Hitting the ‘Up-To-Date’ Bull’s Eye
VB2009 – Steven Ginn


Presentation Transcript


  1. Hitting the ‘Up-To-Date’ Bull’s Eye
     VB2009 – Steven Ginn

  2. Overview
     • Signature-based anti-malware requires updates to stay ahead
     • More and more updates are released every day
     • Need to provide technology for users to identify their “up-to-date” status
     • Defining and tracking “Up-to-Date”

  3. Signature Based Protection (Background)
     • Recognizes malware based on an identity
     • Content is pattern-matched against signatures
     • New malware = new signatures needed

  4. The ‘Up-to-Date’ Bull’s Eye (What is it?)
     • The point where a product has the latest and greatest definitions

  5. The ‘Up-To-Date’ Bull’s Eye (Why should we care?)
     • Staying current maximizes protection
     • Important to know when to update

  6. Hitting a moving target?
     • Malware is more and more pervasive, and is constantly being created
     • Anti-malware vendors react with new updates to keep up
     • Users need to constantly update to keep up

  7. Identifying Trends (OESIS Monitor)
     • Monitors anti-malware products and online material
     • Records any update available
     • Used to find the bull’s eye

  8. Trends and Observations
     • Number of updates per day has increased
     • Number of vendors and signature formats has increased
     • Update frequency by day of the week varies

  9. Total Updates per Year [chart]

  10. Number of Vendors Identified [chart]

  11. Updates by Day of Week [chart]

  12. Average Number of Updates by Day, for the average vendor [chart]

  13. Average Updates per Day by Year, for selected vendors [chart]

  14. Average Updates per Day by Year, for selected vendors [chart]

  15. Caveats to Data (The “fine print”)
     • Data for 2009 was scaled
     • New vendors introduced mid-year
     • New definition formats introduced mid-year

  16. Finding the Bull’s Eye (Communication tools)
     • Anti-malware vendors have tools to tell users whether or not they are up to date
     • Each makes sense under different scenarios

  17. Blacklist Date (“Use by tomorrow”)
     • Every update is stamped with an expiration
     • Projected to last until the next target delivery
     • Allows client software to make an educated guess about where the up-to-date mark will be next

  18. Blacklist Date
     Pros
     • Best educated guess
     • Easy to answer “Am I up to date?”
     Cons
     • Bad for critical outbreaks
     • May expire prematurely

  19. Brute-Force Update (Throwing blind)
     • Just go get the latest, always
     • No need to care if up to date or not
     • Best when you assume that you aren’t already up to date

  20. Brute-Force Update
     Pros
     • Never miss, if frequent enough
     Cons
     • Resource intensive
     • May interrupt the user’s workflow

  21. Push Mechanism (Always connected?)
     • Open a line between user and a central server
     • When an update is available, push it to the end user

  22. Push Mechanism
     Pros
     • Minimizes outside communication
     • Simpler to stay up to date
     Cons
     • Not good in heterogeneous environments
     • Requires constant contact

  23. Third-Party Enforcement (OESIS Monitor)
     • Monitors update releases by vendors
     • Provides a reference point of the latest definitions

  24. Third-Party Enforcement
     Pros
     • Supports heterogeneous deployments
     • Reacts quickly
     • Reference-point updates are often smaller than signature updates
     • Best of brute-force and push mechanisms
     Cons
     • May not catch everything
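As an added example (not from the talk), the two ways of answering “Am I up to date?” from slides 17–18 and 23–24 side by side: a blacklist-date client trusts its local “use by” stamp, while third-party enforcement compares the installed definitions against the newest release a monitor has observed. The release history and timestamps are constructed, and the mean-gap projection is an assumed stand-in for a vendor’s own expiry projection.

```python
from datetime import datetime, timedelta
from typing import Dict, List

def projected_expiry(release_times: List[datetime]) -> datetime:
    # Blacklist-date stamp: the newest release is given a "use by" time that is the
    # vendor's best guess of when the next release lands. Assumption for this
    # example: the guess is the mean gap between past releases.
    if len(release_times) < 2:
        return release_times[-1] + timedelta(days=1)  # assume a daily cadence
    gaps = [later - earlier for earlier, later in zip(release_times, release_times[1:])]
    mean_gap = sum(gaps, timedelta()) / len(gaps)
    return release_times[-1] + mean_gap

def blacklist_status(expiry: datetime, now: datetime) -> bool:
    # The client answers from its local stamp alone; it never looks outward.
    return now < expiry

def reference_status(installed: datetime, reference_latest: datetime) -> bool:
    # Third-party enforcement: compare the installed definition timestamp
    # against the latest release the monitor has seen (the reference point).
    return installed >= reference_latest

def compare(installed: datetime, history: List[datetime],
            reference_latest: datetime, now: datetime) -> Dict[str, bool]:
    expiry = projected_expiry(history)
    return {"blacklist": blacklist_status(expiry, now),
            "reference": reference_status(installed, reference_latest)}

# Constructed history (example data only): one scheduled release per day at 09:00.
SCHEDULED = [datetime(2009, 9, d, 9, 0) for d in (21, 22, 23)]
INSTALLED = SCHEDULED[-1]  # the client installed the 23 Sept release

# Case 1 ("bad for critical outbreaks"): an out-of-band release at 15:00 on 23 Sept.
# The local stamp still says fresh, but the reference point shows the client is stale.
OUTBREAK = datetime(2009, 9, 23, 15, 0)
CASE_OUTBREAK = compare(INSTALLED, SCHEDULED, reference_latest=OUTBREAK,
                        now=datetime(2009, 9, 23, 16, 0))

# Case 2 ("may expire prematurely"): the 24 Sept release slips to 12:00. At 10:00
# the stamp has already expired although nothing newer exists yet.
CASE_SLIP = compare(INSTALLED, SCHEDULED, reference_latest=INSTALLED,
                    now=datetime(2009, 9, 24, 10, 0))

if __name__ == "__main__":
    print("outbreak:", CASE_OUTBREAK)     # {'blacklist': True, 'reference': False}
    print("slipped release:", CASE_SLIP)  # {'blacklist': False, 'reference': True}
```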

  25. Cloud-Scanning (Get rid of the definitions)
     • Signatures live in the cloud
     • Content is assessed by reputation and scanned when necessary on external sites

  26. Cloud-Scanning
     Pros
     • Improved detection
     • Faster identification
     • Fewer systems to update
     Cons
     • Must always be connected
     • Security concerns with sending data out

  27. What next? (Continue the uphill battle, or go around?)
     • Signature-based detection isn’t scaling
     • What good is providing signatures if users can’t keep up with them?
     • Try to improve alternatives to become proactive, not reactive

  28. Questions?
