Makers of antivirus (AV) software have been on the losing end of an arms race with malicious software creators and organized online crime groups for much of the last decade. Simply put: the production of malware is now highly automated, resulting in new, malicious programs that can be produced on industrial scale.
In contrast, the antivirus industry – while more efficient than ever – still relies heavily on the work of human antivirus researchers, especially to identify and analyze novel threats and develop threat "signatures" that can identify and remove them from infected systems.
The results have been predictable: a huge percentage of new threats go undetected by antivirus products, even when those products have the latest available threat signatures. The 'detection gap' came into full view in January, when The New York Times reported that its network had been compromised for more than four months by hackers based in China. For three months, the attacks peppered The Times' network with 45 pieces of malware, only one of which was detected by the antivirus software used there, which was made by the firm Symantec.
In response, Symantec said that its products use a combination of detection tools that complement signatures, including reputation filtering and behavioral detection. Signatures, the company said, are not enough.
But IT security analysts and experts are increasingly of the mind that antivirus software isn't enough – no matter what is under the hood. The basic "detect and block" model doesn't scale fast enough to meet the threat. Organizations may still rely on AV to find and remove known threats, but they no longer believe it has the ability to prevent infections.
Besides, even talking about "endpoint protection" these days is mostly a matter of conjecture. The last 20 years have been dominated by PC-based attacks and malware. But the next 20 years – or five years for that matter – will be very different. Having ditched desktops, users are abandoning laptops in droves in favor of tablets and smart phones. Before too long, you can add wearable devices like Google Glass to the mix. Data, applications and compute power are divided between the endpoint and the cloud, and AV vendors don't enjoy the same low-level kernel access that they've had on platforms like Windows. That transition is a paradigm shift for employers, and for the endpoint security firms that count them as customers.
Considering all that, it's no surprise that, in recent years, a handful of security firms and some newly-minted start-ups claim to have built 'a better mousetrap' for protecting endpoints from viruses, worms and other malware. These products say that they provide superior protection not just against malware, but other kinds of sophisticated cyber threats. ITworld took a look at five of the most promising firms:
You can't really call Triumfant a "start up." The company, originally named "Chorus Systems," was founded in 2002. But talk to folks who cover the endpoint security space, and they say that this Rockville, MD, firm's technology – which has mostly been used in government settings – offers one of the clearest visions of what the future of endpoint protection might look like.
Triumfant approaches endpoint security from the "change and configuration management" space. Its agents do endpoint health monitoring, but in a way that doesn't rely on baseline comparisons with generic "clean" systems. Instead, the company's endpoint agents develop a normative profile of systems based on their unique characteristics – things like the platform used, registry hives, MD5 hashes of every file, hardware attributes, open ports, event logs and so on. Triumfant claims to monitor 200,000 attributes and configuration settings in all, covering more than 400 applications.
And, because Triumfant works from the standpoint of configuration management, it can do what mere detection tools can't: clean up after infections. "They're about the closest thing to a full AV replacement," says Morales. "They do both detection and remediation. They've actually built a process to return to something like the 'last known good image,' but with tons of parameters." The company, which partners with the likes of ArcSight and McAfee, has focused on the government space, but is extending its reach into more traditional commercial and enterprise settings. That could be a problem though, says Morales. "As it stands, the product is quite technical," he said. And it's relatively expensive, especially with many companies paying rock-bottom prices, per seat, for antivirus products from the major AV vendors. While security-conscious organizations like the government and high-tech firms may be willing to pay for the extra protection, Triumfant faces an uphill battle convincing rank-and-file enterprises that the premium they pay for the Triumfant technology will be worth the extra investment.
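As an added illustration of the two ideas in the paragraphs above – a per-host normative profile built from file hashes and other attributes, and a "last known good" remediation derived from the drift – the Python below snapshots a host's files into attribute/value pairs, diffs a later snapshot against that host's own baseline rather than a generic clean image, and maps the differences onto restore or quarantine actions. This is not Triumfant's code; every function name, the `file:<path>:<attribute>` key layout and the sample host built in a temporary directory are assumptions. SHA-256 stands in for the MD5 the article mentions, because MD5 collisions are cheap to produce for attacker-controlled content.

```python
import hashlib
import tempfile
from pathlib import Path

# All names below are hypothetical; this is an added illustration, not
# Triumfant's product code.


def file_attributes(root: Path) -> dict:
    """Flatten a directory tree into "attribute -> value" pairs.

    Every regular file contributes its size and a SHA-256 digest. (The article
    mentions MD5; SHA-256 is used here because MD5 collisions are cheap to
    produce when an attacker controls the file content.)
    """
    attrs = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        data = path.read_bytes()
        attrs[f"file:{rel}:size"] = len(data)
        attrs[f"file:{rel}:sha256"] = hashlib.sha256(data).hexdigest()
    return attrs


def diff_attributes(baseline: dict, current: dict) -> dict:
    """Report attributes that appeared, vanished or changed since the baseline.

    The baseline is this host's own earlier state, not a generic clean image,
    so per-machine differences (drivers, locale, installed apps) are not noise.
    """
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "changed": sorted(k for k in base_keys & cur_keys
                          if baseline[k] != current[k]),
    }


def remediation_plan(drift: dict) -> list:
    """Map drift onto 'last known good' actions, one per affected file.

    Only the plan is produced here; actually restoring a file needs a retained
    copy of the baseline content, which the attribute snapshot does not hold.
    """
    def path_of(key: str) -> str:
        # key layout is "file:<relative path>:<attribute>"
        return key.split(":", 1)[1].rsplit(":", 1)[0]

    actions = [("quarantine", path_of(k)) for k in drift["added"]]
    actions += [("restore_from_baseline", path_of(k))
                for k in drift["changed"] + drift["removed"]]
    return list(dict.fromkeys(actions))   # de-duplicate, keep order


def demo() -> dict:
    """Constructed host: baseline it, simulate an infection, return the drift."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "bin" / "svc.exe").write_bytes(b"legit service binary v1")
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        baseline = file_attributes(root)

        # Simulated post-infection state (constructed): a binary is patched,
        # an unknown file appears, a configuration file is deleted.
        (root / "bin" / "svc.exe").write_bytes(b"legit service binary v1\x90\x90")
        (root / "bin" / "dropper.dll").write_bytes(b"unknown payload")
        (root / "etc" / "hosts").unlink()
        return diff_attributes(baseline, file_attributes(root))


if __name__ == "__main__":
    drift = demo()
    for bucket, keys in drift.items():
        print(bucket, keys)
    for action, path in remediation_plan(drift):
        print(action, path)
```

Two practical caveats follow from the design. The baseline must be captured while the host is known to be clean, otherwise whatever is already resident becomes "normal" and never shows up as drift. And hashing every file on every cycle is expensive, which is why the attributes are kept as independent keys: cheap ones (sizes, open ports, registry values) can be re-checked far more often than full content digests.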
Sourcefire, also, has been around quite a while, and made a name for itself in areas far afield from endpoint security. The publicly traded company (NASDAQ: FIRE) is best known for its open source SNORT intrusion detection scanner. But since going public in March, 2007 (and fending off some take-over attempts), Sourcefire has expanded its reach to the endpoint. It established a beachhead by acquiring the ClamAV open source antivirus technology in 2007. It built on that in 2011, with the acquisition of Immunet, a cloud-based anti-malware firm. Today, Sourcefire's Advanced Malware Protection (AMP) product claims to be able to leverage "big data," including the intelligence gleaned from FIRE's SNORT and premium IDS/IPS deployments to identify malicious files and even stealthy, targeted attacks. AMP works inline as an appliance (FirePOWER), or as an add-on to Sourcefire's Next Generation IPS. FireAMP is a version that runs on endpoints, virtual machines and mobile devices.
Rather than trying to lock down something as unwieldy and complex as an operating system, the security start-up Bromium offers another approach: isolate everything from everything else. Its technology, called the "Bromium Microvisor," uses hardware-backed virtualization to isolate discrete operating system processes and tasks within virtual containers, all within a virtualized operating system. Bromium says its technology can be used to isolate vulnerable tasks from the operating system and from each other. That approach leaves users free to access untrusted data and devices (like USB drives) without concern that a malicious attack will be able to access sensitive data or resources on the host or the larger network – an attractive prospect for IT managers frustrated by social engineering attacks.
Ask someone who knows the security space to muse on post-AV technology and they'll likely drop FireEye's name. The company started out offering botnet detection tools, but soon broadened its message to "advanced threat" detection. And you can read "advanced threat" as "all the stuff AV misses." At its core is technology FireEye calls MVX – for Multi-Vector Virtual Execution. In layman's terms: it's a virtual container (or "sandbox") that suspicious files such as e-mail attachments and web objects are allowed to run in. FireEye observes their behavior, and alerts companies when it finds behavior that's malicious. The company has made a name for itself by detecting and calling attention to emergent threats. Chris Morales, a senior analyst at The 451 Group, said FireEye's approach – letting suspicious files run to see what they do – isn't novel. "FireEye is taking stuff that's been happening in the labs and in the honeypots and bringing it inside the company," Morales said. The big question is: what to do once you know a suspicious file is malicious – FireEye promises to detect and "stop" threats, but malware removal isn't (currently) a FireEye feature.
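To make the "run it and watch what it does" idea concrete, here is an added example of the analysis step that follows sandbox execution: a small rule set scores the behaviors recorded while a file ran and turns the score into a verdict. It is not FireEye's MVX code; the event format, the rule names, the weights and the two constructed traces (a dropper and a legitimate installer) are all assumptions, and the IP addresses come from documentation ranges. The installer trace shows why single indicators are not enough on their own: writing a Run key is something ordinary software does too, so it earns only a "suspicious" rating until it is combined with other behaviors.

```python
from collections import defaultdict

# Hypothetical rule set and trace format; an added illustration, not FireEye's
# MVX. Each event is one observation a sandbox would record while a file runs.

RUN_KEY_FRAGMENT = "\\currentversion\\run\\"
DROP_DIRS = ("\\appdata\\", "\\temp\\")
EXEC_SUFFIXES = (".exe", ".dll", ".scr")


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def persistence_via_run_key(trace) -> bool:
    return any(e["op"] == "registry_set" and RUN_KEY_FRAGMENT in e["key"].lower()
               for e in trace)


def dropped_executable(trace) -> bool:
    """An executable written into a per-user or temporary directory."""
    for e in trace:
        if e["op"] == "file_write":
            p = e["path"].lower()
            if p.endswith(EXEC_SUFFIXES) and any(d in p for d in DROP_DIRS):
                return True
    return False


def self_delete(trace) -> bool:
    """The file that was launched removes its own on-disk image."""
    started = {_basename(e["image"]) for e in trace if e["op"] == "process_start"}
    return any(e["op"] == "file_delete" and _basename(e["path"]) in started
               for e in trace)


def regular_beaconing(trace, min_connections=3, max_jitter=0.25) -> bool:
    """Repeated connections to one destination at near-constant intervals."""
    times = defaultdict(list)
    for e in trace:
        if e["op"] == "net_connect":
            times[e["dst"]].append(e["t"])
    for ts in times.values():
        if len(ts) < min_connections:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if max(gaps) - min(gaps) <= max_jitter:
            return True
    return False


# (indicator name, weight, detector). Weights and thresholds are assumptions.
RULES = [
    ("persistence_run_key", 3, persistence_via_run_key),
    ("dropped_executable", 2, dropped_executable),
    ("self_delete", 3, self_delete),
    ("regular_beaconing", 3, regular_beaconing),
]


def analyze(trace) -> dict:
    hits = [(name, weight) for name, weight, detect in RULES if detect(trace)]
    score = sum(weight for _, weight in hits)
    verdict = "malicious" if score >= 6 else "suspicious" if score >= 3 else "benign"
    return {"score": score, "indicators": [n for n, _ in hits], "verdict": verdict}


# Constructed traces. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
DROPPER_TRACE = [
    {"t": 0.0, "op": "process_start", "image": "C:\\Users\\u\\Downloads\\invoice.pdf.exe"},
    {"t": 0.4, "op": "file_write", "path": "C:\\Users\\u\\AppData\\Roaming\\upd.exe"},
    {"t": 0.5, "op": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd",
     "value": "C:\\Users\\u\\AppData\\Roaming\\upd.exe"},
    {"t": 1.2, "op": "net_connect", "dst": "203.0.113.7:443"},
    {"t": 1.3, "op": "net_connect", "dst": "203.0.113.7:443"},
    {"t": 1.4, "op": "net_connect", "dst": "203.0.113.7:443"},
    {"t": 2.0, "op": "file_delete", "path": "C:\\Users\\u\\Downloads\\invoice.pdf.exe"},
]

INSTALLER_TRACE = [
    {"t": 0.0, "op": "process_start", "image": "C:\\Users\\u\\Downloads\\setup.exe"},
    {"t": 0.8, "op": "file_write", "path": "C:\\Program Files\\App\\app.exe"},
    {"t": 0.9, "op": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\App",
     "value": "C:\\Program Files\\App\\app.exe"},
    {"t": 3.0, "op": "net_connect", "dst": "198.51.100.9:443"},
]

if __name__ == "__main__":
    for name, trace in (("dropper", DROPPER_TRACE), ("installer", INSTALLER_TRACE)):
        print(name, analyze(trace))
```

The output of `analyze` is a verdict plus the indicators behind it, which is exactly the point the paragraph ends on: knowing a file is malicious is a separate problem from removing it, and nothing here touches the endpoint. One further caveat for anyone building on this pattern is that a single short run captures only what the sample chose to do inside the sandbox; samples that wait, or that check for virtualization before acting, produce a quiet trace and a "benign" verdict.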
Spotflux doesn't play in the same game as other endpoint security firms. Instead, the Brooklyn, NY-based startup is looking forward to our mobile- and cloud-based future. The company's technology seeks to sanitize connections between endpoints (broadly defined) and the increasingly risky, cloud-based resources that we all rely on. A cloud-based, consumer-oriented service uses a thin-client installed on the endpoint to encrypt and proxy all Internet traffic through the company's cloud-based servers. There, Spotflux says it runs "millions of calculations" to identify and remove a wide range of malicious or undesirable content, from ads and tracking cookies to viruses and malware. Security is only part of the sell here. The bigger concern (rightly) is on data and user privacy in an era of increasingly intrusive applications and monitoring. The company was a finalist at The RSA Conference's Innovation Sandbox competition, suggesting that the Spotflux story is finding receptive ears.