WHY ANTIVIRUS WILL NEVER DIE …ADVANCED DETECTION FOR DUMMIES
EDDY WILLEMS
SECURITY EVANGELIST
TWITTER: @EDDYWILLEMS
OFFERING SECURITY SOLUTIONS WORLDWIDE
▪ Founded in Bochum, Germany in 1985
▪ First AV solution in 1987
▪ Global head office & development: Bochum
▪ Security solutions for home and business
▪ Solutions available in 90+ countries
▪ ~ 500 employees worldwide
▪ Subsidiaries in Austria, Belgium, China, France, Germany, Italy, Japan, The Netherlands, Poland, Spain, Switzerland and the United States
• Security Evangelist at G Data Software AG
• Personally involved in the security industry since 1989
• Worked as a cyber security expert for CERT organisations and security companies such as Kaspersky Lab, Westcon (Noxs), etc.
• Director of EICAR (co-founder), AMTSO and LSEC (3 international security industry organisations)
• Researcher/technical spokesperson, interviewed/cited in 1000s of publications and media outlets (CNN, ...)
• Author of the book 'Cybergevaar' (BE/NL, Dutch, 2013) and 'Cybergefahr' (DE, German, 2016)
INTRODUCTION
TODAY’S MALWARE THREATS
400.000 new samples a day
Over 700 million samples => 99,9% INVISIBLE => Money gain
Copyright IEEE Spectrum 2011
Who says AV is dead?
ANTIVIRUS IS DEAD?
The first one: Dr Solomon (2000), CEO of Dr Solomon's: "AV is dead!" (EICAR conference)
ANTIVIRUS IS DEAD?
WHY WOULD YOU SAY ANTIVIRUS IS DEAD
▪ Those who have a plan behind it
▪ Those who are financially motivated
▪ Those who don’t understand the real problem
▪ Those who don’t understand the real solution
▪ Those who don’t like the word antivirus
▪ Easy to get misquoted
▪ People have secret agendas
▪ Boosting shares
▪ Getting a lot of visibility
▪ Emotions
DEFINING ANTIVIRUS
▪ In 1984 Dr. Cohen described 3 techniques:
▪ Signature matching
▪ Change of file detection
▪ Behaviour blocking
G DATA | SIMPLY SECURE | SECURITY SUMMIT | SEPTEMBER 24, 2015 | 10
MALWARE IS MUCH MORE SOPHISTICATED THAN 30 YEARS AGO
WHY CALL IT AV? … AV PERCEPTION
▪ Because the general public doesn't know anything else
▪ The positive side is that lots of people seem to be aware, except for mobile devices!!!
▪ People assume programs are about signature detection and matching techniques with hex, hashes and checksums
▪ There is a complete lack of understanding of how anti-malware works, even in other parts of the security industry
▪ Lots of people confuse "not 100% protection" with "no protection at all"!
WHAT (PEOPLE THINK) SIGNATURES ARE
▪ Old technologies like fingerprinting and pattern matching => phased out in the mid 90's already
▪ Some are still used for legacy detection (inside DOS)
▪ Signatures are scripts (like maps or defined overviews) or descriptions of malicious behaviour
▪ Multiple families of malware
▪ Heuristics
▪ Cloud API calls (reputation)
▪ Packers, cryptors, obfuscators
MODERN ANTI-MALWARE TECHNIQUES
▪ Cloud based
▪ Code signing (change detection)
▪ Context sensitivity (riskier sigs, heuristic thresholds)
▪ Behavioral analysis inside emulator or sandbox
▪ Generic detection (sigs for families)
▪ Indicators of compromise (sigs of evidence)
▪ Heuristics (sigs calculated for behaviors + AI)
▪ HIPS (behavioral blocking for apps)
▪ NIDS (sigs for malicious network traffic)
▪ Whitelisting (change of files detection)
▪ Exploit blocking and detection
▪ Deep machine learning for malware behavior (e.g. ransomware)
▪ Big data Artificial Intelligence analysis
▪ Etc …
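The three techniques on the Cohen slide (signature matching, change-of-file detection, behaviour blocking) are still the building blocks of the "modern" list above (generic family sigs, whitelisting, HIPS with context-sensitive thresholds). The following is an added example, not code from the talk or from any G Data product, showing all three on constructed in-memory files; every signature, event name and weight is a made-up placeholder.

```python
"""Added example (not from the talk or G Data's products): the three detection
techniques Cohen described in 1984, applied to constructed in-memory files."""
import hashlib
import re
from typing import Dict, List, Optional

# --- 1. Signature matching: a byte pattern describing a family, not one file ---
# Constructed family signature: a byte regex with a wildcard for a variable part,
# which is what "generic detection (sigs for families)" means in practice.
FAMILY_SIGNATURES = {
    "Demo.Dropper": re.compile(rb"EVIL_MARKER_[0-9A-F]{4}_DROP"),
}

def signature_match(data: bytes) -> Optional[str]:
    """Return the family name whose pattern matches, or None."""
    for family, pattern in FAMILY_SIGNATURES.items():
        if pattern.search(data):
            return family
    return None

# --- 2. Change-of-file detection: compare hashes against a trusted baseline ---
def file_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def detect_changes(baseline: Dict[str, str], current: Dict[str, bytes]) -> Dict[str, str]:
    """Classify each current file as 'unchanged', 'modified' or 'new' (whitelisting)."""
    result = {}
    for name, data in current.items():
        if name not in baseline:
            result[name] = "new"
        elif baseline[name] != file_hash(data):
            result[name] = "modified"
        else:
            result[name] = "unchanged"
    return result

# --- 3. Behaviour blocking with a context-sensitive threshold ---
# Constructed weights for runtime events an emulator, sandbox or HIPS could observe.
EVENT_WEIGHTS = {
    "writes_to_startup": 3, "encrypts_many_files": 5,
    "injects_into_browser": 4, "reads_user_documents": 1,
}

def behaviour_score(events: List[str]) -> int:
    return sum(EVENT_WEIGHTS.get(e, 0) for e in events)

def should_block(events: List[str], file_status: str) -> bool:
    """Block when the score crosses a threshold that is lower for unknown files.
    This is the 'context sensitivity' bullet: the same behaviour is riskier from
    a file that is new or modified than from one on the trusted baseline."""
    threshold = 4 if file_status in ("new", "modified") else 8
    return behaviour_score(events) >= threshold
```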
IS AV FAILING?
Communication problems inside company
Implementation mistakes of security products
Bad monitoring of security incidents
No awareness (e.g. social engineering)
AV is only one layer in the battle
Don't say AV is dead: it only shows you don't know anything about anti-malware detection techniques
PROACTIVE DETECTION, BLOCKING AND REMOVAL
Examples
HEURISTICS, BEHAVIOUR BLOCKING AND BIG DATA
G DATA BANKGUARD
Man in the Middle – Man in the browser attack
€200 million loss by malware prevented by BankGuard since 2011
Patented
Also protects online e-wallets (e.g. Bitcoin)
G DATA EXPLOIT PROTECTION
70% of all exploits are actively being used in cyberattacks
90% of these exploits already have a patch!
G DATA ANTIRANSOMWARE
G DATA‘S CLOUD CONNECTION
Copyright IEEE Spectrum 2011
Why will antivirus be with us forever?
Evolution of Antivirus
The AV PARADOX
Anti-Virus is dead they said.
Pattern matching is defeated they said.
Then they came up with IOCs (Indicators of Compromise) and put them into patterns.
THANK YOU!
Q/A?
A secure solution for mobile threats!