Hitting the Up-To-Date - PowerPoint PPT Presentation

About This Presentation
Title: Hitting the Up-To-Date
Slides: 29
Provided by: ops5

Transcript and Presenter's Notes

1
Hitting the Up-To-Date
  • Bull's eye

VB2009 Steven Ginn
2
Overview
  • Defining and tracking "up-to-date"
  • Signature-based anti-malware requires updates to
    stay ahead
  • More and more updates are released every day
  • Need to provide technology for users to identify
    their up-to-date status

3
Signature Based Protection
  • Background
  • Recognizes malware based on an identity
  • Content is pattern-matched against signatures
  • New malware means new signatures are needed

4
The Up-to-Date Bull's Eye
  • What is it?
  • The point where a product has the latest and
    greatest definitions

5
The Up-To-Date Bull's Eye
  • Why should we care?
  • Staying current maximizes protection
  • Important to know when to update

6
Hitting a moving target?
  • Malware is more and more pervasive
  • Constantly being created
  • Anti-malware vendors react with new updates to
    keep up
  • Users need to constantly update to keep up

7
Identifying Trends
  • OESIS Monitor
  • Monitors anti-malware products and online
    material
  • Records any update that becomes available
  • Used to find the bull's eye

8
Trends and Observations
  • Number of updates per day has increased
  • Number of vendors and signature formats has
    increased
  • Update frequency by day of the week varies

9
Total Updates per year
10
Number of Vendors identified
11
Updates by Day of Week
12
Average Number of Updates by day
  • For the average vendor

13
Average Updates per day by year
  • For selected vendors

14
Average Updates per day by year
  • For selected vendors

15
Caveats to Data
  • The fine print
  • Data for 2009 was scaled
  • New Vendors introduced midyear
  • New Definition Formats introduced mid-year
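
The trend figures on the preceding slides (updates per year, vendors identified, updates by day of week, average updates per day, and the scaled 2009 figure) come from aggregating what a monitor records. The following is an added example, not the OESIS Monitor's own code or data: it aggregates a constructed update log in the same way and applies the partial-year scaling the caveat describes. The vendor names, definition formats and timestamps in MONITOR_LOG are invented.

```python
import calendar
from collections import Counter, defaultdict
from datetime import datetime

# Constructed stand-in for what an update monitor records: one line per
# definition update observed, as "vendor,format,timestamp". Vendors,
# formats and dates are invented for this example.
MONITOR_LOG = """\
VendorA,dat,2008-03-03T04:10:00
VendorA,dat,2008-03-03T16:40:00
VendorB,vdb,2008-03-04T09:00:00
VendorA,dat,2008-03-05T05:00:00
VendorB,vdb,2008-03-08T10:30:00
VendorA,dat,2009-06-01T03:00:00
VendorA,dat,2009-06-01T11:00:00
VendorA,dat,2009-06-01T19:00:00
VendorB,vdb,2009-06-02T09:00:00
VendorC,sig,2009-06-02T12:00:00
VendorA,dat,2009-06-03T02:00:00
VendorA,dat,2009-06-03T14:00:00
VendorC,sig,2009-06-06T08:00:00
"""


def parse_log(text):
    """Turn the monitor's CSV lines into (vendor, format, datetime) tuples."""
    records = []
    for line in text.strip().splitlines():
        vendor, fmt, stamp = line.split(",")
        records.append((vendor, fmt, datetime.fromisoformat(stamp)))
    return records


def updates_per_year(records):
    """Raw count of observed updates per calendar year."""
    return Counter(ts.year for _, _, ts in records)


def annualize(count, last_observed):
    """Scale a partial year's count to a full-year estimate.

    This is the adjustment the 2009 caveat refers to: a count taken
    part-way through a year is not comparable with complete years until
    it is stretched over the days not yet observed.
    """
    days_in_year = 366 if calendar.isleap(last_observed.year) else 365
    return count * days_in_year / last_observed.timetuple().tm_yday


def distinct_per_year(records, field):
    """Number of distinct vendors (field=0) or formats (field=1) per year."""
    seen = defaultdict(set)
    for rec in records:
        seen[rec[2].year].add(rec[field])
    return {year: len(values) for year, values in seen.items()}


def updates_by_weekday(records):
    """How release activity is distributed across the days of the week."""
    return Counter(ts.strftime("%A") for _, _, ts in records)


def avg_updates_per_day(records, vendor, year):
    """Updates per calendar day for one vendor over the days it was observed."""
    stamps = [ts for v, _, ts in records if v == vendor and ts.year == year]
    if not stamps:
        return 0.0
    first, last = min(stamps).date(), max(stamps).date()
    span_days = (last - first).days + 1
    return len(stamps) / span_days


if __name__ == "__main__":
    recs = parse_log(MONITOR_LOG)
    per_year = updates_per_year(recs)
    last_seen = max(ts for _, _, ts in recs)
    print("updates per year:", dict(per_year))
    print("2009 annualized:", round(annualize(per_year[2009], last_seen), 1))
    print("vendors per year:", distinct_per_year(recs, 0))
    print("formats per year:", distinct_per_year(recs, 1))
    print("by weekday:", dict(updates_by_weekday(recs)))
    print("VendorA 2009 avg/day:", round(avg_updates_per_day(recs, "VendorA", 2009), 2))
```

The annualized number is an estimate, which is why the slide calls it out as fine print: a vendor or format that appears mid-year inflates the extrapolation, so the scaled figure should be read alongside the distinct-vendor count for the same year.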

16
Finding the Bulls Eye
  • Communication tools
  • Anti-malware vendors have tools to tell users
    whether or not they are up to date
  • Each makes sense under different scenarios

17
Blacklist date
  • "Use by tomorrow"
  • Every update is stamped with an expiration
  • Projected to last until the next target delivery
  • Allows client software to make an educated guess
    about where the up-to-date mark will be next

18
Blacklist date
  • Pros
      • Easy to answer "Am I up to date?"
  • Cons
      • Bad for critical outbreaks
      • May expire prematurely
      • Only a best educated guess

19
Brute-Force Update
  • Throwing blind
  • Just always go and get the latest
  • No need to care whether you are up to date or not
  • Best when you assume that you aren't already up
    to date

20
Brute-Force Update
  • Pros
      • Never miss, if frequent enough
  • Cons
      • Resource intensive
      • May interrupt the user's workflow

21
Push Mechanism
  • Always connected?
  • Open a line between the user and a central server
  • When an update is available, push it to the end user

22
Push Mechanism
  • Pros
      • Minimizes outside communication
      • Simpler to stay up to date
  • Cons
      • Not good in heterogeneous environments
      • Requires constant contact

23
Third-Party Enforcement
  • OESIS Monitor
  • Monitors update releases by vendors
  • Provides a reference point for the latest definitions

24
Third-Party Enforcement
  • Pros
      • Supports heterogeneous deployments
      • Reacts quickly
      • Reference point updates are often smaller than
        signature updates
      • Best of the brute-force and push mechanisms
  • Cons
      • May not catch everything
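
Slides 17-18 and 23-24 describe two different answers to "am I up to date?": the blacklist date stamped on each definition set, which needs only the local clock, and a third-party reference point, which needs a monitor that has seen the vendor's newest release. The following is an added example, not code from the deck or from OPSWAT, that puts both checks side by side so their disagreements become visible. The version numbers, the 24-hour expiry and the checkpoints are invented; each checkpoint is an independent what-if, not one continuous timeline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Definitions:
    """The definition set installed on one client.

    'expires' is the blacklist date the vendor stamped on the release: the
    point at which the client should assume a newer set has shipped.
    """
    version: int
    released: datetime
    expires: datetime


def expired(defs, now):
    """Blacklist-date check: needs nothing but the local clock."""
    return now > defs.expires


def behind_reference(defs, reference_version):
    """Third-party check: compare against the newest release a monitor has seen."""
    return defs.version < reference_version


def classify(defs, now, reference_version):
    """Combine both signals and name the four possible outcomes.

    current           both agree the client is up to date
    stale             both agree it is not
    out_of_band_miss  not yet expired, but the monitor has seen a newer
                      release (the blacklist date's weakness in an outbreak)
    premature_expiry  expired, but nothing newer exists yet (the date was
                      only a projection of the next delivery)
    """
    is_expired = expired(defs, now)
    is_behind = behind_reference(defs, reference_version)
    if not is_expired and not is_behind:
        return "current"
    if is_expired and is_behind:
        return "stale"
    if is_behind:
        return "out_of_band_miss"
    return "premature_expiry"


# Constructed scenario: a vendor on a daily cadence stamps each set to
# expire 24 hours after release. Versions and times are invented.
RELEASE = datetime(2009, 9, 23, 0, 0)
INSTALLED = Definitions(version=100, released=RELEASE,
                        expires=RELEASE + timedelta(hours=24))


def walk_scenario():
    """Classify INSTALLED at several independent what-if checkpoints.

    Each checkpoint is (hours since release, newest version the monitor
    has recorded at that moment). They are not one continuous timeline.
    """
    checkpoints = [
        (2, 100),   # ordinary morning: nothing new has shipped
        (8, 101),   # emergency release at +6h: the blacklist date still says "fine"
        (26, 100),  # vendor runs late: the set has expired yet is still the latest
        (30, 101),  # late release is out and the client never fetched it
    ]
    return [
        (hours, classify(INSTALLED, RELEASE + timedelta(hours=hours), ref))
        for hours, ref in checkpoints
    ]


if __name__ == "__main__":
    for hours, verdict in walk_scenario():
        print(f"+{hours:2d}h  {verdict}")
```

The two middle checkpoints are the cons from the slides: "bad for critical outbreaks" is the out_of_band_miss case, and "may expire prematurely" is the premature_expiry case. The reference point resolves both, at the cost of needing a monitor that actually observed the release, which is the "may not catch everything" caveat above.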

25
Cloud-Scanning
  • Get rid of the definitions
  • Signatures live in the cloud
  • Content is assessed by reputation and scanned
    when necessary on external sites

26
Cloud-Scanning
  • Pros
      • Improved detection
      • Faster identification
      • Fewer systems to update
  • Cons
      • Must always be connected
      • Security concerns with sending data out
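
The cloud-scanning slides describe assessing content by reputation first and scanning it externally only when necessary, and they list two cons: the client must be connected, and data leaves the host. The following is an added example, not a vendor's implementation, of the hash-first pattern that addresses the second con: only a digest is sent for the reputation lookup, and the content itself goes out only when the digest is unknown. The reputation table, the sample bytes and the cloud_lookup function are constructed stand-ins so the example runs offline.

```python
import hashlib

# Constructed sample files. In a real deployment these would be arbitrary
# files on the endpoint; here they are fixed byte strings.
KNOWN_GOOD = b"MZ\x90\x00 constructed benign sample"
KNOWN_BAD = b"MZ\x90\x00 constructed malicious sample"

# Constructed reputation table keyed by SHA-256 hex digest. In a cloud
# scanning design this lives on the vendor's servers, not on the client.
REPUTATION = {
    hashlib.sha256(KNOWN_GOOD).hexdigest(): "clean",
    hashlib.sha256(KNOWN_BAD).hexdigest(): "malicious",
}


class CloudUnreachable(Exception):
    """Raised when the reputation service cannot be reached."""


def cloud_lookup(digest, online=True):
    """Stand-in for the network call to the reputation service.

    Returns the verdict for a known digest, None for an unknown one, and
    raises CloudUnreachable when there is no connectivity.
    """
    if not online:
        raise CloudUnreachable("no route to reputation service")
    return REPUTATION.get(digest)


def assess(content, online=True):
    """Return (verdict, bytes_sent_off_host) for one piece of content.

    The digest is always computed locally. The content itself is only
    submitted when the reputation service has never seen the digest.
    """
    digest = hashlib.sha256(content).hexdigest()
    try:
        verdict = cloud_lookup(digest, online)
    except CloudUnreachable:
        # The "must always be connected" con: no connectivity, no verdict,
        # and no definitions on the host to fall back on.
        return "unknown", 0
    if verdict is not None:
        # Only the 64-character hex digest left the host.
        return verdict, len(digest)
    # Unknown digest: now the content is submitted for a full external scan,
    # which is the point at which the data-leaves-the-host concern applies.
    return "submitted_for_scan", len(digest) + len(content)


if __name__ == "__main__":
    for label, sample in [("good", KNOWN_GOOD), ("bad", KNOWN_BAD),
                          ("new", b"constructed sample never seen before")]:
        print(label, assess(sample))
    print("offline", assess(KNOWN_BAD, online=False))
```

Measuring bytes sent off host makes the trade-off concrete: known content costs a digest, unknown content costs the file, and an offline client gets no answer at all.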

27
What next?
  • Continue the uphill battle, or go around?
  • Signature-based detection isn't scaling
  • What good is providing signatures if users can't
    keep up with them?
  • Try to improve the alternatives so they become proactive,
    not reactive

28
  • Questions?