Is AV Dead Or Just Missing in Action? Rajesh Nikam Quick Heal Technologies Ltd. December, 2016

Upload: quick-heal-technologies-ltd

Post on 19-Jan-2017

108 views

Category:

Software


1 download

TRANSCRIPT

Page 1: Is Antivirus (AV) Dead or Just Missing in Action

Is AV Dead Or Just Missing in Action?

Rajesh Nikam, Quick Heal Technologies Ltd.

December, 2016

Page 2

Agenda

1. Traditional AV vs Next-Gen Security Products
2. Busting Security Myths
3. VirusTotal & Next-Gen AVs
4. Comparison of Next-Gen Security Products
5. Conclusion

Page 3

Is AV Dead?

Page 4

Page 5

Traditional AV vs Next-Gen Security Products

Traditional AV
• Signature based, blacklisting & reactive approach
• Latency between samples reported, analysis and release of signature for detection
• Complex samples using detection evasion mechanisms
• Ineffective against exploits targeting vulnerabilities in
  • Adobe, Microsoft Office file formats
  • Operating Systems, Web Browsers
  • Java and other applications
• Fileless malware attacks

Threat landscape & computer security are ever evolving

Page 6

Next-Gen Security Products

Big change in approach to how threats are detected
• Endpoints are acting as sensors
• No longer dependent on signature based approach
• Threat Intelligence – indicators of compromise, context aware
• Ideally no latency in getting protection to all users
• Products at perimeter of enterprises
  • scanning web traffic, email messages

Traditional AV vs Next-Gen Security Products

Page 7

Busting Security Myths

Page 8

Busting Security Myths

Diagram labels: Threat Intelligence, Machine Learning, Sandbox, Behavior Based, Signature Based

Myths addressed:
• Traditional AV is just signature based
• Machine Learning solves all problems
• Malware behavior does not change
• Sandbox cure for all Advanced Threats
• (Next-Gen) Threat Intelligence

Page 9

Myth#1 Machine Learning solves all problems

• Building models based on training sets and anomalies
• Effectiveness depends on accurate feature engineering
  • needs strong domain expertise
• Needs tuning of models for changing threats
  • challenge in scaling models to a large number of samples
• False Positives vs False Negatives
• Efficacy against advanced threats
  • specific, targeted and unknown samples
• Garbage In Garbage Out (GIGO)
• Best Next-Gen AVs with machine learning engines

Page 10

Myth#2 Malware behavior does not change

• Execution on real systems or sandbox
  • to identify malicious behavior
• Behavior common with clean applications
  • execution from temp folder, autorun entries, self-delete, copy to multiple locations, launch browser etc.
  • need to minimize false positives with reputation and whitelisting
• Malware behavior is ever changing
  • e.g. evolution of ransomware
• Adware, PUAs are hard to detect with behavior

Page 11

Myth#3 Sandbox cure for all Advanced Threats

• Email, Network sandboxing
• Sandbox analysis is performed based on
  • known malicious traffic – netblocks, domains, snort rules
  • static analysis – yara rules & analysis scripts
  • known malicious behavior – pattern matching
• Sandbox evasion techniques
  • detect presence of sandboxes
  • delay payload execution until user interaction
  • check for signs of a real system
• Ineffective against targeted malware
  • which runs only on specific system configurations

Page 12

Myth#4 Traditional AV is just signature based

Not just signature based detections
• algorithmic & emulator based detections
• heuristic based detections
• machine learning based detections
• cloud based detections

Endpoint Protection Systems have
• behavior based detections
• anti-exploit detections
• firewall, IDS/IPS
• web security

AV-Certification methodologies have changed

Page 13

Myth#5 (Next-Gen) Threat Intelligence

Legacy, signature-based intelligence feeds: avoid the hype!
• indicators of compromise
  • domains, urls, ipv4, ipv6, hashes
• block malicious scripts based on patterns
  • to prevalent exploit kits
• threat intelligence community
  • aggregation of threat intel subscriptions gives best results
  • hourly updates – still leave a window for compromise
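As an added example (not from the slides), the following Python models the last two points: merging indicators from several feeds and the window left by hourly updates. Feed names, indicator values and event timestamps are all constructed.

```python
# Added example, not from the slides: merge two hypothetical IoC feeds, then check
# constructed events against them and flag hits that landed inside the window
# between an IoC's publication and the next hourly feed pull.
import ipaddress
from datetime import datetime, timedelta

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M")

def norm(kind, value):
    """Canonicalise an indicator so the same IoC from two feeds compares equal."""
    if kind in ("ipv4", "ipv6"):
        return str(ipaddress.ip_address(value))  # e.g. compressed IPv6 form
    return value.strip().lower().rstrip(".")    # domains and hex hashes: case-insensitive

# Constructed feeds: (kind, value, published-at). Feed names are hypothetical.
FEED_A = [("domain", "Bad-Updates.example.", "2016-10-05T09:10"),
          ("ipv6", "2001:db8:0:0:0:0:0:5", "2016-10-05T09:10")]
FEED_B = [("domain", "bad-updates.example", "2016-10-05T08:40"),
          ("sha256", "DEADBEEF" * 8, "2016-10-05T11:00")]

def aggregate(*feeds):
    """Union of (name, feed) pairs keyed by canonical IoC; keeps the earliest
    publish time and every source that carried the indicator."""
    merged = {}
    for name, feed in feeds:
        for kind, value, published in feed:
            key = (kind, norm(kind, value))
            entry = merged.setdefault(key, {"published": parse_ts(published), "sources": set()})
            entry["published"] = min(entry["published"], parse_ts(published))
            entry["sources"].add(name)
    return merged

# Constructed endpoint/proxy events: (observed-at, kind, value).
EVENTS = [("2016-10-05T09:30", "domain", "bad-updates.example"),
          ("2016-10-05T12:00", "ipv6", "2001:db8::5"),
          ("2016-10-05T11:20", "sha256", "deadbeef" * 8),
          ("2016-10-05T11:20", "domain", "updates.example")]

def match(events, iocs, refresh=timedelta(hours=1)):
    """Return (ioc, sources, in_window) per hit. in_window is True when the event
    happened before the refresh that would first have delivered the indicator."""
    hits = []
    for observed, kind, value in events:
        ioc = iocs.get((kind, norm(kind, value)))
        if ioc is not None:
            delivered_at = ioc["published"] + refresh
            hits.append((norm(kind, value), sorted(ioc["sources"]), parse_ts(observed) < delivered_at))
    return hits
```

Calling `match(EVENTS, aggregate(("feed_a", FEED_A), ("feed_b", FEED_B)))` shows that two of the three true hits predate the hourly pull that would have carried the indicator, even though merging the feeds already picked the earlier publication time.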

Page 14

VirusTotal & Next-Gen AVs

Page 15

Maintaining a healthy community:“all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services.”

VirusTotal should not be used to generate comparative metrics between different antivirus products. Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment.

VirusTotal & Next-Gen AVs

Page 16

NG-AV 1 - The Industry’s Best Machine Learning Next-Gen AV
NG-AV 2 - machine learning engine designed to identify previously unknown malware
MD5: feb93aaab2357f00c23b06b7a6cab4c9

VirusTotal & Next-Gen AVs

Page 17

Comparison of Next-Gen Security Products

Page 18

Comparison of Next-Gen Security Products

Source: AV-Comparatives - Malware Protection and False Alarm Test, Oct 2016

Page 19

Comparison of Next-Gen Security Products

Source: MRG Effitas - Exploit Test, Oct 2016

Page 20

Comparison of Next-Gen Security Products

AV-Comparatives: first public comparative Next-Gen Security test report
• number of vendors refused to participate
• some products only provide logging rather than protecting
• protection features are deactivated by default
• may not be available as trial version
• do not sell to testing labs

Page 21

Endpoint Protection - Layered Security Approach

Layers shown in the diagram:
• Threat Intelligence
• Email Protection
• Web Security
• Firewall / IPS
• Anti-Virus / Anti-Malware
• Behavior Based Protection
• Anti-Exploit
• Patch Management
• Application Control
• Data Protection

Page 22

Just Missing in Action?

Having the right expectations from anti-malware products
• ransomware & data protection
• mobile devices, IoTs

Malware-less attacks
• using legitimate remote administration applications

Page 23

"ain't a horse that can't be rode, ain't a man that can't be throwed"

Page 24

Defense against insider threats?

Walking cyber security threats

Theory of convenience

And the world needs to pay a high price!

Page 25

Conclusion

• Security Products have multiple detection mechanisms
• Threat-centric security technologies
• Approach to security needs to be constantly evolved
• No silver bullet to solve all cyber security issues
• Go beyond the Next-Gen hype!

Page 26

Any Questions?

Thank You!

Call us at: 1800-121-7377
Write to us at: [email protected]
Visit us: www.quickheal.com