Antivirus Detection Rates – Undetected Attacks Are Still Attacks

I came across an article in The Business Times this morning that contained a quote that caught my eye.  The article was called “Singapore a growing platform for cyber attacks on region” which talked about the growing number of cyber attacks originating in Singapore.  In the article there was a definition attributed to Symantec:

“By Symantec’s definition, an attack denotes any malicious activity carried out over a network that has been detected by a firewall, intrusion detection or prevention systems.”

Obviously, the word that stuck out in this definition was “detected”.  Why?  Because I have news for you – malicious activity that goes undetected is also an attack.  In fact, I would say that undetected attacks would be placed in a higher tier of the definition, because Rule One of criminal behavior is Don’t Get Caught.  Attacks that would fall under the characterization of an Advanced Persistent Threat are engineered to evade detection and are very much an attack.

(This reminds me of one of my favorite movie scenes.  In Stripes, Harold Ramis and Bill Murray are sitting in the Army recruitment office and the recruiter asks them if they have “ever been convicted of a felony?”.  Bill Murray’s response: “Convicted?”.)

In fairness to Symantec, I am not sure if this quote from the article was paraphrased or misquoted, and I am not out to pick on Symantec.  What I do want to point out is a huge flaw in how the industry measures malicious activity.  Let me explain.

Both AV software vendors and internal security groups often report on what was detected.  Makes sense, right?  If you could count undetected attacks, they would by definition become detected attacks.  But according to the Symantec Internet Security Threat Report: “Symantec created 2,895,802 new malicious code signatures in 2009, a 71 percent increase over 2008”.  It therefore makes sense that the number of detected attacks would go up proportionately with the number of identified signatures.  An organization could be doing a worse job year over year detecting attacks, but its raw volume of detected attacks would still go up, giving a perception of success.

Executives look at the bulk score and are mollified that the organization is protected.  But if the number of attacks grew by 71%, the number of attacks detected by the organization had better track that same 71% or the organization is losing ground.  If you think it through, even that 71% may be deceiving, because what Symantec and the other AV vendors don’t tell you is how long your organization was exposed between when the attack was first introduced and when they finally detected it and wrote a signature.  It could have been six hours, but it could have also been six months.

In short, gauging success from bulk detection numbers is a quick way to obfuscate the real risk to any organization.  But if you are selling a shield that has known flaws, it is a great way to use the steadily growing malware volume to present either software or organizational effectiveness in a successful light.
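The two checks argued for above (did detections keep pace with the growth of the signature base, and how long was each attack resident before it was detected) are easy to run over a team's own numbers. The following is an added example written for this post, not code from the original post or from Triumfant; every figure in it is constructed for illustration and is not Symantec's or anyone else's reported data.

```python
"""Normalising bulk detection counts and measuring exposure windows.

Added example, not from the original post. Two checks a security team can
run over its own figures:
  (1) did detections grow at least as fast as the signature base, and
  (2) how long was each attack resident on an endpoint before it was
      detected (the exposure window the post describes).
All numbers below are constructed for illustration.
"""
from datetime import date
from statistics import median


def growth(prev, curr):
    """Fractional growth from prev to curr (0.71 means +71%)."""
    return (curr - prev) / prev


def detection_trend(signatures, detections):
    """signatures / detections: {year: count}.

    For each consecutive pair of years, report signature growth, detection
    growth, and whether detections failed to keep pace with the signature
    base. A rising detection count with losing_ground=True is exactly the
    "perception of success" the post warns about.
    """
    years = sorted(signatures)
    rows = []
    for prev, curr in zip(years, years[1:]):
        sig_g = growth(signatures[prev], signatures[curr])
        det_g = growth(detections[prev], detections[curr])
        rows.append({
            "year": curr,
            "signature_growth": round(sig_g, 3),
            "detection_growth": round(det_g, 3),
            "losing_ground": det_g < sig_g,
        })
    return rows


def exposure_windows(incidents):
    """incidents: list of dicts with 'first_seen' (date the artifact first
    appeared on an endpoint, e.g. from file timestamps or change records)
    and 'detected' (date the AV first flagged it).

    Returns per-incident exposure in days plus summary statistics, so the
    report shows dwell time instead of only a detection count.
    """
    days = [(i["detected"] - i["first_seen"]).days for i in incidents]
    return {
        "days": days,
        "median": median(days),
        "max": max(days),
        "over_30_days": sum(d > 30 for d in days),
    }


# Constructed figures: the signature base grows 71%, detections grow only 30%.
SIGNATURES = {2008: 1_000_000, 2009: 1_710_000}
DETECTIONS = {2008: 4_000, 2009: 5_200}

# Constructed incidents: one caught the same day, one resident for six months.
INCIDENTS = [
    {"first_seen": date(2009, 3, 1), "detected": date(2009, 3, 1)},
    {"first_seen": date(2009, 1, 10), "detected": date(2009, 7, 10)},
    {"first_seen": date(2009, 5, 1), "detected": date(2009, 5, 15)},
]

if __name__ == "__main__":
    for row in detection_trend(SIGNATURES, DETECTIONS):
        print(row)
    print(exposure_windows(INCIDENTS))
```

The trend row for the constructed data shows detections up 30% while the signature base grew 71%, so the count rose and the organization still lost ground; the exposure summary shows a median of two weeks but a worst case of 181 days, which a bare detection count would never reveal.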

Because Triumfant uses change detection to identify malicious attacks, we have always been open about our ability to see attacks that are resident prior to our installation.  That being said, we inevitably see anomalies that are artifacts of attacks that have passed through the organization’s shields soon after we are installed.  Once installed, we can readily detect what does make it through the organization’s shields or attacks being done by maliciously intended insiders.  It is eye opening to the organization just how many attacks have and are getting through.

Don’t let yourself be lulled to sleep by bulk detection rate numbers.  A lot of attacks are getting through, so counting detected attacks is potentially a false gauge of success.

Why Bad Things Happen to Good Endpoints

I was with a prospect the other day and was asked what, at least for me, was a very thought provoking question.  We were discussing the two major areas of application for Triumfant – continuous enforcement of security configurations and real-time malware detection and remediation – and he asked why you would need the latter if the former was done properly.  In other words, if all of my endpoint protections are in place and everything is properly configured, why am I still getting attacked?

Simple and logical question, right?  But it led me to think long and hard about why attacks happen at a very elemental level.  We in security face this question from the powers that be because they cannot understand that attacks still come even though we have added multiple layers of defense.

After consideration I came up with three reasons.  For perspective, my reasons are very much endpoint centric and presume the attacks have already made their way through protections on the network level, so this is not a cloud to ground holistic view.  Each reason is based on the assumption that the preceding reason(s) have been fully addressed and the represented gap is closed – each reason stands on its own as a problem.  And I will resist the urge to plug in how Triumfant addresses each gap, but I have noted blog entries that do if you care to read on.

Here are my three reasons:

  1. Attacks get through because the machines and the protection software deployed to protect them are not configured to be secure.  The analogy is simple: the most well designed and secure deadbolt lock only secures a door when the deadbolt is engaged.  Too frequently, endpoint protection tools are either improperly installed or improperly configured to perform the tasks for which they are intended, so attacks make it through.  For how Triumfant addresses the configuration management gap see “A New Approach to Configuration Management”.
  2. Attacks get through because traditional endpoint protection tools miss known attacks even when there is a signature for that attack and the protection is properly configured.  The failure rate depends on whose statistics you choose to use, but Gartner puts the detection failure rate at two to ten percent while other studies show failure rates exceeding fifty percent.  Given there will be well over 5M signatures by the end of 2009, ten percent is non-trivial.  See “Antivirus Detection Rates – It is Clear You Need a Plan B”.
  3. Attacks get through because they have been carefully designed and engineered to evade traditional endpoint protections.  These include zero day attacks, rootkits, targeted attacks and the work of the maliciously intended insider.  Zero day attacks are more generic in nature and trade on the fact that most tools require prior knowledge to detect an attack.  Targeted attacks are designed to specifically infiltrate networks and applications to retrieve sensitive information or financial data.  See “It is Raining and You Will Get Wet”.

I am not saying this is groundbreaking thinking here, but if you put things into this perspective, it clearly defines the gaps in protection and subsequently provides a roadmap of what must be done to protect your endpoints.  Reducing the attack surface is clearly not enough.  Antivirus is not getting it done – even the AV vendors say so.  And the bad guys are relentless in their pursuit to exploit any crack in the defenses. 

So what do you think? Too simple or simply brilliant?

It is Raining and You Will Get Wet

Ever walk down the street on a rainy day?  You can have the best umbrella in the world and you will still get wet.  When I get asked the question “why do I need Triumfant when I have other defensive software?” the answer is found in that rainy walk – because you will still get wet.   Malicious stuff will get through your defensive shields and when it does you need something that will address these problems on your endpoint machines. 
Notice that I am not looking to convince you I have a better umbrella, because we never portray Triumfant as a shield.  Nor am I telling you to throw away your existing umbrella, because we never position Triumfant as a replacement for antivirus software, nor do we claim that having Triumfant means you no longer need AV.

But you do need to recognize it is raining and you will get wet.  I have touched on the proof points separately at times but I have never laid them end to end until now.  So here they are:

  • It rains harder every day.  Symantec reported in their Global Internet Security Threat Report, 2009 that there were 1.6M new malware instances in 2008, exceeding the 1M counted as the number of attacks for all previous years combined.  Both McAfee and Symantec show that this 1.6M number was passed sometime mid-summer for 2009.  If you graph the numbers you will see that they increase geometrically.  For example, McAfee saw twice as many attacks in the second half of 2008 as in the first half of that same year.
  • It is raining sideways more than ever. McAfee Avert Labs noted in a recent blog post that they see 6,000 new malware instances per day that pass through their signatures, generic filters and heuristics.  Extrapolating this number for the entire year would get you to over 2M attacks that pass through the traditional protections.
  • The rain comes from a different direction every second. An August 13 article in SC Magazine notes a study that found that cyber criminals are now designing malware to last 24 hours before becoming inactive.  The study noted that 52 percent spread for just 24 hours, 19 percent last for two days, and 9 percent persist for three days.  Malware designers produce hundreds of unique samples that carry the malicious payload to evade detection.  Essentially, by the time the malware is detected, analyzed and a signature created, the cyber criminals have long since moved on.
  • The rain is straining the capacity of your umbrella. A recent White Paper called the Cyber Intelligence Report, August 2009 by Cyveillance provided average daily detection rates for the period of 5/12/09 through 06/10/09.  Cyveillance fed active attacks consisting of confirmed malicious files they had detected from the Web into 13 of the top antivirus solutions and tracked the detection rates.  The results are, to say the least, eye opening, as the average detection rate reported was roughly 30 percent.

It is raining hard and relentlessly on your endpoints and sometimes it is coming down sideways.  But it is not just the traditional attack vectors that you must address in the fight for endpoint protection.  There are increasingly nasty rootkits that evade traditional defenses.  There are polymorphic attacks with rotating binaries that automatically morph themselves to never look the same way on any two machines.  There are new classes of attacks like drive-by SQL injections and registry based attacks.  There is the work of the maliciously intended insider who either directly corrupts the machine or alters its defenses so it can be corrupted by outside influences.  There are new ways to subvert software assurance and the software supply chain to embed malicious code in what is thought to be trusted software.  And as always, there is the most nefarious problem of them all – the carbon based life form installing peer-to-peer software, using Facebook, and going to Jessica Biel picture sites.  It is not just raining sideways, sometimes it must feel like it is raining up!

What is clear is that bad things will get past the traditional defenses to the endpoint, and it is time to consider what will protect your organization when that happens.  That is where we come in – we see the malicious attacks that make it to your endpoints: the stuff that falls through the other defenses, the zero day attacks, the newest variations of existing attacks, and all of the attacks that come through exotic vectors that defensive endpoint security software may not yet address.  We build a normative whitelist of your environment and can tell you if something is installing that does not exist anywhere else in your environment.

And once we detect it, we can also remediate it.  The context provided by our patented analytics enables Resolution Manager to see all of the changes to a machine that are part of the attack, making our solution uniquely able to build a remediation to address the entire scope of the attack and restore the machine to its pre-attack condition.  BTW, that context I speak of is what really sets us apart – for example it allows us to beat the false positive problem – so you may want to look at the associated post.

Folks, it is raining, and don’t look for the rain to quit or even subside because it gets worse by the day.  And you will get wet.  That is the value of Triumfant – we are that last line of defense when you do.

Detecting the Work of the Maliciously Intended Insider

The recent arrest of a retired State Department worker and his wife accused of spying for Cuba for 30 years brings into focus one of the other great capabilities of Triumfant’s technology.  Because Triumfant can see all of the changes on an endpoint machine as well as the work done to cover up those changes, Triumfant Resolution Manager is uniquely capable of detecting the work of the maliciously intended insider. 

In this case, as well as in the case of others like Robert Hanssen, the methods for transferring information were very “old school” and did not represent a deep grasp of technology.  Walter Kendall Myers and his wife, Gwendolyn Steingraber Myers, often relayed information to their Cuban handlers by exchanging shopping carts at the grocery store, and Robert Hanssen was arrested after leaving a package under a wooden footbridge in a Northern Virginia park.  Such techniques do not lead one to believe either party was terribly computer savvy, but they raise the question of how much damage would have been done had they had cyber expertise.  It also, unfortunately, raises the question of what activity is potentially being done by those with cyber expertise that is going undetected.

Maliciously intended insiders are a real threat to organizations because the majority of defensive software and endpoint protection is created to prevent intrusions from outside the organizational walls and based on previous knowledge of the attack.  But malicious insiders work from a position of trust and introduce the human factor that normally takes their work outside of the paths of known attacks.  They may directly pull information from confidential or sensitive sources and directly funnel that information out.  Or they may place maliciously intended programs on machines such as key loggers to collect information.  Or they may make subtle changes to machines to make them vulnerable to the eventual installation of malware.

The common factor in this activity is change.  The maliciously intended insider must make changes, even subtle ones, to an endpoint machine to perform their activity.  Triumfant can of course detect change, as well as detect the attempts to cover up the evidence of change.  The fact is, there is almost no way (not that anyone can tell us, anyway) of making changes to a machine without us being able to see those changes.  And because the work of the insider would change an endpoint machine into a state that would be anomalous in comparison to other machines, Triumfant would not only detect the change, but would flag it as a problem and then do the analysis to look for other changes that it could logically associate with the detected change to provide a complete picture of the activity. 
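Both the "normative whitelist" idea from the earlier post (flag what is installing on one machine but exists nowhere else in the environment) and the insider argument just made (every insider action changes the endpoint, and the change is anomalous relative to the rest of the fleet) reduce to the same two steps: diff each host against its own baseline, then score each change by how many other hosts share it, and finally pull in the other changes on that host that landed at about the same time. The following is an added example written for this post to show that logic end to end; it is not Triumfant's code, makes no claim about how Resolution Manager works internally, and uses constructed snapshots, hashes, paths and timestamps throughout (the threshold, the correlation window and the artifact format are all assumptions).

```python
"""Fleet-wide change detection against a normative whitelist.

Added example, not Triumfant's code. Each host contributes a snapshot:
{"taken": datetime, "artifacts": {path: (content_hash, change_time)}}.
A host's baseline is simply its previous snapshot. A (path, hash) pair is
"normal" when at least MIN_PREVALENCE hosts carry it; a pair that appears
on fewer hosts, or a pair removed from one host while the rest of the
fleet still has it, is anomalous. All data below is constructed.
"""
from collections import Counter
from datetime import datetime, timedelta

MIN_PREVALENCE = 2                          # assumed threshold
CORRELATION_WINDOW = timedelta(minutes=10)  # assumed window for related changes
EMPTY = {"taken": datetime.min, "artifacts": {}}


def diff_snapshot(baseline, current):
    """Return one host's changes as (kind, path, hash, time) tuples."""
    base, cur = baseline["artifacts"], current["artifacts"]
    changes = []
    for path, (digest, ts) in cur.items():
        if path not in base:
            changes.append(("added", path, digest, ts))
        elif base[path][0] != digest:
            changes.append(("modified", path, digest, ts))
    for path, (digest, _) in base.items():
        if path not in cur:
            # removal time is unknown; attribute it to the snapshot that noticed it
            changes.append(("removed", path, digest, current["taken"]))
    return changes


def fleet_prevalence(snapshots):
    """Count on how many hosts each (path, hash) pair currently exists."""
    counts = Counter()
    for snap in snapshots.values():
        for path, (digest, _) in snap["artifacts"].items():
            counts[(path, digest)] += 1
    return counts


def is_anomalous(change, prevalence):
    kind, path, digest, _ = change
    n = prevalence[(path, digest)]
    if kind == "removed":
        return n >= MIN_PREVALENCE   # gone here, still standard elsewhere
    return n < MIN_PREVALENCE        # present here, (almost) nowhere else


def correlate(changes, seeds):
    """Seeds plus every other change on the host within the window of a seed."""
    incident = list(seeds)
    for c in changes:
        if c not in incident and any(abs(c[3] - s[3]) <= CORRELATION_WINDOW for s in seeds):
            incident.append(c)
    return sorted(incident, key=lambda c: c[3])


def find_anomalies(baselines, snapshots):
    """{host: {"anomalies": [...], "incident": [...]}} for hosts with anomalies."""
    prevalence = fleet_prevalence(snapshots)
    report = {}
    for host, snap in snapshots.items():
        changes = diff_snapshot(baselines.get(host, EMPTY), snap)
        anomalies = [c for c in changes if is_anomalous(c, prevalence)]
        if anomalies:
            report[host] = {"anomalies": anomalies,
                            "incident": correlate(changes, anomalies)}
    return report


# ---- constructed fleet ------------------------------------------------------
T0 = datetime(2009, 9, 1, 8, 0)
FLEET = ["ws-01", "ws-02", "ws-03", "ws-04"]
CRYPT = r"C:\Windows\System32\crypt32.dll"
ENGINE = r"C:\Program Files\AV\engine.dll"
DROP = r"C:\Users\Public\svchost.exe"
RUNKEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\updater"


def constructed_baselines():
    common = {CRYPT: ("h-crypt32-v1", T0 - timedelta(days=30)),
              ENGINE: ("h-engine-v7", T0 - timedelta(days=10))}
    return {h: {"taken": T0 - timedelta(days=1), "artifacts": dict(common)} for h in FLEET}


def constructed_snapshots():
    snaps = {}
    for h in FLEET:
        arts = {CRYPT: ("h-crypt32-v2", T0 + timedelta(hours=1)),   # patch rolled fleet-wide
                ENGINE: ("h-engine-v7", T0 - timedelta(days=10))}
        snaps[h] = {"taken": T0 + timedelta(hours=6), "artifacts": arts}
    # ws-03 only: a dropped binary and a persistence entry three minutes apart
    snaps["ws-03"]["artifacts"][DROP] = ("h-unique-dropper", T0 + timedelta(hours=2))
    snaps["ws-03"]["artifacts"][RUNKEY] = ("h-unique-runkey", T0 + timedelta(hours=2, minutes=3))
    # ws-02 only: the AV engine is gone while every other host still has it
    del snaps["ws-02"]["artifacts"][ENGINE]
    return snaps


if __name__ == "__main__":
    for host, r in find_anomalies(constructed_baselines(), constructed_snapshots()).items():
        print(host, r)
```

On the constructed fleet the crypt32.dll change is seen on all four hosts and is therefore normal, the two unique artifacts on ws-03 are flagged and grouped into one incident because they landed within the window, and the missing AV engine on ws-02 is flagged because the other three hosts still carry it; ws-01 and ws-04 produce nothing.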

Only a tool with the depth and breadth of scan scope and the ability to quickly identify changes can perform these functions, which narrows the list of tools that fit that requirement to one: Triumfant.  We talk a lot about the ability of Triumfant to see the malicious attacks that other signature based tools miss, and we have also discussed the ability of Triumfant to protect the endpoint environment from acts of ignorance and incompetence by continuously enforcing security policies and configurations.  But the protection of your company or government agency from threats on the inside is also a critical functionality that Triumfant brings to the table.  I would also add that the President’s new cyber czar needs to ensure that this topic is front and center as he or she begins to address the issues in the White House Cyberspace Policy Review.