by: Pierluigi Stella, Chief Technology Officer, Network Box USA
In recent days, it was reported that an update from Sophos (an AV company) caused the software to catch itself as a threat.
For as much as this may put a smile on your face, I wouldn’t attack the company too much about it. It isn’t the first time an AV company causes issues with an update. A while back, McAfee released an update which (falsely) detected a Windows system programs as a threat, and substantially took down hundreds of thousands of computers. Less invasive false positives are a fact of the day as well.
The truth of the matter is AV companies are working under an unprecedented level of stress, and errors such as this are bound to happen. What’s ironic is that we’ve been thinking for 5 years, “how much worse can it get”, and yes, it did get worse, and it’ll likely get worse-er yet! (I know, that isn’t really a word but it sort of expresses the gravity of the situation).
To put this in hard numbers, at Network Box, we see about 400,000 new or variants of existing threats every day. No, your eyes aren’t betraying you – we really did say four hundred thousand. In fact, we sometimes see up to 500 thousand per day.
Hackers have automated the process of writing new malware or modifying existing one to create variants in order to bypass existing signatures.
Now think of the process of how a traditional AV signature comes to be:
- The company needs to get a sample of the threat (typically through the use of traps of some kind, also known as honey pots)
- Someone (and by that, I mean an actual human being) needs to analyze that code and understand what it’s trying to do. Much of this process has become automated; otherwise we wouldn’t see more than a handful of signatures a day. Nevertheless, the code must be analyzed in order to ascertain what it’s trying to do and assess if it poses a real threat
- A signature needs to be created
- This signature _should_ be submitted through a series of tests to ensure that, while effective against the threat for which it was built, it doesn’t cause issues elsewhere, such as false positives against legitimate files
- Once this test process is considered passed, the signature is released to distributions servers
- Your computer then downloads it at the next update cycle (which could be an hour from when the new signature becomes available)
This process is, unfortunately, agonizing and way too slow to keep up with the number of new threats released every day; therefore, many companies are rushing signatures out. Truth be told, I’m actually (pleasantly) surprised that issues such as the one mentioned at the beginning of this article, aren’t happening more often.
Nevertheless, the problem remains – signatures are a method of catching threats which is very effective but much too slow. As a result, most companies are inventing new ways with which to stay ahead of the curve.
The following technologies are being used by many organizations, and you should ensure that the product your Credit Union has adopted, is using all of them – simply because you need to be using every single available weapon to even have a slight chance of winning this fight.
Here is the list:
- Crypto Hash Checks
- Regular Expression Checks
- Illegal Mime Checks
- Malware Variant Heuristics
- Hidden Executable Heuristics
- Class ID Heuristics
- Blank Extension Heuristics
- Multiple Extension Heuristics
- Mutation Avoidance Scanning
- Detection Filtering
- Code Decryption
- Code Emulation
- Geometric Detection
- Executable Code Heuristic Analysis
- Standards Enforcement
- Exploit Detection
- Technological Obviation
- Technological Deception
I was too, I confess.
And this list will only continue to expand and grow.
Time and space permitting, I’ll attempt to explain each of these technologies across forthcoming articles but in the interim, the Internet, as we all know, is a treasure trove of information.
After 15 years at IBM, Pierluigi Stella co-founded Network Box USA (the American division of Network Box Corporation Ltd) in 2003. In his capacity as Chief Technology Officer, he has acquired extensive knowledge of security issues with emphases on the financial; banking; hospitality and travel; healthcare; and education sectors. Stella is also an elected Member of the Executive Council of the CompTIA IT Security Community.
Network Box USA, the American division of Network Box Corporation Limited, is a leading Managed Security Services Provider (MSSP) in the domestic market. The company was formed in response to the increasing danger posed by security breaches, virus attacok i ks and similar threats arising from widespread use of the Internet.
Network Box USA is headquartered at 2825 Wilcrest Dr, Suite 259, Houston, Texas 77042. For more information, please call 832-242-5758 or (toll free) 888-315-8886; fax: 713-933-0290; or email firstname.lastname@example.org. Follow us on Twitter and Facebook.