AV Declared Loser in Malware Wars

Verizon just released its annual Data Breach Investigations Report, one of the most closely watched surveys of the state of cybersecurity. It is a great tool that organizations and vendors can use to review their security strategies in light of the cold, hard (and unfortunately painful) FACTS about the state of the industry. This year's report covers breach data from 80,000 security incidents using information provided by 70 contributing organizations in 61 countries.

The report is disturbing, showing how constant advancement in approaches used by attackers continues to put defenders at a disadvantage. It also drives home a point that we at Cylance have firmly believed since the company's inception some three years ago: Antivirus is dead. That's why we invested in machine learning technology, which powers our CylancePROTECT™ product. The only way to get ahead of the attackers is through artificial intelligence because there are not enough humans available to thwart growing cyber threats.

Here are three key lessons we culled from the report.

Signature-based Detection is Dead

The Verizon DBIR says 5 "malware events" occur every second. Thinking in terms of defense, that means a lot of hashes need to be included in a signature file or threat feed. So it shouldn't be surprising that the report also declared the death of traditional antivirus software by specifically noting that "signatures are dead."

The report also noted that custom-built malware has become prevalent, saying that 70 percent to 90 percent of malware samples are "unique" to an organization. With that stat, I think it's safe to stop looking for ways to apply hash-based threat intelligence to the endpoint. It's a futile exercise.
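To make the "unique to an organization" point concrete, here is an added example (not code from the post or from Cylance) showing why an exact-hash signature feed misses a sample that differs by a single byte, while a crude content-similarity measure still recognizes it. The sample bytes, the one-entry hash feed and the byte n-gram similarity function are all constructed for illustration; they are not real malware or a real feed.

```python
import hashlib

# Constructed stand-in for a file body (not malware): a header, a repeated "routine", padding.
BASE_SAMPLE = b"MZ\x90\x00" + b"payload-routine-v1" * 8 + b"\x00" * 16
# Constructed per-organization "unique" variant: identical except for one byte of padding.
VARIANT_SAMPLE = BASE_SAMPLE[:-1] + b"\x01"


def sha256_hex(data: bytes) -> str:
    """Exact-match signature as used by a hash blocklist or threat feed."""
    return hashlib.sha256(data).hexdigest()


# Constructed signature feed containing only the sample already seen elsewhere.
HASH_FEED = {sha256_hex(BASE_SAMPLE)}


def hash_match(data: bytes, feed: set) -> bool:
    """True only if this exact byte sequence was previously catalogued."""
    return sha256_hex(data) in feed


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of all overlapping n-byte windows in the data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def ngram_similarity(a: bytes, b: bytes, n: int = 4) -> float:
    """Jaccard similarity of the two samples' n-gram sets (1.0 = identical content).

    A content-based comparison like this survives the small edits that defeat
    an exact hash; it stands in here for any 'beyond signatures' approach."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    if not ga and not gb:
        return 1.0
    return len(ga & gb) / len(ga | gb)


if __name__ == "__main__":
    print("known sample hit by hash feed:  ", hash_match(BASE_SAMPLE, HASH_FEED))
    print("one-byte variant hit by hash feed:", hash_match(VARIANT_SAMPLE, HASH_FEED))
    print("content similarity of the pair:  ", round(ngram_similarity(BASE_SAMPLE, VARIANT_SAMPLE), 3))
```

Because a single changed byte produces an unrelated SHA-256 digest, the variant is invisible to the feed even though its n-gram similarity to the catalogued sample is above 0.9; every such variant would need its own feed entry, which is the scaling problem the report describes.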

The DBIR's authors also pointed out that much of the malware isn't particularly sophisticated.

"Receiving a never-before-seen piece of malware doesn't mean it was an 'advanced' or 'targeted' attack. It's kinda cool to think they handcrafted a highly custom program just for you, but it's just not true. Get over it and get ready for it. Special snowflakes fall on every backyard." -DBIR, page 22

It's about time our defenses evolve to something beyond signatures of any kind.

Malware is Alive

“In previous years, we were only able to show how malware contributed to confirmed security incidents. This year, we drank straight from the firehose of breaches that might have been.” - DBIR, page 21.

I was happy to see Verizon for the first time include raw incident data, including network appliance findings from a variety of vendors in this year's analysis. That allows us to get some color on the frequency of the myriad attacks that are NOT manually reported. It also suggests that DBIR has historically not given a full picture of the prevalence of malware.

The dataset still seems incomplete because it does not include metrics from endpoint malware products. It appears that the dataset was derived from network appliances only. As a provider of next-generation antivirus software (NGAV), we plan to submit data to Verizon so that the 2016 DBIR can paint a fuller picture of the threat landscape. For example, our current data shows that 48 percent of PCs are infected by unauthorized and unwanted software.

Indicators of Compromise Not an Enterprise Strategy

In a previous life, I spent way too many hours identifying new indicators of compromise (IOCs) for customers while working at an incident response firm. I wasn't surprised to see that the 2015 DBIR shows that it is very difficult for defenders to use IOCs and other threat intelligence to actually improve their security.

Consider the following points from the report:

Intel overlap among all 54 sources was 3 percent, indicating that each feed provides different data.

That data suggests an enterprise would need to have all of those feeds in order to benefit from the intel.

Applying all the feeds would require a Herculean effort.

A large majority of threat intel content is IP addresses, which attackers can easily change.
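The overlap figure above is easy to reproduce for feeds you actually subscribe to. The following is an added example, not code from the post or from Cylance, that measures pairwise Jaccard overlap between indicator feeds, the fraction of all indicators that appear in more than one feed, and how many new indicators each additional subscription contributes. The three feeds are constructed from RFC 5737 documentation addresses and are not real threat intelligence.

```python
from collections import Counter
from itertools import combinations

# Constructed feeds (documentation-range IPs, not real IoCs). A real run would load
# each subscribed feed into a set of normalized indicator strings the same way.
FEEDS = {
    "feed_a": {"203.0.113.10", "203.0.113.11", "198.51.100.5", "192.0.2.7"},
    "feed_b": {"203.0.113.10", "198.51.100.9", "192.0.2.20", "192.0.2.21"},
    "feed_c": {"198.51.100.5", "192.0.2.30", "203.0.113.99"},
}


def pairwise_overlap(feeds: dict) -> dict:
    """Jaccard overlap (shared / combined) for every pair of feeds."""
    result = {}
    for a, b in combinations(sorted(feeds), 2):
        sa, sb = feeds[a], feeds[b]
        result[(a, b)] = len(sa & sb) / len(sa | sb) if (sa | sb) else 0.0
    return result


def shared_fraction(feeds: dict) -> float:
    """Fraction of distinct indicators that appear in at least two feeds.

    This is the kind of aggregate the report's 'overlap among all sources' figure describes."""
    counts = Counter(ind for s in feeds.values() for ind in s)
    if not counts:
        return 0.0
    shared = sum(1 for c in counts.values() if c > 1)
    return shared / len(counts)


def coverage_gain(feeds: dict, order: list) -> list:
    """Number of not-yet-seen indicators each feed adds when subscribed in the given order.

    Low overlap means every extra feed keeps adding new indicators, so full coverage
    requires subscribing to (and operationalizing) all of them."""
    seen, gains = set(), []
    for name in order:
        new = feeds[name] - seen
        gains.append((name, len(new)))
        seen |= feeds[name]
    return gains


if __name__ == "__main__":
    for pair, jac in pairwise_overlap(FEEDS).items():
        print(f"{pair[0]} vs {pair[1]}: overlap {jac:.2f}")
    print(f"indicators present in more than one feed: {shared_fraction(FEEDS):.2%}")
    print("new indicators per added feed:", coverage_gain(FEEDS, ["feed_a", "feed_b", "feed_c"]))
```

On the constructed feeds, no pair overlaps by more than one in six, only two of nine indicators appear in more than one feed, and each additional feed still contributes new entries, which is the situation the report describes: the feeds complement rather than confirm each other, so a defender gets coverage only by ingesting all of them.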

Threat intel as a strategy is an expensive proposition that the industry can't and may never be able to support. We need only consider the factors that killed traditional AV technology, where old school vendors were quickly overwhelmed by volume. IOCs will succumb to the same death by nothing more than an increased number of attackers, and the natural evolution of an attacker's toolset.

Kris Harms
Sr. Director of Architecture & former Incident Responder