February 25, 2013, 1:54 PM — The New York Times report last month on a months-long intrusion into its corporate network was an indictment of what many have concluded is widespread, government-sanctioned espionage by China. Almost as glaring was the Times' indictment of its antivirus software provider, Symantec Corp., which failed miserably to detect and block 44 of the 45 malicious programs planted on the computers of Times reporters and other employees.
Security experts have long cautioned that the protection model used by most antivirus products - which relies on identifying and fingerprinting known malicious software - isn't well suited to a world of targeted attacks and purpose-built malicious programs. A 2012 study sponsored by the security firm Imperva, and conducted by students at the Technion, Israel's Institute of Technology, found that the initial detection rate for new (previously unknown) malware was less than 5% - in other words, more than 9 of 10 new malicious programs won't get picked up by antivirus software. Despite that, spending on antivirus software is one of the biggest items in the security budget of both corporations and consumers. The research firm Gartner estimates that corporations will spend $3.4 billion worldwide on endpoint security software, while consumers will spend around $5 billion in 2012 - both figures have increased in recent years and are set to go up again this year.
Recent weeks have brought bad news for companies that turned to whitelisting as an alternative, after leading firm Bit9 was found to have allowed attackers to infiltrate its network and "whitelist" some decidedly nasty Trojan horse programs.
But where can companies turn next? Well ... lots of places, actually. In fact, recent announcements have come from two firms that think they have an answer for bedraggled antivirus users - two of the many small firms circling the lumbering antivirus giants in the hope of picking off customers who have grown skeptical of the value of their endpoint security offerings.
The security firm Trusteer recently announced the availability of a new product, dubbed "Apex" that it says will protect enterprises against "advanced malware attacks and data breaches." And by "advanced," Trusteer means the stuff AV firms are struggling with: previously unknown malware or malware variants, as well as attacks that exploit previously unknown ("zero day") vulnerabilities in ubiquitous platforms like Adobe Acrobat and Flash or Microsoft Office.
Trusteer, which is headquartered in Boston, is one of a number of up-and-coming firms that are selling alternatives to the traditional endpoint protection suites sold by AV giants like McAfee, Symantec, Sophos and Kaspersky Lab.
The company's technology doesn't rely on threat signatures, or on so-called "whitelists" of good applications. Instead, it watches applications as they run and spots suspicious or malicious behavior, based on a model of "normal" application behavior that it has refined from its large user base. Trusteer claims Apex can block both web-based attacks that implant malware by exploiting vulnerable applications, and data loss from malware infections, by spotting attempts by untrusted applications or processes to send data outside an organization or to connect with Internet-based command and control (C&C) networks.
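To make the behavioral model concrete, here is an added example (it is not Trusteer's code and makes no claim about how Apex is built) of the approach the passage describes: rather than matching file signatures, each run-time event a process generates is compared against a baseline of normal behavior, and untrusted processes that deviate - a document reader launching a shell, or a process with no history of network activity reaching an external address - are flagged. The baseline, the internal address ranges and the event log are all constructed for this example; a real product would learn the baseline from its user population.

```python
"""Behavior-based endpoint monitor (illustrative; not Trusteer's code).

Compares what a process does at run time against a baseline of normal
behavior and flags untrusted processes that try to reach command-and-control
hosts or exfiltrate data. Baseline, networks and events are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed baseline of (process, action) pairs considered normal. In a
# real system this would be learned from a large population of clean hosts.
BASELINE = {
    ("winword.exe", "open_file"),
    ("winword.exe", "write_file"),
    ("excel.exe", "write_file"),
    ("outlook.exe", "connect"),
    ("chrome.exe", "connect"),
    ("chrome.exe", "write_file"),
}

# Constructed view of the organisation's own address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Document readers are never expected to launch a command interpreter.
DOCUMENT_APPS = {"winword.exe", "excel.exe", "acrord32.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe"}


@dataclass
class Event:
    process: str   # the acting process
    parent: str    # its parent process (lineage)
    action: str    # "open_file", "write_file", "connect" or "spawn"
    target: str    # file path, "ip:port" or child process name


def is_internal(ip_port: str) -> bool:
    """True when an ip:port target lies inside the organisation's networks."""
    ip = ipaddress.ip_address(ip_port.rsplit(":", 1)[0])
    return any(ip in net for net in INTERNAL_NETS)


def evaluate(ev: Event) -> list[str]:
    """Return alert strings for one event; an empty list means the event fits the baseline."""
    alerts: list[str] = []
    if ev.action == "spawn":
        if ev.process in DOCUMENT_APPS and ev.target in SHELLS:
            alerts.append(f"HIGH: {ev.process} spawned {ev.target}")
        return alerts
    known = (ev.process, ev.action) in BASELINE
    if ev.action == "connect" and not known and not is_internal(ev.target):
        # An outbound connection from a process with no history of network
        # use is the signature of C&C beaconing or data exfiltration.
        alerts.append(f"HIGH: untrusted {ev.process} (parent {ev.parent}) "
                      f"connected to external {ev.target}")
    elif not known:
        alerts.append(f"LOW: {ev.process} {ev.action} {ev.target} deviates from baseline")
    return alerts


def scan(events: list[Event]) -> list[str]:
    """Run every event through the rules and collect the alerts in order."""
    return [a for ev in events for a in evaluate(ev)]


# Constructed event log: an Office document drops a script that phones home.
SAMPLE_EVENTS = [
    Event("winword.exe", "explorer.exe", "open_file", "C:/Users/alice/Documents/q4.docx"),
    Event("chrome.exe", "explorer.exe", "connect", "203.0.113.7:443"),
    Event("winword.exe", "explorer.exe", "spawn", "powershell.exe"),
    Event("powershell.exe", "winword.exe", "connect", "198.51.100.23:8080"),
    Event("outlook.exe", "explorer.exe", "connect", "10.1.2.3:443"),
    Event("updater.exe", "explorer.exe", "write_file", "C:/Temp/cache.bin"),
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

The two HIGH alerts come from lineage and network behavior alone; the dropped script was never fingerprinted. The LOW alert on the updater shows the approach's cost: any process the baseline has not seen generates noise, which is why vendors lean on a large user base to make the baseline complete.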
Another firm, Bromium, recently offered a wholly different approach to the same endpoint protection problem. The company has an excellent pedigree. Its CEO, Gaurav Banga, was formerly CTO at Phoenix Technologies, while CTO Simon Crosby was formerly the founder and CTO of XenSource. Bromium unveiled its first product, vSentry, in September for Windows 7 and Windows Server. The company's technology leverages native Intel support for virtualization and security to spawn what it calls "micro visors" (as in "tiny hypervisors") that are used to isolate specific application tasks from the underlying (host) operating system.
User interactions - clicking a link on your Facebook wall, or opening an email attachment - spawn a new task, which is assigned its own virtual machine with the resources necessary to complete that task. However, these ephemeral VMs are untrusted by the host operating system, and are therefore unable to access it or the CPU itself. As an example, an instance of your IE browser running Facebook.com can only access the browser cookie for Facebook and the untrusted web; it cannot access any other files, reach deeper into the enterprise network, or access USB devices connected to your PC. Unlike Trusteer, Bromium doesn't claim to be able to sort out malicious from legitimate application behavior. Instead, it provides a secure container for malicious applications to run in that won't compromise valuable and trusted assets and resources. Once a particular task is killed, the hardware-isolated task is discarded and, with it, any malware.
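The access rules in the preceding paragraph amount to a default-deny policy scoped to the task's origin, plus a container whose state is thrown away when the task ends. The following added model (not Bromium's code, and not how vSentry is implemented; hardware virtualization is replaced by a plain Python object) shows those rules as a policy decision, with the resource names, the corporate host list and the host file set all constructed for the example.

```python
"""Task-scoped isolation policy (illustrative model; not Bromium's vSentry).

Each user task runs in its own untrusted container. What it may reach is
derived from the task's origin; everything else is denied; whatever the
task writes lives in the container and is discarded with it.
"""
from dataclasses import dataclass, field

# Constructed: hosts on the corporate network that a task must never reach.
CORP_HOSTS = {"intranet.example.internal", "fileserver.example.internal"}

# Constructed host file system, to show it is never touched by the task.
HOST_FILES = {"C:/Users/alice/Documents/payroll.xlsx": b"<payroll data>"}


@dataclass
class MicroTask:
    """One user task (a site, an attachment) in its own untrusted container."""
    origin: str                                   # e.g. "facebook.com"
    scratch: dict = field(default_factory=dict)   # container-local writes
    alive: bool = True
    denied: list = field(default_factory=list)    # audit trail of refusals

    def check(self, resource: str) -> bool:
        """Decide whether the task may touch `resource` (default deny).

        Resources are "kind:name" strings: cookie:<site>, net:<host>,
        file:<path>, usb:<device>.
        """
        if not self.alive:
            raise RuntimeError("task already discarded")
        kind, _, name = resource.partition(":")
        if kind == "cookie":          # only the cookie jar of its own origin
            ok = name == self.origin
        elif kind == "net":           # the untrusted web, not the corporate network
            ok = name not in CORP_HOSTS
        elif kind == "file":          # only files the container itself created
            ok = name in self.scratch
        else:                         # usb and anything unlisted
            ok = False
        if not ok:
            self.denied.append(resource)
        return ok

    def write(self, path: str, data: bytes) -> None:
        """Writes land in the container, never on the host file system."""
        self.scratch[path] = data

    def end(self) -> int:
        """Kill the task: discard the container and everything it wrote."""
        discarded = len(self.scratch)
        self.scratch.clear()
        self.alive = False
        return discarded


def demo() -> dict:
    """Walk a Facebook browsing task through the policy and return the decisions."""
    task = MicroTask(origin="facebook.com")
    results = {
        "own_cookie": task.check("cookie:facebook.com"),
        "other_cookie": task.check("cookie:bank.example"),
        "web": task.check("net:cdn.example.net"),
        "intranet": task.check("net:fileserver.example.internal"),
        "host_file": task.check("file:C:/Users/alice/Documents/payroll.xlsx"),
        "usb": task.check("usb:E:"),
    }
    # A drive-by download lands in the container, where the task can see it...
    task.write("C:/Temp/dropper.exe", b"MZ<constructed>")
    results["own_file"] = task.check("file:C:/Temp/dropper.exe")
    # ...and disappears with the container when the task is closed.
    results["discarded"] = task.end()
    results["host_untouched"] = "C:/Temp/dropper.exe" not in HOST_FILES
    results["denials"] = len(task.denied)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

The point the model makes is that the container never has to recognise the dropper as malicious: the policy does not look at the file at all, only at which origin is asking for which resource, and the task's end erases whatever it left behind.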
"People are deploying the wrong technologies for the wrong reasons," said Franklyn Jones, the Vice President, Marketing at Bromium. "They have to deal with the fact that users are going to connect to the Internet and there's no way to protect them when they do," he said.
The company is touting a new report from independent testing lab NSS Labs, which found the company's technology stopped novel malware attacks that NSS threw at it. There will be more news from Bromium this week that expands the reach of its technology - but I'll leave that to them.
And these are just two vendors. The RSA Conference in San Francisco promises news from a slew of vendors who would like a piece of that $7 billion antivirus pie. And, with attacks against organizations of all kinds accelerating, expect a long line of willing buyers. Stay tuned.