Tuesday, April 23, 2013
(I) Time to dump AV as Endpoint Protection? Not yet
I read an article by Robert Lemos on Dark Reading and thought, 'He missed some points'. So I emailed him and shared my thoughts; now I'm sharing them here too.
I think many things about Anti-Virus or Anti-Malware solutions, mostly that they suck at detecting anything new or unique. Sophos states 70% of malware is unique to one company and 80% to ten or fewer. But they are good for the 20% of malware that is not unique, like BlackHole and other widespread malware. AV is also good for the older lingering pestware, cracks, keygens and other undesirable known applications.
So is AV dead as Endpoint Protection? Not by a long shot. I would recommend to anyone asking me: don't go spending a ton of $$$ on an AV solution or replace one vendor with another; maybe consider a free version or a cheaper solution. Unless of course you are already using a product like McAfee ePO, where you have multiple solutions (database protection, data loss prevention, encryption, etc.) integrated into one console. But I sure wouldn't spend much to maintain AV.
If you really want to maximize the security bang for your buck, consider detection solutions like BigFix or Tanium that can run analyses you craft, for example looking for new files in the WBEM directory, where malware likes to plant itself. Or tweak Tripwire to send email alerts on changes to the WBEM directory. You will need agents deployed on every client you want to manage, but this is no different from AV.
What about Log Management? I mean real log management with alerting on nefarious behavior like 'net use', 'cscript', PsExec, RDP, successful logins, etc., and emailing your admins when their accounts are used successfully, so that logging is actually useful. Don't forget to enable the proper logging on your Windows systems (advanced audit policy) and proper logs and auditing on Unix systems. Yes, you will need storage, but the data you can alert on with a log management or SIEM solution is going to do more with your security budget than AV $$$$.
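To make the watch list above concrete, here is an added example (not from the original post) of the kind of alerting rule a log management or SIEM tool would run: it walks parsed Windows Security events and flags 'net use', cscript and PsExec process launches (event 4688), RDP logons (event 4624, logon type 10) and any successful use of an admin account. The event field names follow the Windows Security log; the admin account list and the sample events are constructed for the example.

```python
"""Alerting pass over parsed Windows Security events (added example)."""
import re

# Admin accounts whose successful use should email the owner (assumed list).
ADMIN_ACCOUNTS = {"CORP\\da_smith", "CORP\\svc_backup"}

# Command-line patterns from the post's watch list (case-insensitive).
SUSPECT_CMDLINE = re.compile(r"\b(net\s+use|cscript(\.exe)?|psexec(\.exe)?)\b", re.I)


def classify(event):
    """Return the list of alert strings raised by one parsed event dict."""
    alerts = []
    eid = event.get("EventID")
    if eid == 4688:  # process creation; needs command-line auditing enabled
        match = SUSPECT_CMDLINE.search(event.get("CommandLine", ""))
        if match:
            alerts.append(f"suspect process on {event['Computer']}: "
                          f"{match.group(0)} by {event['SubjectUserName']}")
    elif eid == 4624:  # successful logon
        who = f"{event.get('TargetDomainName', '')}\\{event.get('TargetUserName', '')}"
        if event.get("LogonType") == 10:  # RemoteInteractive, i.e. RDP
            alerts.append(f"RDP logon to {event['Computer']} by {who} "
                          f"from {event.get('IpAddress', '?')}")
        if who in ADMIN_ACCOUNTS:
            alerts.append(f"ADMIN account used: {who} on {event['Computer']} (email the owner)")
    return alerts


def run(events):
    """Classify every event and return all alerts in order."""
    return [alert for event in events for alert in classify(event)]


SAMPLE_EVENTS = [  # constructed records, not real log data
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jdoe",
     "CommandLine": "net use \\\\FS01\\c$ /user:CORP\\da_smith"},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jdoe",
     "CommandLine": "cscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.vbs"},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jdoe",
     "CommandLine": "C:\\Windows\\System32\\notepad.exe"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 10, "TargetDomainName": "CORP",
     "TargetUserName": "da_smith", "IpAddress": "10.1.2.3"},
    {"EventID": 4624, "Computer": "FS01", "LogonType": 3, "TargetDomainName": "CORP",
     "TargetUserName": "jdoe", "IpAddress": "10.1.2.4"},
]

if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

On the sample data the pass raises four alerts: the 'net use' and cscript launches, the RDP logon, and the admin account use; the notepad launch and the ordinary network logon stay quiet.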
Just read the Verizon DBIR and Trustwave reports and look at the 'Time to Detection after Compromise' figures... If you are not in the 'within an hour' region, you are doing it wrong. This is also referred to as Mean Time to Detection (MTTD). A dumb term, as the mean should not be what you calculate: you are only as good as your maximum time to detection, so the mean is irrelevant.
Spend your security budget on detection items, as "Prevention is DEAD" (you read me right) as a reliable way to protect your ASSets. Just accept you will get p0wned and work towards a detect, respond and eradicate mentality, as Time Based Security suggests. Refine and improve your detection so that you are in the minutes and hours column and laughing the next day at how fast you caught and stopped the malefactors.
And NEVER trust your default security tool installations; they will fail you! Test, test and test again using attack scenarios, and a Pen Test if needed, to prove they do what you expect and paid for. Implement a "Malware Management Framework" and you CAN get a leg up on the ne'er-do-wells.
Robert Lemos Dark Reading article on Dumping AV