentry etc. to offer one unified product.

Moving towards the enterprise side, I see policy-based desktop management as an extension of IT security management. In the coming days, the battle for domination in desktop management by products such as Novell ZENworks and Microsoft SMS will heat up further as newly emerging upstarts such as DriveSentry, Bit9 etc. stretch their wares towards IT configuration, asset management and forensics.

In the first part of this series, I would like to argue that traditional anti-virus technologies (i.e. signature-based virus detection and removal) are passé. Given the near 100% market penetration that traditional anti-virus companies like McAfee, Symantec etc. enjoy, the death of traditional anti-virus technologies might sound preposterous and untimely. However, I would like to present the various factors that have contributed to the ineffectiveness of traditional signature-based scanning.


Defining the Traditional Anti-Virus Technologies.

Traditionally, anti-virus solutions have two major components: a) a virus scanning and detection part and b) an antigen which nullifies or quarantines the virus and recovers the infected files. Detection is based on signatures that are unique to each virus. Thus, when a new virus surfaces, the anti-virus companies deduce its signature, propagate that signature via updates and then have the cleaning engine remove the virus from each infected computer.

In most cases the cleaning routine is generic enough to be built into the anti-virus engine. However, in some cases the antigen has to be completely recoded and then transmitted to each of the infected hosts. Thus, there is an inherent delay between the time a virus emerges and the time an antigen is developed. Viruses that take advantage of such a delay are called zero-day viruses.

The Anti-Virus technology is dead. Long Live the Anti-Virus Technology!!
Factor 1- Increasing Sophistication of Viruses
It is a well known fact that in the current race between viruses and anti-viruses, the viruses always have the edge. In the 25 or so years since the first virus appeared, the growth in the sophistication of viruses has been simply tremendous. From simple beginnings, today's viruses have shown the adaptability well known in their biological cousins. Mutation, polymorphism, genetic makeover: you name it, the viruses have got it. The sophistication has grown to a point where each day new viruses emerge that exploit weaknesses in hardware, operating systems, applications, networks, databases and all the way to human behavior (phishing). Furthermore, the motivation of virus coders has shifted from mere personal challenge, hobby or status to commerce.



Factor 2 – Increase in Zero Day Threats
With the advent of the Internet and the explosion in other communications technologies, the spread of viruses has been particularly disastrous. The proliferation of new zero-day threats has become a major cause of worry for many institutions, which are held hostage until an antigen is developed.

Every time a new strain of virus breaks out, the world watches with tense moments (much like waiting out a SARS or Bird Flu outbreak) until the anti-virus companies come up with a solution. During this period, the world is held hostage by the newly unleashed viruses. Given today's Internet penetration, epidemics such as the ones caused by Slammer W/32, Melissa, CodeRed etc. in a short period of time have been devastating. Such threats have come to be known as zero-day threats, and traditional anti-virus technologies in theory have no solution for them.

Factor 3 – The Decrease in Effectiveness of Traditional Anti-Virus Technologies
With some of the more advanced viruses, such as metamorphic viruses, the chances of an anti-virus technology being able to detect and squelch them are 30% at best. The pace as well as the intensity (sophistication) of such attacks also seems to be on the rise. According to Gartner, by 2007 75% of enterprises will be infected with undetected, financially motivated targeted malware (MacDonald, 2007). Thus, in the race between the good and the bad, the bad seems to be creeping ahead, leaving the good far behind.


Factor 4 – Anti-Virus Technologies Are Reactive Not Proactive by Nature
The failure of anti-virus is clear. The reason anti-viruses are hopelessly behind in this new race is that AV technologies are reactive by nature. That is, anti-virus software waits for a new malware to attack before coming up with a defense. Such technologies have worked reasonably well in a static world dominated by sporadic virus bursts.

But not anymore. We are now in a world of cyber-dollies (Dolly, the cloned sheep) and mutating engines. What IT security managers need is proactive technology that can prevent viruses before they sting, or better still before they clone, or better yet before they are born! This concept is akin to the pre-crime division that Steven Spielberg famously portrayed in his movie “Minority Report”.

Technical Note: Most anti-virus products come with some level of proactive security in the form of heuristics. However, such heuristics are only effective against a known family of viruses. For entirely new viruses, they are ineffective. (Refer to part 2 of this series for a discussion of heuristics.)
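To make the signature update cycle and the heuristics note concrete, here is an added Python example (my own, not code from the original post or from any vendor it names). It builds a toy scanner with exact byte signatures plus one family heuristic, runs three constructed samples through it, and shows the zero-day window: the unseen sample scans clean until a signature for it is pushed, while the tolerant family heuristic catches a variant of the known family that the exact signature misses but does nothing for the entirely new sample. All sample bytes, names and patterns are constructed for the illustration.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed stand-ins for a known virus, a variant from the same family and an
# entirely new threat. They are harmless byte strings used only as scanner input.
KNOWN_SAMPLE = b"MZ\x90\x00" + b"DROPPER-v1:copy self to startup folder" + b"\x00" * 8
VARIANT_SAMPLE = b"MZ\x90\x00" + b"DROPPER-v7:copy self to startup folder" + b"\x00" * 8
NOVEL_SAMPLE = b"MZ\x90\x00" + b"UNSEEN-THREAT:hook keyboard input" + b"\x00" * 8
SAMPLES = {"known": KNOWN_SAMPLE, "variant": VARIANT_SAMPLE, "novel": NOVEL_SAMPLE}


def hash_signature(data: bytes) -> str:
    """Whole-file hash: the most brittle signature, defeated by a single changed byte."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class Signature:
    """An exact byte run deduced from one sample, as shipped in a signature update."""
    name: str
    pattern: bytes

    def matches(self, data: bytes) -> bool:
        return self.pattern in data


@dataclass
class FamilyHeuristic:
    """A tolerant pattern written to cover every known member of one virus family."""
    family: str
    regex: re.Pattern

    def matches(self, data: bytes) -> bool:
        return self.regex.search(data) is not None


@dataclass
class Scanner:
    signatures: list = field(default_factory=list)
    heuristics: list = field(default_factory=list)

    def scan(self, data: bytes) -> dict:
        """Exact signatures are tried first, then family heuristics; otherwise 'clean'."""
        for sig in self.signatures:
            if sig.matches(data):
                return {"verdict": "detected", "by": "signature", "name": sig.name}
        for heur in self.heuristics:
            if heur.matches(data):
                return {"verdict": "suspicious", "by": "heuristic", "name": heur.family}
        return {"verdict": "clean", "by": None, "name": None}


def derive_signature(name: str, sample: bytes, start: int, length: int) -> Signature:
    """What the vendor lab does once a sample arrives: pick a distinctive byte run."""
    return Signature(name, sample[start:start + length])


def update_cycle() -> tuple:
    """Scan the three samples before and after the lab ships a signature for the
    novel sample; the gap between the two runs is the zero-day window."""
    scanner = Scanner()
    # Day 0: the lab has seen DROPPER-v1 and written a family heuristic for DROPPER-v*.
    scanner.signatures.append(derive_signature("Dropper.A", KNOWN_SAMPLE, 4, 10))  # b"DROPPER-v1"
    scanner.heuristics.append(FamilyHeuristic("Dropper", re.compile(rb"DROPPER-v\d+:")))
    before = {label: scanner.scan(sample)["verdict"] for label, sample in SAMPLES.items()}
    # Day N: the novel sample reached the lab; a signature is derived and pushed out.
    scanner.signatures.append(derive_signature("Unseen.A", NOVEL_SAMPLE, 4, 13))  # b"UNSEEN-THREAT"
    after = {label: scanner.scan(sample)["verdict"] for label, sample in SAMPLES.items()}
    return before, after


if __name__ == "__main__":
    before, after = update_cycle()
    print("before update:", before)
    print("after update: ", after)
    print("variant shares a family but not a hash:",
          hash_signature(KNOWN_SAMPLE) != hash_signature(VARIANT_SAMPLE))
```

The `before` dictionary is the state every desktop sits in during the zero-day window: the known sample is caught, the family variant is only flagged by the heuristic, and the novel sample passes as clean. Only the `after` run, once the lab has pushed `Unseen.A`, closes the gap, which is the reactive cycle the article describes.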

Anti-Virus- A Technology past its prime
Anti-virus has long served the cyber-world with stellar results, and its contribution should be duly recognized. Without it, many of the tremors that we experienced with viruses would have been more like a major earthquake or a tsunami. However, according to Computer World magazine (quoting Symantec), in 2007 alone about 700,000 new viruses (roughly 70% of all known viruses today) were created. By any measure this is alarming. Besides, the new viruses clone themselves into totally new breeds, taking corporate IT networks hostage and turning them into cloning factories. Thus, we need to look at new alternatives to traditional anti-virus to secure ourselves.


References:
1) MacDonald, Neil – Host-Based Intrusion Prevention Systems (HIPS) Update: Why Antivirus and Personal Firewall Technologies Aren’t Enough – Gartner Teleconference, 25 Jan 2007
2) Chen, Thomas – The Evolution of Viruses and Worms – Working Paper
3) Cohen, Fred – “Computer Viruses: Theory and Experiments,” Computers and Security, vol. 6, pp. 22-35, Feb
4) DriveSentry – To learn more about DriveSentry’s products, visit http://www.drivesentry.com/
5) Evelson, Boris; Teubner, Colin – How the Convergence of Business Rules, BPM and BI Will Drive Business Optimization
6) Malware Count Blows Past 1 Million Mark – Computer World, Apr 8, 2008 – http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9075518
7) Surowiecki, James (2004) – The Wisdom of Crowds: Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations
8) Vollmer, Ken; Teubner, Colin – “Increase Business Agility with BPM Suites”, Forrester Research – http://www.forrester.com/Research/Document/Excerpt/0,7211,40041,00.html
