Ghost-Hunting With Anti-Virus
In October 2012, data security firm Imperva released a controversial report on the efficacy of anti-virus (AV), which concluded that AV solutions stopped only 5 percent of all malware identified. Few reports in the security industry have been as polarizing as this one; many reacted with white-knuckle rage. It was a classic case of Chris Christensen’s “Innovator’s Dilemma,” in which old-school technologies cling to life in the face of a new paradigm. Just yesterday, one of the original anti-virus vendors joined the fray by “declaring anti-virus dead” in the Wall Street Journal.
At FireEye, we look at hundreds of malware samples daily, and, in a recent talk at RSA Conference, Zheng Bu, vice president of research at FireEye, presented some interesting data that security teams should consider as they think about their AV initiatives. Looking at nearly half a million malware samples over two years, our researchers found that the average lifespan of a piece of malware is very short. The chart below plots how many hours a sample stays alive (X axis) against the share of the total malware pool (Y axis) to show just how quickly samples disappear:
Our data shows an interesting picture: most malware remains active for no more than two hours when FireEye is detecting it. To be precise, our analysis showed that in 2013:
- 82 percent of malware disappears after one hour
- 70 percent of malware only exists once
With the half-life of malware being so short, we can conclude that the function signature-based AV serves has become more akin to ghost hunting than to threat detection and prevention. Even so, IDC’s “Worldwide IT Security Products 2013 – 2017 Forecast” found the market for endpoint security products such as anti-virus to generate $11 billion in revenue, even as APT activity creates nearly fifty unique malware infections every day.
In AV Land, Everyone Is a Sacrificial Lamb
Today’s AV model makes everyone a sacrificial lamb. In the past, malware writers wrote their attack code once, with little need to iterate. Today, as our numbers show, rapidly iterating malware has become the de facto way of hacking.
A simple comparison of the malware writing process versus anti-virus signature development shows a stark contrast.
First, let’s look at the malware development process:
Malware is developed, QA’d against the latest AV signatures, released, and once it is picked up by AV sensors and shared among vendors—the malware dies. The process takes a few days at most.
By contrast, anti-virus vendors work in a process that takes a few days to a few weeks.
Examining the two “supply chains,” one quickly sees why anti-virus is inherently behind the curve, doomed to chasing ghosts. By the time signatures have been built from collected samples and have gone through QA, those samples are more or less defunct, except in the rare case where the core code of the malware cannot be modified. Over the years, AV vendors have increased the frequency of signature updates to convey the benefits of eventual detection. However, applying frequent security updates to thousands of business-critical computer assets is already an increasing challenge for medium to large organizations, especially where many assets, such as laptops, are mobile. Ultimately this does not close the gap of days to weeks that collecting new malware samples can take, which is why security solutions, like FireEye’s, that do not rely on such a reactive model detect malware faster.
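To make the gap between the two supply chains concrete, here is an added example (not FireEye’s code or data; the sighting records are constructed and the sample labels are placeholders, not real hashes). It derives lifespan figures of the kind quoted above from first-seen/last-seen telemetry, then asks what share of the corpus a hash-based signature could still catch if it arrives a given number of hours after a sample is first sighted. The signature lag is the only parameter; the longer it is, the more of the corpus has already gone dark before the signature ships.

```python
"""Estimate how much of a malware corpus a lag-bound, hash-signature detector
could ever catch. Added example with constructed telemetry, not vendor data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sightings: (sample label, ISO timestamp). Labels stand in for
# file hashes; they are placeholders, not real indicators.
SIGHTINGS = [
    ("sample-A", "2013-03-01T09:00:00"),
    ("sample-A", "2013-03-01T09:20:00"),
    ("sample-A", "2013-03-01T09:50:00"),  # active for 50 minutes
    ("sample-B", "2013-03-01T10:00:00"),  # seen exactly once
    ("sample-C", "2013-03-01T11:00:00"),
    ("sample-C", "2013-03-03T11:00:00"),  # long-lived: 48 hours
    ("sample-D", "2013-03-02T08:00:00"),  # seen exactly once
    ("sample-E", "2013-03-02T12:00:00"),
    ("sample-E", "2013-03-02T12:30:00"),
    ("sample-E", "2013-03-02T14:30:00"),  # active for 2.5 hours
]


def lifespans(sightings):
    """Collapse raw sightings into {sample: (first_seen, last_seen, count)}."""
    first, last, count = {}, {}, defaultdict(int)
    for sample, ts in sightings:
        t = datetime.fromisoformat(ts)
        first[sample] = min(first.get(sample, t), t)
        last[sample] = max(last.get(sample, t), t)
        count[sample] += 1
    return {s: (first[s], last[s], count[s]) for s in first}


def fraction_gone_within(spans, hours):
    """Share of samples whose last sighting falls within `hours` of the first."""
    limit = timedelta(hours=hours)
    return sum(1 for f, l, _ in spans.values() if l - f <= limit) / len(spans)


def fraction_seen_once(spans):
    """Share of samples that never reappear after their first sighting."""
    return sum(1 for _, _, c in spans.values() if c == 1) / len(spans)


def signature_coverage(spans, lag_hours):
    """Fraction of samples still active when a signature derived from the
    first sighting arrives `lag_hours` later. A sample is caught only if it
    is still being seen after the signature lands; a sample seen once can
    never be caught, because the signature is built from that sighting."""
    lag = timedelta(hours=lag_hours)
    caught = sum(1 for f, l, _ in spans.values() if l - f > lag)
    return caught / len(spans)


def coverage_table(spans, lags_hours):
    """Coverage for each candidate signature lag, as {lag: fraction}."""
    return {lag: signature_coverage(spans, lag) for lag in lags_hours}


if __name__ == "__main__":
    spans = lifespans(SIGHTINGS)
    print(f"gone within 1h: {fraction_gone_within(spans, 1):.0%}")
    print(f"seen only once: {fraction_seen_once(spans):.0%}")
    for lag, cov in coverage_table(spans, [0, 1, 24, 72]).items():
        print(f"signature lag {lag:>3}h -> coverage {cov:.0%}")
```

Run against real telemetry, the `lifespans` step is the expensive part; the coverage function is the same regardless of corpus size, and plotting `coverage_table` over lags from minutes to weeks gives the curve an AV signature pipeline is racing against.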
To be clear, single-iteration malware will persist, and a minor need for AV will remain as a layer of reactive protection against these unsophisticated, benign threats. But with high-profile breaches occurring frequently, driven by fast-moving, advanced threats, it is clear that next-generation technologies and approaches are needed. Even Gartner has noted the senescence of anti-virus in two very recent reports, notably the Magic Quadrant for Endpoint Protection Platforms (i.e., anti-virus), whose “Market Overview” opens with these sentences:
The rise of the targeted attack is shredding what is left of the [endpoint] anti-malware market's stubborn commitment to reactive protection techniques. Improving the malware signature distribution system, or adapting behavior detection [in endpoint solutions] to account for the latest attack styles, will not improve the effectiveness rates against targeted attacks. (From 8 January 2014).
So, what should we do as an industry, knowing that AV is ineffective today based on these findings? We recommend:
- Accept that the signature-based AV model cannot play a key part in enterprises’ threat-prevention models, and start shifting security strategies to modern methods that identify malware at the time of attack rather than after it has died.
- Reconfigure compliance mandates to place much less emphasis on AV and other reactive, signature-based approaches. Once regulators and compliance mandates make it easier to adopt innovation, we will finally make life a little harder for the attackers.
In doing this, we will be able to protect ourselves not from the ghosts that we imagine are haunting our homes, but from the burglars and malware that truly steal our possessions and erode our foundations.