
Closing the Antivirus Protection Gap

A comparative study on effective endpoint protection strategies

May 2012
WP-EN-05-07-12


Introduction
Corporate economic concerns have put increased pressure on already limited IT resources in recent years, while the onslaught of malware and the sophistication of cyber attacks continue to grow at exponential rates. As a result, 50% of endpoint operating costs are directly attributable to malware [1], yet corporate IT budgets are still focused on maintaining standalone antivirus as the keystone of endpoint security. In this paper, we benchmark the effectiveness of standalone AV plus the OS-resident patching solution against newer technologies and a defense-in-depth approach that layers multiple endpoint security and operational technologies together.

Methodology
Defining the Average Corporate Endpoint
In order to conduct comparative malware testing, a model of the Average Corporate Endpoint was defined. The Average Corporate Endpoint was chosen to be representative of a business-oriented end-user computer in terms of operating system, installed applications, and average IT operational and security practices. A Microsoft Windows 7 Enterprise (64-bit) machine, part of an Active Directory domain, was chosen as the best representative of an average enterprise desktop endpoint. The Average Corporate Endpoint test (ACE) system was loaded with Microsoft Forefront Endpoint Protection 2010 to represent an average third-party antivirus solution. Forefront was configured to provide maximum protection. This configuration is shown in Figure 1; archive (.zip, .cab) and removable media scanning were also enabled. When trying to represent the ACE, it is also of value to consider the level of patching support in place, as most malware still seeks to exploit known vulnerabilities within existing applications or within the OS. It was assumed that the OS and all Microsoft applications would be fully patched with the current Patch Tuesday update available, as patch mechanisms (e.g. Windows Update, WSUS) are widely used to ensure timely patching.

1. Ponemon Institute, 2011 State of Endpoint Risk, December 2010


Figure 1: Forefront Configuration

There are numerous studies indicating that patch lags exist, are problematic for smaller organizations [2], or represent a significant and all too real exposure [3]. Update mechanisms such as Windows Update or WSUS do not natively extend their support to third-party applications, which in reality represent a significant portion of the applications found on any desktop endpoint. For third-party applications, patches were applied; however, it was assumed that these applications might suffer from patch lag. To represent the real-world exposure of average corporate desktops, a maximum patch lag of 3 months was chosen. The assumptions made about patching currency may indeed be optimistic, as there are numerous examples of exploits that utilized aged vulnerabilities for which a patch had long been available (e.g. Conficker) [4]. The Average Corporate Endpoint software is summarized in the tables below.

2. Derek E. Brink, To Patch or Not to Patch (Not If, But How), October 2011, Aberdeen Group
3. Derek E. Brink, Is Your Vulnerability Management Program Leaving You at Risk (Most Likely, Yes), June 2011, Aberdeen Group
4. http://en.wikipedia.org/wiki/Conficker


Microsoft Application Software                  Version at Time of Test
Microsoft Forefront Endpoint Protection 2010    Up-to-date with current signatures
Microsoft Office 2007                           Up-to-date
Microsoft Internet Explorer 9                   Up-to-date

Table 1: Average Endpoint Software - Microsoft Applications

Application Software            Version at Time of Test
Mozilla Firefox                 Patch lagged
Google Chrome                   Patch lagged
Google Chrome                   Patch lagged
Adobe Flash Player              Patch lagged
Adobe Acrobat Reader            Patch lagged
Adobe Shockwave Player          Patch lagged
Apple QuickTime                 Patch up-to-date (latest patch older than 3 months)
Java Runtime Environment        Patch lagged
Real Networks RealPlayer        Patch up-to-date (latest patch older than 3 months)

Table 2: Average Endpoint Software - 3rd Party Applications

Intelligent Whitelisting and Timely Patch Management


To explore the malware prevention efficacy of technologies beyond standard antivirus and Microsoft patching, an additional test configuration was defined. The well-known exponential growth of novel malware [5] represents a very real challenge for antivirus, which must continue to incorporate the ever-increasing known bad (malware signatures). Heuristics, site blocking and faster malware identification (often provided through cloud-based signatures and/or reputation) are some of the techniques vendors have introduced to keep up with malware growth and decrease infection rates. Alternatively, application whitelisting aims to allow only the known good applications. This trades the problem of tracking an explosively growing amount of malware for the more pragmatic management of a limited number of desired applications.

5. Frost and Sullivan, Cybersecurity Market: Malware Historical Growth Patterns and Future Projections, Global, 2009-2015

The comparative system, known as the Lumension Endpoint Management and Security Suite or L.E.M.S.S., incorporates application whitelisting through the Lumension Intelligent Whitelisting Solution, which is an integrated solution across Lumension Antivirus, Lumension Application Control and Lumension Patch Management. This test system was configured utilizing the Easy Lockdown process, which takes an automated "snapshot" of an endpoint; the snapshot is then used to create an application whitelist and begin enforcement of whitelist policies. With the addition of Lumension Patch Management, vulnerability coverage was then extended to the third-party applications resident on the ACE. Microsoft Forefront is not present on the L.E.M.S.S. test system, nor is the Microsoft (WSUS) update agent utilized in this test configuration.
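The snapshot-then-enforce whitelisting model described above (and in the preceding section), as an added illustration that is not Lumension's code and says nothing about how Intelligent Whitelisting is actually implemented. It assumes a hash-based allowlist built from a clean image and a `demo()` walk-through on a constructed temporary directory; the tampered-library case shows why a legitimate patch must also update the whitelist, which is the reason the paper pairs whitelisting with patch management.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Set

EXECUTABLE_SUFFIXES = (".exe", ".dll")  # assumption: what the snapshot treats as executable

def sha256_of(path: Path) -> str:
    """Content hash of one file, streamed so large binaries do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def snapshot(root: Path, suffixes: Iterable[str] = EXECUTABLE_SUFFIXES) -> Set[str]:
    """'Lockdown' step: hash every executable on the (assumed clean) endpoint image."""
    return {sha256_of(p) for p in root.rglob("*")
            if p.is_file() and p.suffix.lower() in tuple(suffixes)}

def allowed(allowlist: Set[str], path: Path) -> bool:
    """Enforcement step: a binary may run only if its current hash was in the snapshot.
    Anything new (a dropper) or modified (a tampered library, or a legitimate patch
    applied without updating the allowlist) is denied by default."""
    return path.is_file() and sha256_of(path) in allowlist

def demo() -> Dict[str, bool]:
    """Constructed scenario: lock down a two-file image, then three execution requests."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp) / "app"
        app.mkdir()
        (app / "office.exe").write_bytes(b"trusted office binary")      # constructed content
        (app / "helper.dll").write_bytes(b"trusted helper library")     # constructed content
        allowlist = snapshot(Path(tmp))

        # Post-lockdown changes: an unknown binary arrives and the library is altered.
        (app / "update.exe").write_bytes(b"unknown payload")            # constructed content
        (app / "helper.dll").write_bytes(b"trusted helper library v2")  # constructed content

        return {
            "office.exe": allowed(allowlist, app / "office.exe"),  # unchanged: runs
            "update.exe": allowed(allowlist, app / "update.exe"),  # not in snapshot: blocked
            "helper.dll": allowed(allowlist, app / "helper.dll"),  # hash changed: blocked
        }

if __name__ == "__main__":
    print(demo())
```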

Real World Malware


It was decided that the most effective comparison would use real malware, found in the wild, in order to best represent the growing reality of zero-day threats. To facilitate this effort, Lumension contracted with an independent malware research organization [6] with expertise in malware attack vectors. Over a seven-day period, more than 2100 individual samples were collected in the wild and directed against each of the configured test systems. The malware test set included trojans, backdoors, PUAs, ransomware, viruses, rootkits and worms. The Average Corporate Endpoint, utilizing only Microsoft Forefront Endpoint Protection 2010 and the Windows Update Agent, was found to be highly vulnerable to a significant amount of malware, allowing download and execution of 23% of the malware introduced each day. A minimum of 300 malware samples were tested each day against this configuration, and the number of daily misses is shown in Figure 2. As antivirus signatures are updated frequently, the test methodology did allow time for the antivirus technology to utilize updated signatures. To measure this, any sample that executed previously (missed on the previous day) was retested on the current day. The number of samples caught on subsequent testing varied from 5 to 40 samples, with an average delay of just over 2 days for the signature to catch up with the malware. The cumulative number of missed samples remained significant at the conclusion of a week's testing, with 19.2% of malware successfully executing on the Average Corporate Endpoint.
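The per-day, cumulative and signature catch-up metrics described above, computed over a constructed three-day record as an added example; this is not the test harness MRG Effitas or Lumension used, and the record layout (sample label, day first introduced, day first blocked) is an assumption about how such a retest log would be kept. The three functions correspond to the series plotted in Figures 2, 3 and 4.

```python
from dataclasses import dataclass
from statistics import mean
from typing import List, Optional

@dataclass(frozen=True)
class Sample:
    """One in-the-wild sample as a retest log would record it (assumed layout)."""
    label: str                 # constructed label, not a real hash or indicator
    first_day: int             # test day the sample was first directed at the endpoint
    caught_day: Optional[int]  # first day it was blocked; None if it executed every day

def missed_on(s: Sample, day: int) -> bool:
    """True if the sample had been introduced by `day` and still executed on that day."""
    return s.first_day <= day and (s.caught_day is None or s.caught_day > day)

def daily_new_missed(samples: List[Sample], days: int) -> List[int]:
    """Figure 2 series: samples that executed on the day they were first introduced."""
    return [sum(1 for s in samples if s.first_day == d and missed_on(s, d))
            for d in range(1, days + 1)]

def cumulative_missed(samples: List[Sample], day: int) -> int:
    """Figure 3 series: every sample introduced so far that is still unblocked on `day`.
    A sample caught on a later retest drops out of the count from that day on."""
    return sum(1 for s in samples if missed_on(s, day))

def blocking_effectiveness(samples: List[Sample], day: int) -> float:
    """Figure 4 series: fraction of the samples introduced so far that are blocked on `day`."""
    introduced = sum(1 for s in samples if s.first_day <= day)
    return 1.0 if introduced == 0 else 1.0 - cumulative_missed(samples, day) / introduced

def mean_signature_delay(samples: List[Sample]) -> float:
    """Average days between a sample first executing and a later signature catching it."""
    delays = [s.caught_day - s.first_day for s in samples
              if s.caught_day is not None and s.caught_day > s.first_day]
    return mean(delays) if delays else 0.0

# Constructed three-day run of eight samples (the real test used 300+ per day).
SAMPLES = [
    Sample("s1", 1, 1), Sample("s2", 1, None), Sample("s3", 1, 3),
    Sample("s4", 2, 2), Sample("s5", 2, 3),    Sample("s6", 2, None),
    Sample("s7", 3, 3), Sample("s8", 3, None),
]

if __name__ == "__main__":
    for day in range(1, 4):
        print(day, cumulative_missed(SAMPLES, day),
              round(blocking_effectiveness(SAMPLES, day), 3))
```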

6. MRG (Malware Research Group) Effitas http://malwareresearchgroup.com/

Figure 2: Daily Malware Samples Missed (chart "New Malware Samples Missed Per Day"; x-axis: Test Day, y-axis: Number of Samples)

The multi-faceted security approach of the L.E.M.S.S. test proved to be highly successful throughout the life of the test. The Lumension Endpoint Management and Security Suite, which supplied Intelligent Whitelisting as well as Patch and Remediation, blocked all malware execution attempts. Though some recent analysis has suggested shortcomings of defense-in-depth strategies in the world of software [7], these findings support the traditional view that a layered security approach affords the best protection [8]. The aggregate malware testing results are illustrated in Figure 3.

7. Prescott E. Small, Defense in Depth: An Impractical Strategy for a Cyber World, November 2011
8. Steve Ragan, RSAC 2012: Malware growth and why layered security is still king, March 2012, http://www.thetechherald.com/articles/RSAC2012-Malware-growth-and-why-layered-security-is-still-king

Figure 3: Daily Malware Samples Missed (chart "Cumulative Malware Samples Missed"; x-axis: Test Day, y-axis: Number of Samples)

The overall malware blocking effectiveness is shown in Figure 4. This clearly illustrates the growing ineffectiveness of antivirus when used in a standalone manner vs. a more robust approach that utilizes more effective security technologies such as application whitelisting combined with other solutions such as robust patch management and antivirus.

Figure 4: Daily Malware Samples Missed (chart "Cumulative Malware Blocking Effectiveness"; x-axis: Test Day, y-axis: Blocking Percentage)

Potential TCO Benefits


Malware may have a dramatic detrimental impact on an organization, originating from loss of private customer data, corporate intellectual property and reputation. Quantifying the economic loss to the enterprise stemming from a significant breach of corporate defenses is difficult, as the repercussions of reputation damage are long-lasting. Malware's more mundane but not insignificant fiscal effects include the loss of employee productivity and increased help desk costs. Lumension has developed a True Cost of Malware Calculator [9] to help organizations understand these all too real costs. The calculator allows for customization of a large number of parameters, which allows a realistic, organization-specific model to be developed. Figure 5 below shows the representative output modeling a 1000-endpoint enterprise.

Figure 5: TCO Calculator 1000 Endpoint Deployment

9. http://www.lumension.com/Resources/Value-Calculators/Cost-of-Malware-Calculator.aspx

The TCO benefit from simply reducing the number of malware incidents and the endpoint reimaging needed to recover from severe malware infections is significant. For example, a 1000-node enterprise where the monthly malware incidents are reduced from 40 to 10 may realize an impressive reduction of over 31% in overall TCO.

Figure 6: Enterprise TCO vs. Malware Prevalence (chart "Comparative Total Cost of Ownership, 1000 Endpoint Enterprise"; x-axis: Deployment Year, y-axis: Total Cost of Ownership (USD))

Conclusion
It is clear that the de facto security standard for malware prevention employed in the Average Corporate Endpoint, traditional antivirus coupled with native patching services, delivers significant risk along with increased cost of operations across an enterprise endpoint environment. The Pareto Principle associates 80% of effects to 20% of causes. If this principle applies to malware prevention, then the 20% exposure to malware which exists with traditional antivirus may represent a corporate loss risk four times greater than that which is being protected. Certainly no security solution is perfect; however, even economically challenged IT operations may be better served by considering a defense-in-depth approach when it comes to securing their corporate endpoints.

About Lumension Security, Inc.


Lumension Security, Inc., a global leader in endpoint management and security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, Antivirus and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Texas, Florida, Washington D.C., Ireland, Luxembourg, Singapore, the United Kingdom, and Australia. Lumension: IT Secured. Success Optimized. More information can be found at www.lumension.com.

Lumension, IT Secured. Success Optimized., and the Lumension logo are trademarks or registered trademarks of Lumension Security, Inc. All other trademarks are the property of their respective owners.

Global Headquarters 8660 East Hartford Drive, Suite 300 Scottsdale, AZ 85255 USA phone: +1.480.970.1025 fax: +1.480.970.6323

www.lumension.com
Vulnerability Management | Endpoint Protection | Data Protection | Compliance and IT Risk Management