How did security software change with the evolving malware threat in 2010 and where will it go in 2011?

Opinion by Dan Raywood

This year has seen attacks from bigger and better malware that has proved to be more and more targeted.

We recently looked at how malware was evolving, with the Stuxnet worm a prime example of how the challenge is now as bad as it has ever been. However, it is not all doom and gloom, as security software works to battle against these threats and adapts its technology to defeat the bad guys.

So having looked at how bad things have been, I decided to talk to some of the vendors in this industry to get an idea of how the software designed to stop it is stepping up to the challenge and what the future of security software looks like.

Firstly, there is a need to react quicker and to analyse faster. Rik Ferguson, senior security advisor at Trend Micro, said: “It is about stopping the files earlier, blocking the places where the files are coming from and stopping you accessing the files.

“Files are still important but that should be your last line of defence and not your first. Your security software should say ‘I see you are being directed to a site in the Ukraine which is bad so I am going to block that', and it might be that there was Zeus there, so it does not matter if there is a file or not, it stopped you getting infected. It is not enough to focus on files; it should focus on the threat as a whole.”

Ash Patel, UK country manager at Stonesoft, commented that there is always a challenge with writing signatures when new malware is identified, although despite there being variations the malware is generally much the same. He said that often a small-to-medium business (SMB) will move to a hosted service, such as a cloud-based Software-as-a-Service (SaaS) application, in comparison to a server-based appliance in an enterprise.

So is cloud-based security, enabling filtering in the cloud, a feature of the future? The sector was given a strong boost following the acquisition of cloud security service provider Prevx by fellow vendor Webroot.

Paul Wood, senior analyst at Symantec Hosted Services, said that the cloud ‘is the best place to stop spam from spreading' and from his experience, it is a private place with code moving through it. Perhaps unsurprisingly, he said that it is a ‘key security infrastructure', but it is not just those using cloud services who would agree.

In October Symantec launched the Ubiquity product, what it called ‘a breakthrough approach to fighting malware' by combining signature-based protection, intrusion prevention, behavioural and heuristic detection capabilities in order to ‘detect threats other approaches miss'.

Talking to SC Magazine, Sian John, solutions architect at Symantec, said that the product was developed to deal with the ‘problem of more and increased distribution of threats'. She said that with 240 million new samples detected last year it is a challenge to detect and push updates out for anti-virus with the more minor threats.

Looking at how Google and Amazon control files, she said it is all about reaction and reputation and Symantec based Ubiquity's development on the reputation of the file. “We brought in the consumer mode and have been in blocking mode with that. We took it to the enterprise where they need to have control, add rating and ranking and have something that can set over the risk profile. In 2010 we are currently seeing four million unknown threats a month with this,” she said.

Looking at the future generally, John said that the future of software was down to flexibility and the cost of data in the cloud and she had ‘seen some anti-virus that updates the basis of security and let the user decide what suits them'.

However she said: “We are not at a point where everything is in the cloud. Symantec Hosted Services/MessageLabs changed the market years ago and it is better to check web and email traffic on the way, but what about local threats like plugging in a USB? That is what happened with Stuxnet and there is no way around by doing it in the cloud.”

I recently met with Mark Harris, vice president of SophosLabs, whom I talked to about malware in general. He told me that the vast majority of malware does not appear on the desktop, but that it is changing so much that his labs are now blocking by the URL, and automation means that as a file arrives it can be pushed to the cloud for scanning.

“We have technologies which if a file is good we let it run, if it is bad we block it and if we do not see it we can request a sample to upload it. We use the cloud to keep protection levels up but we can white list what is good or bad and make decisions based on that,” he said.

“From a detection standpoint this is a good way of detecting volumes, but the real benefit is how to detect new malware using content behaviour and the reputation of it. We can use the information to build up very sophisticated information to react to changing threats.”

I asked David Harley, senior research fellow at ESET and a director of the anti-malware testing standards organisation (AMTSO), what he thought about the future of security software and the use of the cloud for filtering.

He said that reputation services have been in use for a long time in spam management and now more and more products are extending the concept to malware. His concern was that we have entered a world where the industry is moving further along the continuum in the opposite direction to exhaustive validation and analysis towards a ‘pile ‘em high, sell ‘em cheap' approach to detection, where the file hash has become the signature.

He said: “This year we have been looking at a total of 40-50 million presumed malicious samples and that is climbing rapidly. Can we really assume that every one of those has been correctly classified and validated? The Malware Working Group is a major player in improving the exchange of metadata and security companies are also trying to rationalise the ways in which they exchange samples.”

“I do not know that we can ever get to the position we were once in vis-à-vis the WildList, where there was a reasonably up-to-date, reasonably authoritative collection of validated samples though.”
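The layered approach the vendors describe above, as an added example that is not code from any of the vendors quoted in this article: Ferguson's point that the source should be blocked before any file is examined, Harris's three-way outcome (known good runs, known bad is blocked, unseen files have a sample requested), and Harley's concern that a file hash standing in for a signature may never have been validated. The reputation data, domain names and the `require_validation` policy knob are all constructed assumptions for the demonstration.

```python
"""Reputation-first verdict pipeline (constructed example, not vendor code)."""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from urllib.parse import urlsplit


class Verdict(Enum):
    ALLOW = "allow"
    BLOCK = "block"
    UNKNOWN = "unknown"  # not seen before: a sample is requested for analysis


def sha256_hex(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class ReputationService:
    # Constructed data: domains with a bad reputation (block the source first).
    bad_domains: set
    # Constructed data: sha256 -> (Verdict, validated). "validated" marks a hash
    # that an analyst has confirmed, as opposed to an automated classification.
    file_hashes: dict
    # Digests for which a sample has been requested (the "unknown" path).
    submitted: list = field(default_factory=list)

    def check_url(self, url: str) -> Verdict:
        """Block if the host, or any parent domain of it, has a bad reputation."""
        host = (urlsplit(url).hostname or "").lower()
        labels = host.split(".")
        for i in range(len(labels)):
            if ".".join(labels[i:]) in self.bad_domains:
                return Verdict.BLOCK
        return Verdict.ALLOW

    def check_file(self, content: bytes, require_validation: bool = True) -> Verdict:
        """Hash lookup; unseen files (and, by policy, unvalidated bad hashes)
        fall through to UNKNOWN and a sample request instead of a silent block."""
        digest = sha256_hex(content)
        entry = self.file_hashes.get(digest)
        if entry is None:
            self.submitted.append(digest)
            return Verdict.UNKNOWN
        verdict, validated = entry
        if verdict is Verdict.BLOCK and require_validation and not validated:
            # Assumed enterprise policy: an unvalidated hash-as-signature is not
            # enough to block on its own; ask for a sample so it can be validated.
            self.submitted.append(digest)
            return Verdict.UNKNOWN
        return verdict


def evaluate_download(service: ReputationService, url: str, content: bytes,
                      require_validation: bool = True):
    """URL reputation first; the file is only examined if the source passed."""
    if service.check_url(url) is Verdict.BLOCK:
        return Verdict.BLOCK, "source"
    return service.check_file(content, require_validation), "file"


def build_demo_service() -> ReputationService:
    """Constructed reputation data for the demonstration."""
    return ReputationService(
        bad_domains={"bad.example"},
        file_hashes={
            sha256_hex(b"known good installer"): (Verdict.ALLOW, True),
            sha256_hex(b"known bad dropper"): (Verdict.BLOCK, True),
            sha256_hex(b"auto-classified sample"): (Verdict.BLOCK, False),
        },
    )


if __name__ == "__main__":
    svc = build_demo_service()
    for url, body in [
        ("http://cdn.bad.example/setup.exe", b"known good installer"),
        ("http://files.example.org/setup.exe", b"known good installer"),
        ("http://files.example.org/update.exe", b"known bad dropper"),
        ("http://files.example.org/new.exe", b"never seen before"),
        ("http://files.example.org/odd.exe", b"auto-classified sample"),
    ]:
        print(url, evaluate_download(svc, url, body))
    print("samples requested:", len(svc.submitted))
```

The ordering is the point: a bad source is blocked before any file arrives, so the file verdict is never consulted for it, and the `validated` flag makes Harley's distinction between "presumed malicious" and "validated" explicit in the data rather than leaving it implicit in a flat hash list.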

In my conversation with Sian John, it was mentioned that it is really up to the company to decide what technology they want to work with and it could be argued that as a security manager it is not a concern on how the technology works, just that it works at all.
