SAN FRANCISCO (12/26/2007) - The rise of customized malware is forcing security software vendors to change their tactics quickly and begin using customers' machines as their initial line of threat detection intelligence, according to a new report from Yankee Group.
Echoing recent comments made by industry leaders like Symantec -- which is considering white-listing techniques, among many other emerging plans, to thwart the trend toward so-called server-side polymorphism -- Yankee Group Analyst Andrew Jaquith writes in a new research note that "herd intelligence" will be one of the most effective ways for vendors to detect and address increasingly customized threats.
By turning their customers' endpoint devices into malware collectors that can funnel information about new attacks back into their global networks of threat sensors and scanning technologies, Jaquith said, security applications vendors may make faster progress in stemming the tide of lower profile, smaller volume threats.
As malware authors have begun enlisting more malware toolkits and other technological means to create a greater number of attack variants than can be found and processed by honeypots and signature-based security software tools, the analyst said, it will become vital for vendors to aggregate threat data using customers' computers.
Some smaller vendors, including ESET, Panda Security, Prevx, and Sana Security, have already begun working in such a fashion, turning their deployed endpoints into collectors.
Larger vendors looking to add that type of technology to their pallets could seek to acquire one of those vendors, Sana in particular, to advance their plans more rapidly, Jaquith contends.
The idea is simple, according to the analyst. If attackers are going to attempt to create different attacks for nearly every individual user, then security software vendors must use their customers' machines as their eyes and ears for discovering and addressing those variants.
On the flip side, as the vendors amass information about new attacks, they can simultaneously help other customers determine whether new applications or Web sites are dangerous or safe to use, the analyst said.
"When an unknown binary attempts to execute, the client-side agent sends detailed telemetry information to a remote centralized server and asks whether it is good, bad, or unknown," said Jaquith. "The server makes a disposition decision based on all the collective history accumulated by the herd. By pooling information about all executing programs across its installed base, the herd makes smarter decisions and can confer immunity faster to new variants."
As part of the effort, security vendors may also need to begin sharing more of that information with their rivals to create a larger network effect for thwarting malware on a global basis, according to the expert.
It may be hard to convince rival vendors to work together because of the perception that it could lessen differentiation between their respective products and services, but if the process clearly aids on the process of quelling the rising tide of new malware strains, the software makers may have little choice other than to partner, he said.
"By turning every endpoint into a malware collector, the herd network effectively turns into a giant honeypot that can see more than existing monitoring networks," said Jaquith. "Scale enables the herd to counter malware authors' strategy of spraying huge volumes of unique malware samples with, in essence, an Internet-sized sensor network."
Herd intelligence is not without its downsides
However, despite the advantages of moving to a herd mentality model, the expert recognizes that there might be significant obstacles for vendors to overcome in making such a transition -- including the cost of shifting away form their existing malware signature creation and distribution methodology.
Among the biggest issues for anti-malware vendors to consider is the issue of false positives as many legitimate or nefarious programs may be misclassified by one vendor or the other, and behavior detection-based tools will still be needed to keep an eye out for sites and applications that have been compromised.
Customers may represent another hurdle, Jaquith said, as not all companies will initially be comfortable with sharing the necessary level of access with vendors, and some may fear that such a system could offer new opportunities for data loss. Prevx, for one, is already dealing with the issue of privacy by guaranteeing that the only information being sent over its pipelines from customer PCs is related to executable files.
An even larger problem could be the "data glut" generated by the herd anti-malware networks.
"Telemetric data provided by herd endpoints will be substantial," said Jaquith. "Anti-malware vendors will need to spend significant millions of dollars of capital to create scalable infrastructures to collect, process, and store data furnished by endpoints."
The white lists of legitimate applications maintained by anti-virus vendors will also need to be updated frequently to address the release of approved programs and patches, a process that will require even additional levels of cooperation between many different types of software makers, he said.
Along similar lines, Symantec researchers recently detailed a new program through which they are gathering detailed information about software applications installed onto the computers of customers using its desktop anti-malware suite.
Using an opt-out participation model, the experiment studies the behavior and distribution details of individual programs to help make recommendations to users about which programs they decide to install or avoid.
"Right now, this is just a long-term research project, but we hope that as we get more users involved in the system, we can truly get a better idea of what is on people's computers so that we can identify malicious software based on the demographics of who is using it versus what it does," said Carey Nachenberg, a senior member of Symantec's Security Research team.
"We're hoping to get more clarity through the large base of users we have," he said. "By collecting this data, we should be able to get the most comprehensive view of the usage patterns to derive reputation information for everything they u