Page 1: Understanding and Mitigating the Enterprise Spyware Threat Webroot Software Chris Echelmeier Regional Account Manager (303) 442-3813 x539 ChrisE@webroot.com

Understanding and Mitigating the Enterprise Spyware Threat

Webroot Software

Chris Echelmeier

Regional Account Manager

(303) 442-3813 x539

[email protected]

Tim Greenfield

Regional Sales Engineer

(303) 442-3813 x622

[email protected]

Page 2:

privacy ● protection ● peace of mind


Agenda

• About Webroot
• State of Spyware Q3 2005
• Spyware vs. Viruses
• Next generation spyware characteristics
• Importance of focused spyware research
• Solution overview & architecture
• Spy Sweeper Enterprise Demo

Page 3:

About Webroot Software

• Market-leading provider of best-of-breed anti-spyware technology
• Founded 1997 by a “white hat” – always a privacy company
• Privately held and continuously profitable
• Installed base of 5,000,000+ enterprise desktops; 10,000+ enterprise customers
• Installed on over 10,000,000 consumer desktops; 35,000 units/week by Geek Squad
• #1 best seller across all software & PC game categories, 12/2005
• Industry’s largest spyware research center
• Proactive spyware research methodology via Phileas
• Global sales and support, HQ in Boulder, Colo.
• Advanced Technology Center HQ in Silicon Valley

Page 4:

The Market Leader - Webroot Software

Source: Radicati Group, August 2005

Page 5:

Webroot Customers

Page 6:

State of Spyware Report – Q4 2005

• Industry’s first & only report specific to this security category
• Quantifies the spyware threat based on solid statistical data
• Details threat prevalence, infection rates, and delivery mechanisms
• Tracks data for consumer & enterprise segments
• Utilizes Webroot’s Spy Audit and Phileas© technology
• System Monitors increased 50% in the last three quarters
• FBI survey: 64% of businesses experienced a business disruption caused by spyware; extrapolated costs across US businesses: $62B
• Next generation: targeted & blended threats (Trojan delivers custom keylogger)

Page 7:

Sample SpyAudit data

Page 8:

The Spyware Problem - Risk Impact

• Access to proprietary corporate information: compromised passwords, admin privileges, applications
  – Intellectual property
  – Sensitive customer data
  – Employee & company financial information
  – Litigation data
• Direct implications for compliance: Gramm-Leach-Bliley, Sarbanes-Oxley, HIPAA
• FDIC Guidance on Mitigating Risks from Spyware (July 2005)
  – Sent to all FDIC-insured banks in the United States
  – Advises consideration of spyware as part of the overall risk assessment process
  – Recommends actions to mitigate the threat, including implementing anti-spyware solutions

Page 9:

How is Spyware Different from Viruses?

Fame vs. Fortune
• “Vandalism” & “Internet Graffiti” vs. $$$ … Have virus writers grown up and moved out of Mom & Dad’s basement?

Harder to Find
• Passive vs. active research: “honey pot” vs. Webroot’s “Phileas”

Harder to Remove
• Virus: 1 file (“trace”) on an infected desktop
• Spyware: between 10 and 2,000 traces
• Tedious, step-by-step removal routines … polymorphic code, registry entries, watcher programs, related processes
• Propagation vs. hiding

More Complex “Engine”
• AV engine designed to detect a few types of malware: good at blocking/detection, but weak at removal
• Spyware can be literally any program … defining it is difficult … the engine needs to keep pace
• Signature, memory “fingerprinting,” behavioral detection, advanced shields

Harder to Keep Up
• AV = commodity threat; anti-spyware is an evolving threat
• Ever-changing websites aimed at breaking through perimeter defenses
• 99% are new variants aimed at avoiding detection and removal

Bottom Line
• RESEARCH is KEY
• Suite vendors have always been late to address new threats (spam, …)
• Too much dependency on a single vendor weakens security and enables exorbitant fees without recourse

Page 10:

Advanced Research - PHILEAS©

• Overview of the Webroot Phileas© system
  – Largest database of spyware web pages
  – 1 hour of 1 Phileas© bot equals 10 days of manual work
  – Finds malware globally – language independent
  – 50-person spyware R&D team – largest in the world – and now the most efficient
• Traverses 1000s of URLs/second
  – Visits over 60,000,000 HTML pages/day
  – Optimized constantly for speed of web traversal
  – Database updated on a real-time basis
• Benefits
  – Catches bad guys’ R&D/beta spies!
  – Zero-day protection
  – “Google for Spyware”

Page 11:

Second Generation Spyware

• Disguised as legitimate traffic (services.exe, explorer.exe)
• Polymorphic (self-modifying code)
• Process monitoring to prevent removal
• Changes system security levels, properties and preferences
• Embeds itself deeper into the OS … ring 0 … harder to remove
• “Hijacker mentality”
• Uses vulnerabilities and Trojans to install (recent WMF)
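The first bullet above (spyware hiding behind the names of system processes such as services.exe and explorer.exe) is the reason the roadmap later moves from file-name matching to hash checking. The following checker is an added example, not Webroot code: it takes a constructed process snapshot and flags a well-known process name that runs from an unexpected directory or whose on-disk image does not match a known-good MD5 (MD5 is used here only because the deck's roadmap names it; a modern allowlist would use SHA-256). The expected-directory allowlist and the sample processes are hypothetical.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical allowlist: where each well-known Windows process is expected
# to run from (lower-cased). A real deployment would derive this from a
# known-good build, not hard-code it.
EXPECTED_DIR = {
    "services.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

@dataclass
class Proc:
    pid: int
    name: str
    path: str
    image: bytes  # on-disk image contents (constructed sample data)

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def check_process(proc, known_good):
    """Return findings for one process; known_good maps name -> MD5 of the
    genuine binary. Names not on the allowlist are skipped."""
    findings = []
    name = proc.name.lower()
    if name not in EXPECTED_DIR:
        return findings
    directory = proc.path.lower().rsplit("\\", 1)[0]
    if directory != EXPECTED_DIR[name]:
        findings.append(f"pid {proc.pid}: {name} running from unexpected directory {directory}")
    # Right name and right path are not enough: a replaced or patched image
    # still fails the hash check, which file-name matching alone would miss.
    if md5_hex(proc.image) != known_good[name]:
        findings.append(f"pid {proc.pid}: {name} image hash does not match known-good build")
    return findings

def scan(procs, known_good):
    return [f for p in procs for f in check_process(p, known_good)]

# Constructed sample: placeholder bytes stand in for the genuine binaries.
GENUINE = {"services.exe": b"genuine services.exe bytes",
           "explorer.exe": b"genuine explorer.exe bytes"}
KNOWN_GOOD = {n: md5_hex(b) for n, b in GENUINE.items()}

SAMPLE_PROCS = [
    Proc(600, "services.exe", r"C:\Windows\System32\services.exe", GENUINE["services.exe"]),
    Proc(1204, "explorer.exe", r"C:\Windows\explorer.exe", GENUINE["explorer.exe"]),
    Proc(3310, "services.exe", r"C:\Temp\services.exe", b"not the real binary"),
    Proc(3322, "explorer.exe", r"C:\Windows\explorer.exe", b"tampered explorer"),  # right path, wrong hash
]
```

Running `scan(SAMPLE_PROCS, KNOWN_GOOD)` yields three findings: two for the copy in C:\Temp and one for the tampered explorer.exe in the correct location.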

Page 12:

Patent Applications Last Quarter

• Webroot is an agile innovator, which has led to our success
• Celebrating over 65 patents pending
• Mike Wilson – System and Method for Removing Multiple Related Running Processes
• Justin Bertman/Matt Boney – Statistical Analysis of Web Content
• Michael Burtscher – Disk Scan Speed Improvements
• Jeff Horne – Advanced Memory Scanning of Encrypted Executables
• Jeff Horne – Dynamic Memory Offset Signature
• Jeff Horne – Advanced Inline Memory Scanning
• Jeff Horne – Zero Day & Custom Keylogger Detection
• 12 patents on Phileas and 7 pending

Page 13:

Technology Evolution / Roadmap

Timeline chart: 2003 – 2004 – 2005 – 2006

Technology milestones shown on the chart:
• File name matching
• MD5 signature checking
• In-memory analysis
• Kernel / driver level protection
• Advanced behavioral shields
• Basic shields

Other dimensions charted:
• Research methodology
• Frequency / accuracy of definitions
• Comprehensiveness of removal
• Business model
• Targeted attack protection

Page 14:

Suites & Best-of-Breed

• Is a suite the best solution when it is multiple products cobbled together?
• If they are all best-of-breed … of course
• And customers lose control – of technology, pricing, & support
• What does best-of-breed mean? Best at the current threat … more agile to adapt to future threats; best research; best definitions; best engine; most effective
• Detect – knowing what’s there is the first step in cleaning
• Block – prevent it from coming back
• Remove – fully remove from the system … leave no traces behind which can be used in future

Defense-in-Depth / Defense-in-Disparity / Best-of-Breed

Page 15:

Block / Detect / Remove

Page 16:

Spy Sweeper Enterprise 2.5.1

Page 17:

Webroot Solution Architecture

Centrally managed, scalable solution with the most comprehensive removal engine available

Page 18:

Spy Sweeper Enterprise Demo