Organizations that use classic signature-based anti-virus (AV) software as their sole protection against infection ought to know that combating malware today requires far more sophisticated weaponry than it did several years ago. Experts recommend a multilayer defense in which traditional AV software built on virus definitions is only the first layer. What has changed over the last five years is that malware authors have become much better at hiding their code, thanks to the advent of polymorphic encoders.
Previously, a malware sample was a fixed sequence of bytes that could be identified by a static signature matching its unique appearance. Polymorphic encoders let attackers encrypt the malicious payload with a different key for each copy, so every release looks entirely different on disk even though it decrypts to the same code once it runs.
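To make the point concrete, here is an added illustration that is not from the article or any vendor's product: a toy polymorphic build in Python. The "payload", the decoder stub and the XOR scheme are constructed placeholders standing in for real packer output, and the signature is an assumed string written against the plaintext body. Each build draws a fresh key, so the SHA-256 of every copy differs and a signature on the body never matches, while a scanner that emulates the decoder (as a sandbox or emulation engine does) still sees the same payload every time.

```python
"""Added example (not from the article): why a byte signature on the payload
body stops matching once a polymorphic encoder re-keys each copy.

The payload, decoder stub and signature below are constructed stand-ins,
not real malware; repeating-key XOR stands in for a real packer's cipher.
"""
import hashlib
import os
from typing import Optional, Tuple

# Constructed stand-ins: a fixed "payload", a fixed decoder stub, and a
# signature a vendor might have written against the plaintext body.
PAYLOAD = b"PAYLOAD: connect-back beacon, persist via run key, fetch stage two"
DECODER_STUB = b"STUB:xor-decode-and-jump:"   # kept constant here for clarity
SIGNATURE = b"persist via run key"
KEY_LEN = 8


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call decodes because XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample(key: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Produce one 'release': decoder stub + key + encoded payload.

    A fresh random key per build is what makes every copy look different.
    Returns (sample, key) so a caller can reproduce the build.
    """
    key = key or os.urandom(KEY_LEN)
    return DECODER_STUB + key + xor_encode(PAYLOAD, key), key


def emulate_decode(sample: bytes) -> bytes:
    """Do what an emulator or sandbox does: execute the stub's logic and
    recover the body, instead of looking at the encrypted bytes on disk."""
    if not sample.startswith(DECODER_STUB):
        raise ValueError("not one of our constructed samples")
    body = sample[len(DECODER_STUB):]
    key, encoded = body[:KEY_LEN], body[KEY_LEN:]
    return xor_encode(encoded, key)


def static_signature_hit(sample: bytes) -> bool:
    """Naive scanner: look for the body signature in the bytes as shipped."""
    return SIGNATURE in sample


def stub_signature_hit(sample: bytes) -> bool:
    """Signature on the decoder stub: works here only because this toy keeps
    the stub constant; real engines mutate the stub as well."""
    return DECODER_STUB in sample


def post_decode_hit(sample: bytes) -> bool:
    """Signature applied after emulating the decoder."""
    return SIGNATURE in emulate_decode(sample)


def compare_releases(n: int = 5) -> dict:
    """Build n releases and count how each detection approach fares."""
    samples = [build_sample()[0] for _ in range(n)]
    return {
        "distinct_hashes": len({hashlib.sha256(s).hexdigest() for s in samples}),
        "static_hits": sum(static_signature_hit(s) for s in samples),
        "stub_hits": sum(stub_signature_hit(s) for s in samples),
        "post_decode_hits": sum(post_decode_hit(s) for s in samples),
    }


if __name__ == "__main__":
    print(compare_releases(5))
```

Running it reports five distinct hashes, zero static hits, and five hits after decoding. The constant stub is the weak spot of this toy: a real polymorphic engine rewrites the decoder as well (register renaming, junk instructions, reordered blocks), which is why vendors moved toward emulation, sandboxing and behavioral analysis rather than chasing stub signatures.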
“The various security software vendors—the McAfees, the Symantecs, the Kasperskys—have worked very hard to try and keep up,” says Eric Hanselman, chief analyst at Manhattan-based 451 Research LLC. “And, in fact, they have begun to come up with reasonable alternatives to their previous signature-based AVs.”
Legacy signature software remains very effective against older attacks on operating systems such as the still-popular Windows XP, adds Hanselman, but two newer kinds of analysis are recommended against more sophisticated malware:
- Behavioral analysis. Malware today is so packed, wrapped, and otherwise obfuscated that signature analysis is almost useless. Signature analysis also requires a "patient zero," a computer or network that has become infected before the disease can be analyzed. Behavioral analysis attempts to recognize malicious code by what it does or might do. The downside is the risk of false positives.
- Sandbox analysis. Protection software quarantines the suspected code in a protected environment on the hard drive or in memory before "detonating" it to determine the nature of the code.
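As an added example (not from the article or any product), the following Python shows the shape of a behavioral verdict: a sandbox detonates a sample, records what it does, and a scorer weighs the observed actions. The event records, image paths, rule weights and thresholds are all constructed for illustration. Two traces are included: a macro document that spawns PowerShell, drops and runs a file from the user's Temp folder, sets a Run key and deletes its dropper; and a benign installer that also writes a Run key and cleans up its own extracted copy. The second trace lands in the "suspicious" band, which is the false-positive risk the article mentions.

```python
"""Added example, not from the article: a toy behavioral scorer of the kind a
sandbox or endpoint agent applies to what a sample *does*. Event records,
image paths, rule weights and thresholds are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Event:
    image: str    # full path of the process performing the action
    kind: str     # proc_create | file_write | reg_write | net_connect | file_delete
    target: str   # child image path, file path, registry key, or host:port


def base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


def office_spawns_shell(t: List[Event]) -> bool:
    return any(e.kind == "proc_create" and base(e.image) in OFFICE
               and base(e.target) in SHELLS for e in t)


def run_key_persistence(t: List[Event]) -> bool:
    return any(e.kind == "reg_write" and e.target.lower().startswith(RUN_KEY)
               for e in t)


def exec_from_temp_after_write(t: List[Event]) -> bool:
    """A file dropped under \\Temp\\ is later launched: download-and-run."""
    written = set()
    for e in t:  # trace order matters: the write must precede the launch
        if e.kind == "file_write" and "\\temp\\" in e.target.lower():
            written.add(e.target.lower())
        elif e.kind == "proc_create" and e.target.lower() in written:
            return True
    return False


def self_delete(t: List[Event]) -> bool:
    images = {base(e.image) for e in t}
    return any(e.kind == "file_delete" and base(e.target) in images for e in t)


# (rule name, weight, predicate). Weights and thresholds are assumptions.
RULES: List[Tuple[str, int, Callable[[List[Event]], bool]]] = [
    ("office_spawns_shell", 4, office_spawns_shell),
    ("exec_from_temp_after_write", 3, exec_from_temp_after_write),
    ("run_key_persistence", 2, run_key_persistence),
    ("self_delete", 2, self_delete),
]
MALICIOUS, SUSPICIOUS = 6, 3


def score_trace(t: List[Event]) -> Tuple[int, str, List[str]]:
    """Return (score, verdict, matched rule names) for one detonation trace."""
    matched = [name for name, _, pred in RULES if pred(t)]
    score = sum(w for name, w, _ in RULES if name in matched)
    verdict = ("malicious" if score >= MALICIOUS
               else "suspicious" if score >= SUSPICIOUS else "benign")
    return score, verdict, matched


# Constructed traces (not captured from real samples).
TMP = r"C:\Users\alice\AppData\Local\Temp"
WORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"

MACRO_DOC = [
    Event(WORD, "proc_create", PS),
    Event(PS, "net_connect", "203.0.113.10:443"),
    Event(PS, "file_write", TMP + r"\upd.exe"),
    Event(PS, "proc_create", TMP + r"\upd.exe"),
    Event(TMP + r"\upd.exe", "reg_write", RUN + r"\Updater"),
    Event(TMP + r"\upd.exe", "file_delete", TMP + r"\upd.exe"),
]

SETUP = TMP + r"\vendor_setup\setup.exe"
INSTALLER = [
    Event(SETUP, "file_write", r"C:\Program Files\Vendor\app.exe"),
    Event(SETUP, "reg_write", RUN + r"\VendorUpdater"),
    Event(SETUP, "proc_create", r"C:\Program Files\Vendor\app.exe"),
    Event(SETUP, "net_connect", "updates.vendor.example:443"),
    Event(SETUP, "file_delete", SETUP),   # cleans up its own extracted copy
]

if __name__ == "__main__":
    for name, trace in (("macro_doc", MACRO_DOC), ("installer", INSTALLER)):
        print(name, score_trace(trace))
```

The macro trace scores 11 ("malicious") on four rules; the installer scores 4 ("suspicious") on persistence and self-deletion alone. That gray band is where behavioral products spend their tuning effort: raising the threshold hides real droppers, lowering it floods analysts with installers and updaters, which is exactly the false-positive trade-off described above.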
“People are giving up on prevention,” says Hanselman. “By far, the majority of new developments in anti-malware products are about detection—either detecting something that just happened or detecting what might happen,” he says.
Indeed, experts are recommending a multilayer approach to security based on a company’s specific needs and Internet usage habits. “For example, a manufacturer with only a few computers that have Internet access needs one level of protection compared with, say, a company with a lax Internet security policy where employees are permitted to surf the Web or where they bring in their own devices and plug them into the network,” says Ron Culler, CTO and executive vice president at Greensboro, N.C.-based Secure Designs Inc., a managed Internet security service provider. “A good solution provider should be asking questions about a client’s usage to understand how it can adapt technology to protect that client’s business. IT doesn’t do a client any good if it doesn’t work for that client’s specific needs.”
Culler’s best advice to channel pros is to:
- Do your research. Talk to the vendors that provide protection software and know what products are available and how they function.
- Test, test, test. Many vendors provide not-for-sale or fully functional evaluation versions of their products for you to test and evaluate their functionality and features. Don’t rely on vendors’ sales pitches. You need to furnish your clients with the best IT resources and information that you can. To do that, you have to be educated.
- Teach your customers. They need to know that there’s no longer one product that does everything. They also must feel comfortable that you are up to speed on the security products and that your advice is targeted for their environment.
“That becomes a consultative approach that prompts a customer to stay with you because they trust what you’re saying,” says Culler.
“Remember that while you may understand that the security posture has changed, your customers may still believe their anti-virus software covers what they need it to cover,” he stresses. “To add value, you need to convince them otherwise.”