May 2012
WP-EN-05-07-12
Introduction
Corporate economic concerns have put increased pressure on already limited IT resources in recent years, as the onslaught of malware and the sophistication of cyber attacks continue to grow at exponential rates. As a result, 50% of endpoint operating costs are directly attributable to malware, 1 yet corporate IT budgets are still focused on maintaining standalone antivirus as the keystone of endpoint security. In this paper, we benchmark the effectiveness of standalone AV and an O/S-resident patching solution against newer technologies and a defense-in-depth approach that layers multiple endpoint security and operational technologies together.
Methodology
Defining the Average Corporate Endpoint
In order to conduct comparative malware testing, a model of the Average Corporate Endpoint was defined. The Average Corporate Endpoint was chosen to be representative of a business-oriented end-user computer in terms of operating system, installed applications, and average IT operational and security practices. A Microsoft Windows 7 Enterprise (64-bit) machine, joined to an Active Directory domain, was chosen as the best representative of an average enterprise desktop endpoint. The Average Corporate Endpoint test (ACE) system was loaded with Microsoft Forefront Endpoint Protection 2010 to represent an average third-party antivirus solution. Forefront was configured to provide maximum protection; this configuration is shown in Figure 1, and archive (.zip, .cab) and removable media scanning were also enabled. When representing the ACE, it is also important to consider the level of patching support in place, since most malware still seeks to exploit known vulnerabilities in existing applications or in the OS. It was assumed that the OS and all Microsoft applications would be fully patched with the current Patch Tuesday update, as patch mechanisms (e.g. Windows Update, WSUS) are widely used to ensure timely patching.
There are numerous studies indicating that patch lags exist, are problematic for smaller organizations, 2 or represent a significant and all too real exposure. 3 Update mechanisms such as Windows Update or WSUS do not natively extend their support to third-party applications, which in reality represent a significant portion of the applications found on any desktop endpoint. For third-party applications, patches were applied; however, it was assumed that these applications might suffer from patch lag. To represent the real-world exposure of average corporate desktops, a maximum patch lag of 3 months was chosen. The assumptions made about patch currency may indeed be optimistic, as there are numerous examples of exploits that used aged vulnerabilities for which a patch had long been available (e.g. Conficker). 4 The Average Corporate Endpoint software is summarized in the tables below.
2. Derek E. Brink, To Patch or Not to Patch (Not If, But How), Aberdeen Group, October 2011.
3. Derek E. Brink, Is Your Vulnerability Management Program Leaving You at Risk (Most Likely, Yes), Aberdeen Group, June 2011.
4. http://en.wikipedia.org/wiki/Conficker
Application Software        Version at Time of Test
Mozilla Firefox             Patch lagged
Google Chrome               Patch lagged
Google Chrome               Patch lagged
Adobe Flash Player          Patch lagged
Adobe Acrobat Reader        Patch lagged
Adobe Shockwave Player      Patch lagged
Apple QuickTime             Patch Up-to-date (Latest patch older than 3 months)
Java Runtime Environment    Patch lagged
Real Network RealPlayer     Patch Up-to-date (Latest patch older than 3 months)
Table 2: Average Endpoint Software - 3rd Party Applications
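The three-month patch-lag assumption behind Table 2 can be made concrete as a small model. The Python below is an added example written for this page, not code from the paper or from Lumension. It assumes "3 months" means 90 days and uses constructed, hypothetical product names and release dates. Given each application's vendor release history and the test date, it works out which version the Average Corporate Endpoint would be running, assigns the status label used in Table 2, and reports how many days the oldest unapplied fix has been public, which is the exposure window a defender actually cares about.

```python
"""Model of the paper's patch-lag assumption for third-party applications.

Assumed model (not the paper's own code): on the test date, every vendor
release older than the maximum lag (3 months, taken here as 90 days) has been
applied; anything newer is still pending, so the endpoint is "Patch lagged".
"""
from dataclasses import dataclass
from datetime import date, timedelta

MAX_PATCH_LAG = timedelta(days=90)  # assumption: "3 months" modelled as 90 days
TEST_DATE = date(2012, 5, 1)        # constructed test date for the demo run

# Status labels as used in Table 2
LAGGED = "Patch lagged"
UP_TO_DATE = "Patch Up-to-date (Latest patch older than 3 months)"


@dataclass(frozen=True)
class Release:
    version: str
    released: date


# Constructed release histories for illustration only (hypothetical product
# names, versions and dates; not the software used in the paper's test).
RELEASE_HISTORY = {
    "Example Browser": [
        Release("10.0", date(2012, 1, 31)),
        Release("11.0", date(2012, 3, 13)),
        Release("12.0", date(2012, 4, 24)),
    ],
    "Example Media Player": [
        Release("7.7", date(2011, 8, 3)),
        Release("7.7.1", date(2011, 10, 26)),
    ],
    "Example Runtime": [
        Release("6u30", date(2011, 12, 13)),
        Release("6u31", date(2012, 2, 14)),
    ],
}


def model_endpoint(history, test_date, max_lag=MAX_PATCH_LAG):
    """Return the modelled state of one application on test_date.

    The result holds the installed version, the Table 2 status label, the
    versions still pending on the endpoint, and the number of days the oldest
    unapplied fix has been publicly available (0 when up to date).
    """
    cutoff = test_date - max_lag
    applied = [r for r in history if r.released <= cutoff]
    pending = sorted((r for r in history if r.released > cutoff),
                     key=lambda r: r.released)
    # Newest release that falls inside the "already applied" window
    installed = max(applied, key=lambda r: r.released) if applied else None
    exposure_days = (test_date - pending[0].released).days if pending else 0
    return {
        "installed": installed.version if installed else None,
        "status": LAGGED if pending else UP_TO_DATE,
        "pending": [r.version for r in pending],
        "exposure_days": exposure_days,
    }


def endpoint_table(histories, test_date, max_lag=MAX_PATCH_LAG):
    """Build a Table 2-style summary (one row per application)."""
    return {name: model_endpoint(hist, test_date, max_lag)
            for name, hist in histories.items()}


if __name__ == "__main__":
    for name, row in endpoint_table(RELEASE_HISTORY, TEST_DATE).items():
        print(f"{name:22} {row['installed'] or '-':8} {row['status']}"
              f"  pending={row['pending']} exposure={row['exposure_days']}d")
```

With the constructed data and a test date of 1 May 2012 the cutoff is 1 February 2012, so the browser runs 10.0 with two fixes pending and a 49-day exposure window, the runtime is one release behind, and the media player is up to date only because its vendor shipped nothing in the last 90 days. Shortening `max_lag` shows how much of the "up to date" column depends on the lag assumption rather than on the endpoint itself.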
5. Frost and Sullivan, Cybersecurity Market: Malware Historical Growth Patterns and Future Projections, Global, 2009-2015.
[Figure: chart with axes Number of Samples and Test Day]
The multi-faceted security approach of the L.E.M.S.S. test system proved highly successful throughout the life of the test. The Lumension Endpoint Management and Security Suite, which supplied Intelligent Whitelisting as well as Patch and Remediation, blocked all malware execution attempts. Though some recent commentary has suggested shortcomings of defense-in-depth strategies in the world of software, 7 these findings support the traditional view that a layered security approach affords the best protection. 8 The aggregate malware testing results are illustrated in Figure 3.
7. Prescott E. Small, Defense in Depth: An Impractical Strategy for a Cyber World, November 2011.
8. Steve Ragan, RSAC 2012: Malware growth and why layered security is still king, March 2012, http://www.thetechherald.com/articles/RSAC2012-Malware-growth-and-why-layered-security-is-still-king
[Figure: chart with axes Number of Samples and Test Day]
The overall malware blocking effectiveness is shown in Figure 4. It clearly illustrates the growing ineffectiveness of antivirus used in a standalone manner versus a more robust approach that combines more effective security technologies, such as application whitelisting, with other solutions such as robust patch management and antivirus.
[Figure: chart with axes Blocking Percentage and Test Day]
[Figure: chart with Deployment Year on the horizontal axis]
Figure 6: Enterprise TCO vs. Malware Prevalence
Conclusion
It is clear that the de facto security standard for malware prevention employed in the Average Corporate Endpoint, traditional antivirus coupled with native patching services, carries significant risk along with increased cost of operations across an enterprise endpoint environment. The Pareto Principle attributes 80% of effects to 20% of causes. If this principle applies to malware prevention, then the 20% exposure to malware that remains with traditional antivirus may represent a corporate loss risk four times greater than that which is being protected against. Certainly no security solution is perfect; however, even economically challenged IT operations may be better served by considering a defense-in-depth approach when securing their corporate endpoints.
Lumension, IT Secured. Success Optimized., and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.
Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255 USA phone: +1.480.970.1025 fax: +1.480.970.6323
www.lumension.com