Antivirus is the last line of defence against malware and yet most organisations still rely on a defunct technology for their protection – signatures. In this blog post I’m going to explain why AV signatures aren’t fit for purpose and what the new alternative is (hint: Cylance).
Signatures – The background
The premise of AV signatures is that by recognising a file as malicious one time, we can apply this recognition to future files, or parts of files and provide protection without false positives. This works great when the following conditions apply:
- Files have been seen before in a way that can be recognised from a signature
- Signatures are available to the endpoint immediately
- The endpoint’s signature updates are current
However, when these conditions aren’t met, things start to fall apart very quickly.
The bad and the ugly
The current wave of high profile malware is ransomware, such as the Locky virus, which encrypts your data on local machines and network drives and offers a decryption tool for a fee. The devastation this kind of outbreak can cause a victim organisation is massive, with both economic and political ramifications. Nobody wants to lose their data, but nobody wants to pay the ransom.
One of the reasons ransomware is spreading so easily is the poor detection rate by signature based AV products due to the “zero-day” nature of the way each piece of malware is crafted. According to Verizon’s 2015 Data Breach Report, “70 to 90% of malware samples are unique to an organization.” Malware is being “packed” or crafted in such a way that it appears new and unique to AV products and therefore unmatched against their databases of signatures, and thus allowed to be opened (a false negative). In reality, pretty much no malware is completely unique, it’s just its appearance that makes it seem new. Whilst zero-day malware is a real problem for most AV vendors, a lot of malware still gets detected correctly and the signatures do their job.
But crucially, we’re relying on the signatures, and not the AV product.
Let me elaborate on this point. We can think of AV products as two components, the scanning software and the signature database. The software is only as good as the database of signatures that feeds the scanning engine. But whilst the scanning software is statically resident on the endpoint machine, the signatures need constant updating in a never-ending arms race of finding zero-days, creating signatures and then downloading them to the endpoint.
The time delay between the vendor first detecting the zero-day and the endpoint being updated is everything.
The Real World
Every signature based vendor (McAfee, Symantec, etc…) will extol the virtues of the speed of their signature turnaround time, which is great, but ask any Security Operations Manager about AV signature updates and they’ll highlight the massive elephant in the room (that no AV vendor wants to discuss) – the machines that haven’t got round to updating their signatures yet. In the ideal world that vendors like to live in, all endpoint machines are always connected to the Internet or their corporate HQ and update their signatures frequently as prescribed, meaning that the whole organisation is up-to-date at all times. THIS NEVER HAPPENS! In every organisation, the Security ops team will tell you that a large percentage of endpoints are up-to-date but there are always some that for various reasons are still on older versions, whether it be a connectivity issue, an endpoint machine problem or some reason unknown.
The result is that however good your signatures are, and however fast your vendor has created them and got them to your endpoints, there will still be machines vulnerable to newer pieces of malware. By way of a real example, an organisation I know fell victim to the Locky virus last week despite their up-to-date McAfee Antivirus products detecting and blocking it. Unfortunately a small number of endpoints had a DAT file that was over a week old and hadn’t picked up the signature database version that would have blocked the malware. As a result, the data residing on a number of endpoint machines and connected network drives was all encrypted and held to ransom by the attackers. In this case, this mature organisation maintained up-to-date backups and was able to wipe clean the affected drives and restore the data. Few would have this option. The post mortem can look to address why there were endpoints with out-of-date signatures, but trying to completely prevent this in the future is pretty much impossible. Endpoints are mobile, connectivity is variable and things just go wrong.
When relying on AV signatures, we have to assume that some endpoints will not be protected by the latest version. It’s just how the real world works.
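To make the "some endpoints are always behind" problem concrete, here is an added example (not code from the original post or from any AV vendor) that models a signature database by version, a fleet of endpoints with differing installed DAT versions, and the two checks a security ops team would actually run: which endpoints cannot yet recognise a given sample, and which endpoints have DATs older than a week. All sample bytes, hostnames, versions and dates are constructed for illustration.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample contents: these stand in for files, not real malware.
SAMPLE_A = b"constructed sample A - stands in for an old, well-known dropper"
SAMPLE_B = b"constructed sample B - stands in for this week's ransomware"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed signature database: file hash -> DAT version that introduced it.
SIGNATURES = {
    sha256(SAMPLE_A): 8101,  # published long ago
    sha256(SAMPLE_B): 8120,  # published in this week's DAT
}

# Constructed endpoint inventory: hostname -> (installed DAT version, last update).
ENDPOINTS = {
    "laptop-01":  (8120, date(2016, 3, 14)),
    "desktop-07": (8120, date(2016, 3, 14)),
    "laptop-12":  (8112, date(2016, 3, 5)),   # stale: over a week old
    "kiosk-03":   (8098, date(2016, 2, 20)),  # stale: weeks old
}

def detects(dat_version: int, data: bytes) -> bool:
    """A signature scan as the endpoint engine sees it: the sample is caught only
    if its signature exists AND was published no later than the installed DAT."""
    introduced = SIGNATURES.get(sha256(data))
    return introduced is not None and dat_version >= introduced

def exposed_endpoints(data: bytes) -> list:
    """Hostnames whose installed DAT cannot yet recognise this sample."""
    return sorted(host for host, (ver, _) in ENDPOINTS.items()
                  if not detects(ver, data))

def stale_endpoints(today: date, max_age_days: int = 7) -> list:
    """Hostnames whose last DAT update is older than the allowed age."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(host for host, (_, last) in ENDPOINTS.items() if last < cutoff)

if __name__ == "__main__":
    print("cannot detect sample B:", exposed_endpoints(SAMPLE_B))
    print("stale DATs:", stale_endpoints(date(2016, 3, 15)))
```

A never-before-seen file is missed on every endpoint regardless of DAT age, which is the zero-day false negative described earlier; the stale-DAT report is the monitoring that the signature approach forces you to run continuously.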
Cylance is the Answer
If you want to believe that signatures are the way forward then the only answer is to continually monitor every endpoint in your organisation to ensure its signatures are up-to-date and remediate in real time. The alternative approach is to not update anything. If you could deploy an Antivirus product once and then forget about it and never have to update it, that would be great. Until now it’s not been possible, but then Cylance came along…
Cylance Protect is a Next-Generation Antivirus product that doesn’t use signatures or heuristics or isolation or sandboxes. Cylance uses a mathematical engine that resides on the endpoint that detects malware based on years of machine learning. The result is that it “just knows” when something is malware. And as a result it doesn’t need regular updates and the engine today will detect malware that is built in the future. Whilst this sounds like complete nonsense, the analogy I like to give is that you know what a cow looks like. If I show you a picture of a cow you know it’s a cow. But how? It’s from years of seeing cow pictures you’re able to recognise other cows, even if you’ve never seen that exact cow before. Your learning process allows you to accurately detect something. And Cylance’s years of machine learning have allowed them to launch a truly unique product that doesn’t suffer from the shortcomings of signature based AV products.
Ultimately we all have two choices:
- Continue with the outdated approach of using AV signatures and enjoy the cost of malware outbreaks and the fun of re-imaging machines, restoring backups or paying ransoms.
- Use a truly Next-Generation AV product and enjoy the Silence/Cylance of not hearing about malware problems again.
If you want to know more about Cylance, see a demo, test it with some of your own malware or challenge any of its claims then please get in touch!