Understanding and Mitigating the Enterprise Spyware Threat
Webroot Software
Chris Echelmeier
Regional Account Manager
(303) 442-3813 x539
Tim Greenfield
Regional Sales Engineer
(303) 442-3813 x622
privacy ● protection ● peace of mind
2
Agenda
• About Webroot
• State of Spyware Q3 2005
• Spyware vs. Viruses
• Next generation spyware characteristics
• Importance of focused spyware research
• Solution overview & architecture
• Spy Sweeper Enterprise Demo
About Webroot Software
• Market-leading provider of Best-of-Breed anti-spyware technology
• Founded 1997 by a “white hat” – always a privacy company
• Privately held and continuously profitable
• Installed base of 5,000,000+ enterprise desktops; 10,000+ enterprise customers
• Installed on over 10,000,000 consumer desktops; 35,000 units/week by Geek Squad
• #1 best seller across all software & PC game categories, 12/2005
• Industry’s largest spyware research center; proactive spyware research methodology via Phileas
• Global sales and support, HQ in Boulder, Colo.
• Advanced Technology Center HQ in Silicon Valley
The Market Leader - Webroot Software
Source: Radicati Group, August 2005
Webroot Customers
State of Spyware Report – Q4 2005
• Industry’s first & only report specific to this security category
• Quantifies the spyware threat based on solid statistical data
• Details threat prevalence, infection rates, and delivery mechanisms
• Tracks data for consumer & enterprise segments
• Utilizes Webroot’s Spy Audit and Phileas© technology
• System Monitors increased 50% in the last three quarters
• FBI survey: 64% of businesses experienced a business disruption caused by spyware; extrapolated cost across US businesses: $62B
• Next generation: targeted & blended threats (Trojan delivers custom Keylogger)
Sample SpyAudit data
The Spyware Problem - Risk Impact
• Access to proprietary corporate information: compromised passwords, admin privileges, applications
  • Intellectual property
  • Sensitive customer data
  • Employee & company financial information
  • Litigation data
• Direct implications for compliance: Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA
• FDIC Guidance on Mitigating Risks from Spyware – July 2005
  • Sent to all FDIC-insured banks in the United States
  • Advises consideration of spyware as part of the overall risk assessment process
  • Recommends actions to mitigate the threat – including implementing anti-spyware solutions
How is Spyware Different from Viruses?
Fame vs. Fortune
• “Vandalism” & “Internet graffiti” vs. $$$ … have virus writers grown up and moved out of Mom & Dad’s basement?
Harder to Find
• Passive vs. active research – “honey pot” vs. Webroot’s “Phileas”
Harder to Remove
• Virus: 1 file (“trace”) on an infected desktop
• Spyware: between 10 and 2,000 traces
• Tedious, step-by-step removal routines … polymorphic code, registry entries, watcher programs, related processes
• Propagation vs. hiding
More Complex “Engine”
• AV engine designed to detect a few types of malware: good at blocking/detection, but weak at removal
• Spyware can be literally any program … defining it is difficult … the engine needs to keep pace
• Signature, memory “fingerprinting,” behavioral detection, advanced shields
Harder to Keep Up
• AV = commodity threat; anti-spyware addresses an evolving threat
• Ever-changing websites aimed at breaking through perimeter defenses
• 99% are new variants aimed at avoiding detection and removal
Bottom Line
• RESEARCH is KEY
• Suite vendors have always been late to address new threats (spam, …)
• Too much dependency on a single vendor weakens security and enables exorbitant fees without recourse
Advanced Research - PHILEAS©
• Overview of the Webroot Phileas© system
  • Largest database of spyware web pages
  • 1 hour of 1 Phileas© bot equals 10 days of manual work
  • Finds malware globally – language independent
  • 50-person spyware R&D – largest in the world – and now the most efficient
• Traverses 1000s of URLs/second
  • Visits over 60,000,000 HTML pages/day
  • Optimized constantly for speed of web traversal
  • Database updated on a real-time basis
• Benefits
  • Catches bad guys’ R&D/beta spies!
  • Zero-day protection
  • “Google for Spyware”
Second Generation Spyware
• Disguised as legitimate system processes (services.exe, explorer.exe)
• Polymorphic (self-modifying code)
• Process monitoring to prevent removal
• Changes system security levels, properties and preferences
• Embeds itself deeper into the OS … ring 0 … harder to remove
• “Hijacker mentality”
• Uses vulnerabilities and Trojans to install (recent WMF)
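The two characteristics the deck keeps returning to, impostor system-process names and watcher programs that respawn whatever gets removed, as an added defensive illustration that is not part of the Webroot deck or its product: a Python check over a constructed process snapshot that flags system-process names running outside their expected directory and groups each with the chain of untrusted parent/child processes linked to it, so a removal routine terminates the cluster together instead of one process at a time. The trusted directories, the snapshot contents and the watcher.exe name are assumptions made for the example.

```python
import ntpath
from collections import defaultdict

# Directories legitimate Windows system binaries run from, and the directory each
# impersonated name (services.exe, explorer.exe, per the deck) belongs in. Assumptions.
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32"}
EXPECTED_DIR = {"services.exe": r"c:\windows\system32", "explorer.exe": r"c:\windows"}

# Constructed process snapshot (pid, ppid, name, image path); not real data.
SNAPSHOT = [
    (4, 0, "System", ""),
    (600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    (1200, 600, "explorer.exe", r"C:\Windows\explorer.exe"),
    (2040, 1200, "services.exe", r"C:\Users\u\AppData\Local\Temp\services.exe"),  # impostor
    (2044, 2040, "watcher.exe", r"C:\Users\u\AppData\Local\Temp\watcher.exe"),  # respawns 2040
    (2052, 2044, "explorer.exe", r"C:\Users\u\AppData\Local\Temp\explorer.exe"),  # impostor
    (3000, 1200, "notepad.exe", r"C:\Windows\System32\notepad.exe"),
]

def image_dir(path):
    # ntpath rather than os.path so the Windows-style paths parse on any host
    return ntpath.dirname(path).lower()

def impostors(snapshot):
    """pids carrying a system-process name but running outside that process's expected directory."""
    return [pid for pid, _, name, path in snapshot
            if name.lower() in EXPECTED_DIR and image_dir(path) != EXPECTED_DIR[name.lower()]]

def removal_clusters(snapshot):
    """Group each impostor with the parent/child chain of untrusted processes linked to it.
    Terminating a whole cluster at once defeats a watcher that respawns any member killed alone."""
    pids = {p[0] for p in snapshot}
    neighbours = defaultdict(set)
    for pid, ppid, _, _ in snapshot:
        if ppid in pids:
            neighbours[pid].add(ppid)
            neighbours[ppid].add(pid)
    untrusted = {pid for pid, _, _, path in snapshot if path and image_dir(path) not in TRUSTED_DIRS}
    clusters = []
    for seed in impostors(snapshot):
        if any(seed in c for c in clusters):
            continue  # already swept up as a relative of an earlier impostor
        stack, cluster = [seed], set()
        while stack:
            pid = stack.pop()
            if pid in cluster or pid not in untrusted:
                continue  # stop at trusted system processes such as the real explorer.exe
            cluster.add(pid)
            stack.extend(neighbours[pid])
        clusters.append(sorted(cluster))
    return clusters
```

On the constructed snapshot the two impostors and the watcher between them come back as a single cluster to terminate together, while the genuine services.exe and explorer.exe parents are left alone.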
Patent Applications Last Quarter
• Webroot is an agile innovator, which has led to our success
• Celebrating over 65 patents pending
• Mike Wilson – System and Method for Removing Multiple Related Running Processes
• Justin Bertman/Matt Boney – Statistical Analysis of Web Content
• Michael Burtscher – Disk Scan Speed Improvements
• Jeff Horne – Advanced Memory Scanning of Encrypted Executables
• Jeff Horne – Dynamic Memory Offset Signature
• Jeff Horne – Advanced Inline Memory Scanning
• Jeff Horne – Zero Day & Custom Keylogger Detection
• 12 patents on Phileas and 7 pending
Technology Evolution / Roadmap
(Roadmap chart spanning 2003 – 2004 – 2005 – 2006; entries listed as extracted)
Technology:
• File name matching
• MD5 signature checking
• In-memory analysis
• Kernel / driver level protection
• Advanced behavioral shields
• Basic shields
• Targeted attack protection
Other chart rows: Research Methodology; Frequency / Accuracy of definitions; Comprehensiveness of Removal; Business Model
Suites & Best-of-Breed
• Is a suite the best solution when it is multiple products cobbled together?
• If they are all Best-of-Breed … of course
• And customers lose control – of technology, pricing, & support
• What does Best-of-Breed mean? Best at the current threat … more agile in adapting to future threats; best research, best definitions, best engine, most effective
• Detect – knowing what’s there is the first step in cleaning
• Block – prevent it from coming back
• Remove – fully remove from the system … leave no traces behind which can be used in future
Defense-in-Depth / Defense-in-Disparity / Best-of-Breed
Block / Detect / Remove
Spy Sweeper Enterprise 2.5.1
Webroot Solution Architecture
Centrally managed, scalable solution with most comprehensive removal engine available
Spy Sweeper Enterprise Demo