![Page 1: Is Antivirus (AV) Dead or Just Missing in Action](https://reader036.vdocument.in/reader036/viewer/2022070514/5880cb281a28abba3b8b73b3/html5/thumbnails/1.jpg)
Is AV Dead Or Just Missing in Action?
Rajesh Nikam, Quick Heal Technologies Ltd.
December, 2016
Agenda
1. Traditional AV vs Next-Gen Security Products
2. Busting Security Myths
3. VirusTotal & Next-Gen AVs
4. Comparison of Next-Gen Security Products
5. Conclusion
Is AV Dead?
Traditional AV vs Next-Gen Security Products
Traditional AV
• Signature based, blacklisting & reactive approach
• Latency between a sample being reported, its analysis, and the release of a signature for detection
• Complex samples using detection evasion mechanisms
• Ineffective against exploits targeting vulnerabilities in
  • Adobe, Microsoft Office file formats
  • Operating Systems, Web Browsers
  • Java and other applications
• Fileless malware attacks
Threat landscape & Computer Security is ever evolving
Traditional AV vs Next-Gen Security Products
Next-Gen Security Products
Big change in approach to how threats are detected
• Endpoints are acting as sensors
• No longer dependent on signature based approach
• Threat Intelligence – indicators of compromise, context aware
• Ideally no latency in getting protection to all users
• Products at perimeter of enterprises
  • scanning web traffic, email messages
Busting Security Myths
Busting Security Myths
Detection technologies shown in the slide diagram: Threat Intelligence, Machine Learning, Sandbox, Behavior Based, Signature Based
Myths covered:
Traditional AV is just signature based
Machine Learning solves all problems
Malware behavior does not change
Sandbox cure for all Advanced Threats
(Next-Gen) Threat Intelligence
Myth#1 Machine Learning solves all problems
• Building models based on training sets and anomalies
• Effectiveness depends on accurate feature engineering
  • needs strong domain expertise
• Needs tuning of models for changing threats
  • challenge in scaling models to a large number of samples
• False Positives vs False Negatives
• Efficacy against advanced threats
  • specific, targeted and unknown samples
• Garbage In Garbage Out (GIGO)
• Best Next-Gen AVs with machine learning engines
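To make the false-positive versus false-negative trade-off concrete, here is an added Python example (not from the presentation) that scores a constructed hold-out set at several decision thresholds. The sample names, model scores and labels are invented, including a "targeted implant" whose features the model has never been trained on and which therefore gets a low score.

```python
# Added example (not from the presentation): how a malware classifier's
# decision threshold trades false positives against false negatives.
# All sample names, scores and labels below are constructed for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    name: str
    score: float      # model's "maliciousness" score in [0, 1]
    malicious: bool   # ground-truth label from the hold-out set


# Constructed hold-out set: clean software that looks "malware-like" (packers,
# remote administration), commodity malware, and one targeted sample whose
# features the training set never contained.
HOLDOUT = [
    Sample("office-suite-installer", 0.05, False),
    Sample("system-backup-tool", 0.35, False),
    Sample("packed-game-launcher", 0.62, False),   # packer resembles malware packing
    Sample("remote-admin-agent", 0.58, False),     # legitimate remote administration tool
    Sample("commodity-trojan-a", 0.97, True),
    Sample("commodity-trojan-b", 0.88, True),
    Sample("ransomware-variant", 0.71, True),
    Sample("targeted-implant", 0.22, True),        # unknown to the training set
]


def confusion_matrix(samples, threshold):
    """Return (TP, FP, TN, FN) when every score >= threshold is called malicious."""
    tp = fp = tn = fn = 0
    for s in samples:
        flagged = s.score >= threshold
        if flagged and s.malicious:
            tp += 1
        elif flagged and not s.malicious:
            fp += 1
        elif not flagged and s.malicious:
            fn += 1
        else:
            tn += 1
    return tp, fp, tn, fn


def rates(samples, threshold):
    """Detection rate (true-positive rate) and false-positive rate for a threshold."""
    tp, fp, tn, fn = confusion_matrix(samples, threshold)
    tpr = tp / (tp + fn) if (tp + fn) else 0.0
    fpr = fp / (fp + tn) if (fp + tn) else 0.0
    return tpr, fpr


def sweep(samples, thresholds):
    """Tabulate the trade-off: lowering the threshold raises both TPR and FPR."""
    return [(t, *rates(samples, t)) for t in thresholds]


if __name__ == "__main__":
    for t, tpr, fpr in sweep(HOLDOUT, (0.9, 0.7, 0.5, 0.2)):
        print(f"threshold={t:.1f}  detection={tpr:.0%}  false_positives={fpr:.0%}")
```

At 0.7 the model catches the three commodity samples with no false positives; the only threshold that also catches the targeted implant (0.2) flags three of the four clean programs, which is the "specific, targeted and unknown samples" problem in numbers.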
Myth#2 Malware behavior does not change
• Execution on real systems or in a sandbox
  • to identify malicious behavior
• Behaviors common with clean applications
  • execution from temp folder, autorun entries, self-delete, copy to multiple locations, launch browser etc.
  • need to minimize false positives with reputation and whitelisting
• Malware behavior is ever changing
  • e.g. evolution of ransomware
• Adware, PUAs are hard to detect with behavior
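The overlap between installer behaviour and dropper behaviour, and why reputation and whitelisting are needed to keep the false positives down, as an added Python example (not from the presentation or from Quick Heal's products). The behaviour names, their weights, the two thresholds, the whitelist entries and the prevalence cut-off are all constructed assumptions.

```python
# Added example (not from the presentation): scoring observed process
# behaviour and using reputation/whitelisting to keep false positives down.
# Behaviour names, weights, thresholds and the sample observations are
# constructed for illustration.

# Behaviours the slide names as shared between malware and clean software,
# each with a constructed weight.  No single behaviour is conclusive.
BEHAVIOUR_WEIGHTS = {
    "exec_from_temp": 2,           # started from the user's temp folder
    "autorun_entry": 3,            # persistence via an autorun entry
    "self_delete": 3,              # removes its own executable after running
    "copy_multiple_locations": 2,  # drops copies of itself around the disk
    "launch_browser": 1,           # opens a browser (installers and adware alike)
}
SUSPICIOUS_AT = 5   # constructed: hold the process for review at this score
MALICIOUS_AT = 8    # constructed: block outright at this score

# Constructed reputation data: SHA-256 of known-good binaries, and publishers
# whose valid code-signing certificate is trusted.
WHITELISTED_SHA256 = {"11" * 32}          # placeholder hash, not a real file
TRUSTED_PUBLISHERS = {"Example Software Ltd."}
COMMON_PREVALENCE = 1000  # constructed: endpoints reporting a file before it counts as common


def behaviour_score(events):
    """Sum the weights of the distinct behaviours observed for one process."""
    return sum(BEHAVIOUR_WEIGHTS.get(event, 0) for event in set(events))


def verdict(events, sha256=None, signer=None, prevalence=0):
    """Combine behaviour with reputation.

    A whitelisted hash or a trusted signer short-circuits to 'clean'.  A file
    already seen on many endpoints has its behaviour score halved, because
    widespread software that behaves like an installer usually is one.
    """
    if sha256 in WHITELISTED_SHA256 or signer in TRUSTED_PUBLISHERS:
        return "clean"
    score = behaviour_score(events)
    if prevalence >= COMMON_PREVALENCE:
        score //= 2
    if score >= MALICIOUS_AT:
        return "malicious"
    if score >= SUSPICIOUS_AT:
        return "suspicious"
    return "clean"


# Constructed observations: a legitimate installer and a dropper look alike
# on behaviour alone; only reputation separates them.  The adware sample shows
# the other failure: a PUA that does nothing a behaviour engine would score.
INSTALLER_EVENTS = ["exec_from_temp", "autorun_entry", "copy_multiple_locations", "launch_browser"]
DROPPER_EVENTS = ["exec_from_temp", "autorun_entry", "copy_multiple_locations", "self_delete"]
ADWARE_EVENTS = ["launch_browser", "launch_browser"]

if __name__ == "__main__":
    print("installer, no reputation: ", verdict(INSTALLER_EVENTS))                                   # malicious (false positive)
    print("installer, trusted signer:", verdict(INSTALLER_EVENTS, signer="Example Software Ltd."))  # clean
    print("installer, common file:   ", verdict(INSTALLER_EVENTS, prevalence=5000))                  # clean
    print("dropper:                  ", verdict(DROPPER_EVENTS))                                     # malicious
    print("adware:                   ", verdict(ADWARE_EVENTS))                                      # clean (missed)
```

On behaviour alone the installer scores 8 and would be blocked, exactly the false positive the slide warns about; a trusted signer or high prevalence brings it back to clean, while the dropper, which has no reputation, stays blocked. The adware sample scores 1 and passes, which is the "hard to detect with behavior" point.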
Myth#3 Sandbox cure for all Advanced Threats
• Email, Network sandboxing
• Sandbox analysis is performed based on
  • known malicious traffic – netblocks, domains, snort rules
  • static analysis – yara rules & analysis scripts
  • known malicious behavior – pattern matching
• Sandbox evasion techniques
  • detect presence of sandboxes
  • delay payload execution until user interaction
  • check for signs of a real system
• Ineffective against targeted malware
  • which runs only on specific system configurations
Myth#4 Traditional AV is just signature based
Not just signature based detections
• algorithmic & emulator based detections
• heuristic based detections
• machine learning based detections
• cloud based detections
Endpoint Protection Systems have
• behavior based detections
• anti-exploit detections
• firewall, IDS/IPS
• web security
AV-Certification methodologies have changed
Myth#5 (Next-Gen) Threat Intelligence
Avoid the hype!
Legacy, signature-based intelligence feeds
• indicators of compromise
  • domains, urls, ipv4, ipv6, hashes
• block malicious scripts based on patterns
  • to prevalent exploit kits
• threat intelligence community
  • aggregation of threat intel subscriptions gives best results
  • hourly updates – still leaves window for compromise
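The "known malicious traffic" matching from Myth#3 and the feed aggregation and update-window points from Myth#5, together in one added Python example (not from the presentation). It merges three constructed feeds of different kinds (domains, a netblock, a hash), matches them against constructed gateway log lines, and marks each hit as blocked or missed depending on whether an hourly feed refresh had already delivered the indicator. The feed contents, timestamps, log lines, the placeholder hash and the on-the-hour refresh schedule are all assumptions.

```python
# Added example (not from the presentation): merging several indicator feeds,
# matching them against traffic logs the way a sandbox or gateway would, and
# measuring the exposure window that an hourly feed refresh leaves open.
# Feed contents, log lines, timestamps and the hash are all constructed.

import ipaddress
from datetime import datetime, timedelta

MALICIOUS_HASH = "ab" * 32  # constructed SHA-256 placeholder, not a real IoC


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


# Three constructed feeds; each entry is (kind, value, time the publisher first listed it).
FEEDS = {
    "domain-feed": [
        ("domain", "evil-kit.example", "2016-10-05T09:12:00"),
        ("domain", "Tracker.AdNet.example", "2016-10-05T08:00:00"),
    ],
    "netblock-feed": [
        ("netblock", "203.0.113.0/24", "2016-10-05T09:30:00"),
    ],
    "hash-feed": [
        ("domain", "EVIL-KIT.example.", "2016-10-05T09:40:00"),  # duplicate of the first feed's entry
        ("sha256", MALICIOUS_HASH.upper(), "2016-10-05T07:05:00"),
    ],
}


def normalise(kind, value):
    """Canonical form so the same indicator from two feeds collapses to one key."""
    if kind == "domain":
        return value.strip().lower().rstrip(".")
    if kind == "sha256":
        return value.strip().lower()
    if kind == "netblock":
        return str(ipaddress.ip_network(value.strip(), strict=False))
    raise ValueError(f"unknown indicator kind: {kind}")


def aggregate(feeds):
    """Merge all feeds into {(kind, value): earliest first-seen time}."""
    table = {}
    for entries in feeds.values():
        for kind, value, first_seen in entries:
            key = (kind, normalise(kind, value))
            seen = parse_ts(first_seen)
            if key not in table or seen < table[key]:
                table[key] = seen
    return table


def available_at(first_seen, refresh_seconds=3600):
    """When an indicator reaches endpoints if the local copy refreshes every refresh_seconds.

    Refreshes are assumed to run on fixed boundaries (every full hour by default),
    so an indicator published at 09:12 is only on the endpoints at 10:00.
    """
    epoch = datetime(1970, 1, 1)
    elapsed = (first_seen - epoch).total_seconds()
    slots = -(-elapsed // refresh_seconds)  # ceiling division
    return epoch + timedelta(seconds=slots * refresh_seconds)


def match_event(line, table):
    """Parse one constructed log line and return (time, client, [matching indicators])."""
    ts, client, dest, host, digest = line.split()
    host = normalise("domain", host)
    digest = digest.lower()
    hits = []
    for (kind, value), first_seen in table.items():
        if kind == "domain" and (host == value or host.endswith("." + value)):
            hits.append((kind, value, first_seen))
        elif kind == "netblock" and ipaddress.ip_address(dest) in ipaddress.ip_network(value):
            hits.append((kind, value, first_seen))
        elif kind == "sha256" and digest == value:
            hits.append((kind, value, first_seen))
    return parse_ts(ts), client, hits


def assess(lines, table, refresh_seconds=3600):
    """Report, per matching event, whether the endpoint already had the indicator."""
    results = []
    for line in lines:
        when, client, hits = match_event(line, table)
        for kind, value, first_seen in hits:
            status = "blocked" if when >= available_at(first_seen, refresh_seconds) else "missed"
            results.append((client, kind, value, status))
    return results


# Constructed gateway log: timestamp, client, destination IP, host, sha256 of any downloaded file or '-'.
LOG_LINES = [
    "2016-10-05T09:20:00 10.0.0.7 198.51.100.5 evil-kit.example -",
    "2016-10-05T10:15:00 10.0.0.9 198.51.100.5 evil-kit.example -",
    "2016-10-05T09:45:00 10.0.0.4 203.0.113.77 cdn.example -",
    "2016-10-05T08:30:00 10.0.0.4 192.0.2.10 updates.example " + MALICIOUS_HASH.upper(),
    "2016-10-05T09:00:00 10.0.0.2 192.0.2.20 tracker.adnet.example -",
]

if __name__ == "__main__":
    table = aggregate(FEEDS)
    for client, kind, value, status in assess(LOG_LINES, table):
        print(f"{client:10} {kind:9} {value:66} {status}")
```

With the default hourly refresh the first visit to evil-kit.example at 09:20 and the connection into the 203.0.113.0/24 netblock at 09:45 are both missed, because the indicators were published at 09:12 and 09:30 and only reach endpoints at 10:00; passing refresh_seconds=300 closes that window for every event in the constructed log. Aggregation also keeps the earliest first-seen time when two feeds list the same domain in different spellings.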
VirusTotal & Next-Gen AVs
Maintaining a healthy community: “all scanning companies will now be required to integrate their detection scanner in the public VT interface, in order to be eligible to receive antivirus results as part of their VirusTotal API services.”
VirusTotal should not be used to generate comparative metrics between different antivirus products. Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment.
VirusTotal & Next-Gen AVs
NG-AV 1 - The Industry’s Best Machine Learning Next-Gen AV
NG-AV 2 - machine learning engine designed to identify previously unknown malware
MD5: feb93aaab2357f00c23b06b7a6cab4c9
VirusTotal & Next-Gen AVs
Comparison of Next-Gen Security Products
Comparison of Next-Gen Security Products
Source: AV-Comparative - Malware Protection and False Alarm Test, Oct 2016
Comparison of Next-Gen Security Products
Source: MRG Effitas - Exploit Test, Oct 2016
Comparison of Next-Gen Security Products
AV-Comparatives: first public comparative Next-Gen Security test report
• a number of vendors refused to participate
• some products only provide logging rather than protection
• protection features are deactivated by default
• may not be available as a trial version
• do not sell to testing labs
Endpoint Protection - Layered Security Approach
Layers shown in the slide diagram:
Threat Intelligence
Email Protection, Web Security, Firewall / IPS
Anti-Virus / Anti-Malware
Behavior Based Protection
Anti-Exploit
Patch Management
Application Control
Data Protection
Just Missing in Action?
Having the right expectations from anti-malware products
• ransomware & data protection
• mobile devices, IoTs
Malware-less attacks
• using legitimate remote administration applications
"ain't a horse that can't be rode, ain't a man that can't be throwed"
Defense against insider threats?
Walking cyber security threats
Theory of convenience
And world needs to pay high price!
Conclusion
• Security Products have multiple detection mechanisms
• Threat-centric security technologies
• Approach to security needs to be constantly evolved
• No silver-bullet to solve all cyber security issues
• Go beyond the Next-Gen hype!
Any Questions?
Thank You!
Call us at: 1800-121-7377
Write to us at: [email protected]
Visit us: www.quickheal.com