Traditional Anti-Virus – A Busted Flush!
by Kerry Davies, Commercial Director, Abatis (UK) Ltd., 10-09-11
Abatis Security Innovations and Technologies – Ultimate Protection for your Information assets
© Abatis 2004-2011. HDF - the new approach in malware protection. Patent Pending Worldwide.


Post on 16-Dec-2015


TRANSCRIPT


Background

Computer Science degree in early ‘80s

Security field since 1986

Security Evaluator – Consultant – Manager – Company Founder – Director in Big 4 – Business Partner

MSc in Information Security at Royal Holloway 2007-8 (Graduate 2009)

Why is traditional A/V a “Busted Flush”?

What is malware?

How does malware work?

How does traditional A/V work?

An alternative approach (that works!)

WHAT IS MALWARE?

Virus, Worm, Trojan Horse, Key-Logger, Root-Kit, Logic Bomb, etc.

Malware is a value judgement

Malware is BIG BUSINESS for cyber criminals, cyber terrorists and hostile state actors - APTs

Traditional anti-virus (A/V) is reactive not proactive – infections have to occur in order for the A/V vendors to collect samples to generate A/V signatures and the antidote

Symantec’s 2010 report announced that they had found 286 million pieces of new malware that year – traditional A/V vendors can’t keep up with this volume and the user community can’t keep taking the megabytes of signature updates that the vendors push out daily

How does Malware work?

Elements of a worm (as an example)

Warhead: gains access to the victim’s machine

Propagation Engine: transfers the body to the victim

Target Selection Algorithm: looking for potential new victims to attack

Scanning Engine: scanning across the network

Payload: implementation of specific actions such as opening backdoors, botnet, spyware, keylogger, rootkit …

From: “Malware – Fighting Malicious Code“, p. 79; Ed Skoudis, Prentice Hall 2004

Assessing the Threatscape

Malware is everywhere and easily spread – nothing is safe any more

As smart-phone use rockets and social networking explodes, we struggle to balance the need for security versus the need to share information

Connection between the Hoover Dam and Natanz Nuclear facility in Iran?

Consumerisation of IT - the blurring between professional and personal use of technology, mobile platforms and social networking pose serious threats

Email spam, phishing, pharming and spear-phishing are on the increase

So far in 2011, McAfee has identified 150,000 malware samples every day: one unique file almost every half second, and a 60% increase over 2010

19,000 new malicious URLs each day in the first half of this year, and 80% of those URLs are legitimate websites that were hacked or compromised

Consensus in the A/V Industry

“….With mobile menaces steadily on the rise, we can only anticipate how virulently worms can multiply, especially with the explosion of Bluetooth and the increase in workforce mobility in organisations like the NHS” – Leslie Forbes, Technical Manager, F-Secure

“Back in the 80s, computer experts were quick to dismiss PC viruses as harmless. We need to learn from this mistake and start taking the mobile malware threat seriously. Only by taking pre-emptive measures can we equip ourselves against this pernicious and escalating menace…” – Davey Winder, Security Journalist and Consultant

“Anti-virus technology can't stop targeted attacks.... Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices” – Nir Zuk, founder and CTO of Palo Alto Networks, to SC Magazine, September 9th 2011

According to Ken Silva, CTO of Verisign: “….Criminals will go where the money is,” Silva told CNET News. “If you start doing things of financial interest with your mobile phone, they will find a way to get your money.”

“The security industry has done a miserable job of protecting customers and industry. More than half of malware is not blocked by anti-virus, as vendors can only deal with known malware........ the approach taken by most anti-virus vendors is not good enough, as most claim to block 99 per cent of known malware, but most cyber criminals use unknown variants.” – M86 Security CEO John Vigouroux, speaking to SC Magazine

In 2007 “....there were about 200 malware threats for mobile phones and more than 250,000 viruses for Windows.” – Graham Cluley, senior technology consultant at Sophos

Symantec recorded that in 2010 it saw 286 million pieces of new malware

Effectiveness of Anti-malware solutions

Recent malware infection tactics:

• Drive-by download infection

• Fake security tool and free scanning services

• Social engineering – social networks, e.g. Facebook

• Embed malicious link in email – phishing, pharming and spear phishing type attacks

• Cracked PDF and document files – embedded link/payload

Popular AV signature-based solutions detect on average less than 19% of malware threats. That detection rate increases to only 61.7% after 30 days

Malware Detection Rates for Leading AV Solutions: A Cyveillance Analysis 04/08/10

OTHER METHODS OF PROTECTION

Isolation

Avoid questionable sites, download software only from reputable sites, run an anti-virus scan on any downloaded material

Signature Based – as last table showed, average 19% effective on day 1, max 60%, reactive

Heuristic – reactive, signature based fuzzy pattern matching, false positives (achieves 19%)

Reputation Based – incomplete coverage, limited, vendor specific, error prone, can be defeated

Hashing – used as part of reputation based approach (hashes can be defeated)

Blacklisting – seriously?

Whitelisting – attractive in principle but a huge maintenance nightmare as hashes have to be recalculated and redistributed to every machine for every change

Combination – what the better A/V is doing now…

Kernel-level Control over I/O – use the fundamental nature of malware as executable code, together with the ring-based integrity mechanisms of the O/S, to block storage of executable program files on the hard disk, producing a fast, reliable, non-signature-based, proactive anti-malware solution

HDF - IMPLEMENTATION

[Diagram comparing two I/O paths. Without HDF protection: Applications (e.g. WinWord, User Mode / Ring 3) issue (a) save keylog.exe and (b) save business.doc; the Operating system (e.g. Windows, Kernel mode / Ring 0) Input and output control (IO Manager) passes both writes through the Interface to hardware (NTFS, FAT etc) onto the NTFS drive, C:\. With HDF protection: the HDF filter sits between the IO Manager and the Interface to hardware (NTFS, FAT etc); keylog.exe is blocked before it reaches the NTFS drive, C:\, while Business.doc is not blocked.]
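The decision the diagram attributes to the HDF filter, modelled in user-space Python as an added example (this is not Abatis code; HDF itself is a kernel-mode filter and its internals are not described here): the bytes being saved are classified by executable magic (MZ/PE for Windows, ELF for Linux), never by file name, so saving keylog.exe is blocked, business.doc goes through, and an executable renamed to .doc is still caught. The sample writes and the minimal PE header are constructed for the example.

```python
"""Constructed model of a write-time executable-blocking filter (not Abatis HDF code)."""
import struct

ELF_MAGIC = b"\x7fELF"
MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"

def classify_image(data: bytes):
    """Return 'ELF', 'PE' or 'MZ' for an executable image, else None; only content counts."""
    if data[:4] == ELF_MAGIC:
        return "ELF"
    if data[:2] != MZ_MAGIC:
        return None
    if len(data) >= 0x40:
        # e_lfanew (offset 0x3C) is the file offset of the "PE\0\0" signature.
        (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
        if data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE:
            return "PE"
    return "MZ"  # MZ header with no PE signature: legacy DOS executable

def write_policy(path: str, data: bytes) -> str:
    """Decision the filter takes before the bytes reach disk; the name is not consulted."""
    kind = classify_image(data)
    return f"BLOCK ({kind} image)" if kind else "ALLOW"

def build_min_pe() -> bytes:
    """Smallest MZ/PE header the classifier recognises (constructed sample)."""
    header = bytearray(0x48)
    header[:2] = MZ_MAGIC
    struct.pack_into("<I", header, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    header[0x40:0x44] = PE_SIGNATURE
    return bytes(header)

# Constructed sample writes mirroring the slide, (a) keylog.exe and (b) business.doc,
# plus an executable renamed to look like a document and an ELF binary.
SAMPLE_WRITES = {
    "keylog.exe": build_min_pe(),
    "business.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"Quarterly figures",
    "invoice.doc": build_min_pe(),
    "setup.elf": ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9,
}

if __name__ == "__main__":
    for name, content in SAMPLE_WRITES.items():
        print(f"save {name:<13} -> {write_policy(name, content)}")
```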

PRODUCTS AND BENEFITS

• HDF Workstation

• HDF Server

• All versions of Windows from NT to latest 64 bit

• Red Hat Linux

• Mobile Platforms (future), Real Time, SCADA

• Enforce system integrity

• Stop zero day attacks and targeted attacks

• Block all unwanted software execution

• No signature updates required; fit & forget – low TCO

• No performance impact – potential improvement

HARD DISK FIREWALL (HDF)

[Diagram: HDF at the centre, surrounded by application areas: CLAMPDOWN, SECURE MOBILE PLATFORMS, CRITICAL SYSTEMS PROTECTION, SECURE REAL TIME SYSTEMS, PERFORMANCE IMPROVEMENT, PROTECTION OF LEGACY EQUIPMENT.]

Diagram labels:

• Tablet Devices

• Windows 7 Mobile

• Android

• Keylogger Protection incl USB

• Mobile worker Laptops eg. Sales people

• Drive-by Download protection

• Embedded Systems

• Safety Critical Systems

• CNI & SCADA

• Mission Critical Systems including Virtualised environments

• Stop website defacement & secure hosted environments

• Linux

• Windows NT, Windows 2000, Windows XP, Windows VISTA

• Battery Life Enhancement Research

• Security effectiveness Improvement if used with traditional A/V

• Faster if used w/o A/V or on-demand only scanning

Questions

Kerry Davies

Abatis (UK) Ltd

Royal Holloway Enterprise Centre

Royal Holloway University of London

Egham

Surrey

TW20 0EX

Tel: +44 (0) 7767 240799
