Closing the Antivirus Protection Gap
A comparative study on effective endpoint protection strategies
WP-EN-05-07-12
May 2012
Introduction

Corporate economic concerns have put increased pressure on already limited IT resources in recent years, as the onslaught of malware and the sophistication of cyber attacks continue to grow at exponential rates. Meanwhile, 50% of endpoint operating costs are directly attributable to malware [1], yet corporate IT budgets remain focused on standalone antivirus as the keystone of endpoint security.

In this paper, we benchmark the effectiveness of a standalone antivirus and OS-resident patching solution against newer technologies and a defense-in-depth approach that layers multiple endpoint security and operational technologies together.

Methodology

Defining the Average Corporate Endpoint

In order to conduct comparative malware testing, a model of the "Average Corporate Endpoint" was defined. The Average Corporate Endpoint was chosen to be representative of a business-oriented end-user computer in terms of operating system, installed applications and "average" IT operational and security practices. A Microsoft® Windows 7 Enterprise (64-bit) machine, joined to an Active Directory domain, was chosen as the best representative of an average enterprise desktop endpoint.

The Average Corporate Endpoint test (ACE) system was loaded with Microsoft Forefront Endpoint Protection 2010 to represent a typical vendor-provided antivirus solution. Forefront was configured to provide maximum protection; this configuration is shown in Figure 1, and archive (.zip, .cab) and removable media scanning were also enabled.

When representing the ACE, it is also worth considering the level of patching in place, as most malware still seeks to exploit known vulnerabilities in existing applications or in the OS. It was assumed that the OS and all Microsoft applications would be fully patched with the current Patch Tuesday update, as patch mechanisms (e.g. Windows Update, WSUS) are widely used to ensure timely patching.

1. Ponemon Institute, 2011 State of Endpoint Risk, December 2010


There are numerous studies indicating that patch lags exist, are problematic for smaller organizations [2] or represent a significant and all too real exposure [3]. Update mechanisms such as Windows Update or WSUS do not natively extend their support to 3rd party applications, which in reality represent a significant portion of the applications found on any desktop endpoint. Patches were applied to the third party applications; however, it was assumed that these applications might suffer from patch lag. To represent the real world exposure of average corporate desktops, a maximum patch lag of 3 months was chosen.

The assumptions made about patching currency may indeed be optimistic, as there are numerous examples of exploits that used aged vulnerabilities for which a patch had long been available (e.g. Conficker) [4]. The Average Corporate Endpoint software is summarized in the tables below.

2. Derek E. Brink, “To Patch or Not to Patch (Not If, But How)” October 2011, Aberdeen Group

3. Derek E. Brink, “Is Your Vulnerability Management Program Leaving You at Risk (Most Likely, Yes)” June 2011, Aberdeen Group

4. http://en.wikipedia.org/wiki/Conficker

Figure 1: Forefront Configuration



Microsoft Application                        | Software Version at Time of Test
Microsoft Forefront Endpoint Protection 2010 | Up-to-date with current signatures
Microsoft Office 2007                        | Up-to-date
Microsoft Internet Explorer 9                | Up-to-date

Table 1: Average Endpoint Software - Microsoft Applications

Application               | Software Version at Time of Test
Mozilla Firefox           | Patch lagged
Google Chrome             | Patch lagged
Adobe Flash Player        | Patch lagged
Adobe Acrobat Reader      | Patch lagged
Adobe Shockwave Player    | Patch lagged
Apple QuickTime           | Up-to-date (latest patch older than 3 months)
Java Runtime Environment  | Patch lagged
Real Networks RealPlayer  | Up-to-date (latest patch older than 3 months)

Table 2: Average Endpoint Software - 3rd Party Applications

Intelligent Whitelisting and Timely Patch Management

To explore the malware prevention efficacy of technologies beyond standard antivirus and Microsoft patching, an additional test configuration was defined.

The well known exponential growth of novel malware [5] represents a very real challenge for antivirus, which must continue to incorporate the ever increasing "known bad" (malware signatures). Heuristics, site blocking and faster malware identification (often provided through cloud-based signatures and/or reputation) are some of the techniques vendors have introduced to keep up with malware growth and decrease infection rates.

Alternatively, application whitelisting aims to allow only the "known good" applications. This trades the problem of tracking an explosive amount of malware for the more pragmatic management of a limited number of desired applications.

5. Frost and Sullivan, “Cybersecurity Market: Malware Historical Growth Patterns and Future Projections, Global, 2009-2015”


6. MRG Effitas (Malware Research Group), http://malwareresearchgroup.com/

The comparative system, the Lumension® Endpoint Management and Security Suite (L.E.M.S.S.), incorporates application whitelisting through the Lumension® Intelligent Whitelisting Solution, which is an integrated solution across Lumension Antivirus, Lumension Application Control and Lumension Patch Management. This test system was configured using the "Easy Lockdown" process, which takes an automated "snapshot" of an endpoint; that snapshot is then used to create an application whitelist and begin enforcement of whitelist policies. With the addition of Lumension Patch Management, vulnerability coverage was extended to the 3rd party applications resident on the ACE.

Microsoft Forefront is not present on the L.E.M.S.S. test system, nor is the Microsoft (WSUS) update agent used in this test configuration.
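To make concrete what a snapshot-based whitelist changes relative to signature matching (this ties together the "known good" versus "known bad" discussion above and the Easy Lockdown snapshot described here), the following is an added example written for this page; it is not Lumension's code, and the file names, file contents and the trusted_update helper are constructed stand-ins for how such a product might behave. It takes a hash snapshot of a constructed directory as the baseline, then shows how a signature list and the allowlist each decide on an installed program, a previously seen sample, a never-before-seen sample, an installed program tampered with in place, and a legitimate patch delivered through a trusted updater:

```python
import hashlib
import os
import tempfile
from typing import Dict, Set, Tuple


def sha256_file(path: str) -> str:
    """Hash a file's contents; this is the identity both approaches key on."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_allowlist(root: str) -> Dict[str, str]:
    """Baseline snapshot of an endpoint: every file under `root` is recorded
    as relative path -> SHA-256, and only those exact binaries may run afterwards."""
    allow: Dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            allow[os.path.relpath(full, root)] = sha256_file(full)
    return allow


def blocklist_allows(path: str, known_bad: Set[str]) -> bool:
    """Signature-style decision: run anything whose hash is not known bad."""
    return sha256_file(path) not in known_bad


def allowlist_allows(path: str, root: str, allow: Dict[str, str]) -> bool:
    """Allowlist decision: run only a binary whose path and hash match the snapshot."""
    return allow.get(os.path.relpath(path, root)) == sha256_file(path)


def trusted_update(path: str, root: str, allow: Dict[str, str], new_bytes: bytes) -> None:
    """Hypothetical patch-management agent acting as a trusted updater: the new
    binary is written and its hash replaces the old entry in the allowlist."""
    with open(path, "wb") as f:
        f.write(new_bytes)
    allow[os.path.relpath(path, root)] = sha256_file(path)


def write(root: str, rel: str, data: bytes) -> str:
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "wb") as f:
        f.write(data)
    return full


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Returns {event: (blocklist allows, allowlist allows)} for a constructed day of activity."""
    results: Dict[str, Tuple[bool, bool]] = {}
    with tempfile.TemporaryDirectory() as root:
        # Constructed baseline: two installed applications, then the lockdown snapshot.
        winword = write(root, "Program Files/Office/winword.exe", b"WINWORD build 1")
        reader = write(root, "Program Files/Reader/acrord32.exe", b"ACRORD32 build 1")
        allow = snapshot_allowlist(root)

        # The only signature the simulated antivirus has: one previously seen sample.
        known_bad = {hashlib.sha256(b"MALWARE seen last week").hexdigest()}

        def decide(label: str, path: str) -> None:
            results[label] = (blocklist_allows(path, known_bad),
                              allowlist_allows(path, root, allow))

        decide("installed app", winword)

        old = write(root, "Users/u/Downloads/invoice.exe", b"MALWARE seen last week")
        decide("known malware", old)

        novel = write(root, "Users/u/Downloads/invoice2.exe", b"MALWARE never seen before")
        decide("novel malware", novel)  # the signature miss the paper measures

        # In-place tampering: the binary keeps its name but no longer its hash.
        with open(reader, "ab") as f:
            f.write(b" + injected payload")
        decide("trojanized installed app", reader)

        # A legitimate patch delivered through the trusted updater is re-admitted.
        trusted_update(reader, root, allow, b"ACRORD32 build 2")
        decide("patched app via trusted updater", reader)
    return results


if __name__ == "__main__":
    for event, (av, wl) in run_scenario().items():
        print(f"{event:34s} blocklist allows={av!s:5s} allowlist allows={wl}")
```

The allowlist needs no prior knowledge of the novel sample to deny it, which is the point the paper makes; the cost is that every legitimate change must arrive through a trusted path, here modelled by trusted_update, which is the role patch management plays in the L.E.M.S.S. configuration. Note also that a file-hash check only governs which executables start: code run by an already-allowed interpreter, or injected into an allowed process, is outside its scope and needs other layers.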

Real World Malware

It was decided that the most effective comparison would use real malware, found in the wild, in order to best represent the growing reality of zero day threats. To facilitate this effort, Lumension contracted with an independent malware research organization [6] with expertise in malware attack vectors. Over a seven-day period, more than 2100 individual samples were collected in the wild and directed against each of the configured test systems. The malware test set included trojans, backdoors, PUAs, ransomware, viruses, rootkits and worms.

The Average Corporate Endpoint, protected only by Microsoft Forefront Endpoint Protection 2010 and the Windows Update Agent, was found to be highly vulnerable: it allowed the download and execution of 23% of the malware samples introduced each day. A minimum of 300 malware samples were tested each day against this configuration, and the number of daily misses is shown in Figure 2.

As antivirus signatures are updated frequently, the test methodology did allow time for the antivirus technology to benefit from updated signatures. To measure this, any sample that had executed previously (missed on the previous day) was retested on the current day. The number of samples caught on subsequent testing varied from 5 to 40 per day, with an average delay of just over 2 days for the signature to catch up with the malware. The cumulative number of missed samples remained significant at the conclusion of a week's testing, with 19.2% of malware successfully executing on the Average Corporate Endpoint.
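As an added illustration of the retest methodology just described (example code written for this page, not part of Lumension's or MRG Effitas's tooling; the daily cohorts it uses are constructed rather than the study's data), the following computes the three figures the paper reports from per-sample records: the share of each day's new samples that execute, the average delay before a signature catches a sample that was missed on its first run, and the cumulative miss rate once later retests are credited. It makes explicit why the per-day figure (23%) and the end-of-week figure (19.2%) differ:

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    sid: str
    introduced: int           # test day on which the sample was first run
    caught_on: Optional[int]  # first test day the AV blocked it; None = never during the test


def constructed_test_set() -> List[Sample]:
    """Constructed data (not the study's results): 10 new samples on each of
    days 1-3, retested daily until day 5. `late` lists, per day, the outcome of
    the samples that executed on introduction: the day a signature caught them,
    or None if they were still executing at the end of the test."""
    late = {1: [None, 3, 4], 2: [3, None], 3: [None, 5, 4]}
    samples: List[Sample] = []
    for day in (1, 2, 3):
        for i in range(10):
            caught = late[day][i] if i < len(late[day]) else day  # the rest were blocked on first run
            samples.append(Sample(f"d{day}-{i:02d}", day, caught))
    return samples


def daily_new_miss_rate(samples: List[Sample], day: int) -> float:
    """Fraction of the samples introduced on `day` that executed that day
    (the per-day number behind 'New Malware Samples Missed Per Day')."""
    cohort = [s for s in samples if s.introduced == day]
    return sum(1 for s in cohort if s.caught_on != day) / len(cohort)


def catchup_delays(samples: List[Sample]) -> List[int]:
    """Days between a sample's first execution and the retest on which a
    signature finally blocked it; samples never caught are excluded."""
    return [s.caught_on - s.introduced
            for s in samples if s.caught_on is not None and s.caught_on > s.introduced]


def mean_catchup_delay(samples: List[Sample]) -> float:
    delays = catchup_delays(samples)
    return sum(delays) / len(delays)


def blocking_effectiveness(samples: List[Sample], through_day: int) -> float:
    """Share of all samples seen so far that have been blocked by `through_day`,
    crediting signatures that caught a sample on a later retest."""
    seen = [s for s in samples if s.introduced <= through_day]
    still_executing = [s for s in seen if s.caught_on is None or s.caught_on > through_day]
    return 1.0 - len(still_executing) / len(seen)


def cumulative_miss_rate(samples: List[Sample], through_day: int) -> float:
    return 1.0 - blocking_effectiveness(samples, through_day)


if __name__ == "__main__":
    data = constructed_test_set()
    for d in (1, 2, 3):
        print(f"day {d}: {daily_new_miss_rate(data, d):.0%} of new samples executed")
    print(f"mean signature catch-up delay: {mean_catchup_delay(data):.1f} days")
    print(f"cumulative miss rate after day 5: {cumulative_miss_rate(data, 5):.1%}")
```

A sample that is caught on a later retest still executed at least once on the endpoint, so the cumulative figure understates exposure: it measures how far signatures eventually catch up, not how many samples ran. Anyone reproducing this kind of test should report both numbers, as the paper does.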


Figure 2: Daily Malware Samples Missed

The multi-faceted security approach of the L.E.M.S.S. test system proved highly successful throughout the life of the test. The Lumension Endpoint Management and Security Suite, which supplied Intelligent Whitelisting as well as Patch and Remediation, blocked all malware execution attempts. Though some recent work has suggested shortcomings of defense-in-depth strategies in the world of software [7], these findings support the traditional view that a layered security approach affords the best protection [8]. The aggregate malware testing results are illustrated in Figure 3.

[Figure 2 chart: New Malware Samples Missed Per Day; x-axis: Test Day; y-axis: Number of Samples]

7. Prescott E. Small, "Defense in Depth: An Impractical Strategy for a Cyber World", November 2011

8. Steve Ragan, "RSAC 2012: Malware growth and why layered security is still king", March 2012, http://www.thetechherald.com/articles/RSAC-2012-Malware-growth-and-why-layered-security-is-still-king


Figure 3: Cumulative Malware Samples Missed

The overall malware blocking effectiveness is shown in Figure 4. This clearly illustrates the growing ineffectiveness of antivirus when used in a standalone manner versus a more robust approach built on more effective security technologies such as application whitelisting, combined with other solutions such as robust patch management and antivirus.

[Figure 3 chart: Cumulative Malware Samples Missed; x-axis: Test Day; y-axis: Number of Samples]


Figure 4: Cumulative Malware Blocking Effectiveness

[Figure 4 chart: Cumulative Malware Blocking Effectiveness; x-axis: Test Day; y-axis: Blocking Percentage]

Potential TCO Benefits

Malware may have a dramatic detrimental impact on an organization, originating from the loss of private customer data, corporate intellectual property and reputation. Quantifying the economic loss to the enterprise stemming from a significant breach of corporate defenses is difficult, as the repercussions of reputation damage are long-lasting.

Malware's more mundane but not insignificant fiscal effects include the loss of employee productivity and increased help desk costs. Lumension has developed a True Cost of Malware Calculator [9] to help organizations understand these all too real costs. The calculator allows for customization of a large number of parameters, so that a realistic, organization-specific model can be developed. Figure 5 below shows representative output modeling a 1000 endpoint enterprise.

Figure 5: TCO Calculator 1000 Endpoint Deployment

9. http://www.lumension.com/Resources/Value-Calculators/Cost-of-Malware-Calculator.aspx


The TCO benefit from simply reducing the number of malware incidents, and the endpoint reimaging needed to recover from severe malware infections, is significant. For example, a 1000 node enterprise where monthly malware incidents are reduced from 40 to 10 may realize a reduction of more than 31% in overall TCO.

Figure 6: Enterprise TCO vs. Malware Prevalence

[Figure 6 chart: x-axis: Deployment Year; y-axis: Total Cost of Ownership (USD)]

Conclusion

It is clear that the de facto security standard for malware prevention employed in the Average Corporate Endpoint, traditional antivirus coupled with native patching services, carries significant risk along with increased cost of operations across an enterprise endpoint environment.

The Pareto Principle associates 80% of effects with 20% of causes. If this principle applies to malware prevention, then the 20% exposure to malware that remains with traditional antivirus may represent a corporate loss risk four times greater than that which is being protected against. Certainly no security solution is perfect; however, even economically challenged IT operations may be better served by considering a defense-in-depth approach when it comes to securing their corporate endpoints.

[Figure 6 chart title: Comparative Total Cost of Ownership, 1000 Endpoint Enterprise]

About Lumension Security, Inc.

Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. Lumension: IT Secured. Success Optimized.™ More information can be found at www.lumension.com.

Lumension, "IT Secured. Success Optimized.", and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters
8660 East Hartford Drive, Suite 300
Scottsdale, AZ 85255 USA
phone: +1.480.970.1025
fax: +1.480.970.6323
www.lumension.com

Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management