By Matt Hines
December 26, 2007
The rise of customized malware is forcing security software vendors to
change their tactics quickly and begin using customers' machines as
their initial line of threat detection intelligence, according to a new
report from Yankee Group.
Echoing recent comments made by industry leaders like Symantec -- which
is considering white-listing techniques, among many other emerging
plans, to thwart the trend toward so-called server-side polymorphism --
Yankee Group Analyst Andrew Jaquith writes in a new research note that
"herd intelligence" will be one of the most effective ways for vendors
to detect and address increasingly customized threats.
By turning their customers' endpoint devices into malware collectors
that can funnel information about new attacks back into their global
networks of threat sensors and scanning technologies, Jaquith said,
security applications vendors may make faster progress in stemming the
tide of lower profile, smaller volume threats.
As malware authors have begun enlisting more malware toolkits and other
technological means to create a greater number of attack variants than
can be found and processed by honeypots and signature-based security
software tools, the analyst said, it will become vital for vendors to
aggregate threat data using customers' computers.
Some smaller vendors, including ESET, Panda Security, Prevx, and Sana
Security, have already begun working in such a fashion, turning their
deployed endpoints into collectors.
Larger vendors looking to add that type of technology to their pallets
could seek to acquire one of those vendors, Sana in particular, to
advance their plans more rapidly, Jaquith contends.
The idea is simple, according to the analyst. If attackers are going to
attempt to create different attacks for nearly every individual user,
then security software vendors must use their customers' machines as
their eyes and ears for discovering and addressing those variants.
On the flip side, as the vendors amass information about new attacks,
they can simultaneously help other customers determine whether new
applications or Web sites are dangerous or safe to use, the analyst
"When an unknown binary attempts to execute, the client-side agent sends
detailed telemetry information to a remote centralized server and asks
whether it is good, bad, or unknown," said Jaquith. "The server makes a
disposition decision based on all the collective history accumulated by
the herd. By pooling information about all executing programs across its
installed base, the herd makes smarter decisions and can confer immunity
faster to new variants."
As part of the effort, security vendors may also need to begin sharing
more of that information with their rivals to create a larger network
effect for thwarting malware on a global basis, according to the expert.
It may be hard to convince rival vendors to work together because of the
perception that it could lessen differentiation between their respective
products and services, but if the process clearly aids on the process of
quelling the rising tide of new malware strains, the software makers may
have little choice other than to partner, he said.
"By turning every endpoint into a malware collector, the herd network
effectively turns into a giant honeypot that can see more than existing
monitoring networks," said Jaquith. "Scale enables the herd to counter
malware authors' strategy of spraying huge volumes of unique malware
samples with, in essence, an Internet-sized sensor network."
Herd intelligence is not without its downsides
However, despite the advantages of moving to a herd mentality model, the
expert recognizes that there might be significant obstacles for vendors
to overcome in making such a transition -- including the cost of
shifting away form their existing malware signature creation and
Among the biggest issues for anti-malware vendors to consider is the
issue of false positives as many legitimate or nefarious programs may be
misclassified by one vendor or the other, and behavior detection-based
tools will still be needed to keep an eye out for sites and applications
that have been compromised.
Customers may represent another hurdle, Jaquith said, as not all
companies will initially be comfortable with sharing the necessary level
of access with vendors, and some may fear that such a system could offer
new opportunities for data loss. Prevx, for one, is already dealing with
the issue of privacy by guaranteeing that the only information being
sent over its pipelines from customer PCs is related to executable
An even larger problem could be the "data glut" generated by the herd
"Telemetric data provided by herd endpoints will be substantial," said
Jaquith. "Anti-malware vendors will need to spend significant millions
of dollars of capital to create scalable infrastructures to collect,
process, and store data furnished by endpoints."
The white lists of legitimate applications maintained by anti-virus
vendors will also need to be updated frequently to address the release
of approved programs and patches, a process that will require even
additional levels of cooperation between many different types of
software makers, he said.
Along similar lines, Symantec researchers recently detailed a new
program through which they are gathering detailed information about
software applications installed onto the computers of customers using
its desktop anti-malware suite.
Using an opt-out participation model, the experiment studies the
behavior and distribution details of individual programs to help make
recommendations to users about which programs they decide to install or
"Right now, this is just a long-term research project, but we hope that
as we get more users involved in the system, we can truly get a better
idea of what is on people's computers so that we can identify malicious
software based on the demographics of who is using it versus what it
does," said Carey Nachenberg, a senior member of Symantec's Security
"We're hoping to get more clarity through the large base of users we
have," he said. "By collecting this data, we should be able to get the
most comprehensive view of the usage patterns to derive reputation
information for everything they use."
Visit InfoSec News