Herd intelligence benefits IT security

Herd intelligence benefits IT security
Herd intelligence benefits IT security 

By Matt Hines
December 26, 2007

The rise of customized malware is forcing security software vendors to 
change their tactics quickly and begin using customers' machines as 
their initial line of threat detection intelligence, according to a new 
report from Yankee Group.

Echoing recent comments made by industry leaders like Symantec -- which 
is considering white-listing techniques, among many other emerging 
plans, to thwart the trend toward so-called server-side polymorphism -- 
Yankee Group Analyst Andrew Jaquith writes in a new research note that 
"herd intelligence" will be one of the most effective ways for vendors 
to detect and address increasingly customized threats.

By turning their customers' endpoint devices into malware collectors 
that can funnel information about new attacks back into their global 
networks of threat sensors and scanning technologies, Jaquith said, 
security applications vendors may make faster progress in stemming the 
tide of lower profile, smaller volume threats.

As malware authors have begun enlisting more malware toolkits and other 
technological means to create a greater number of attack variants than 
can be found and processed by honeypots and signature-based security 
software tools, the analyst said, it will become vital for vendors to 
aggregate threat data using customers' computers.

Some smaller vendors, including ESET, Panda Security, Prevx, and Sana 
Security, have already begun working in such a fashion, turning their 
deployed endpoints into collectors.

Larger vendors looking to add that type of technology to their pallets 
could seek to acquire one of those vendors, Sana in particular, to 
advance their plans more rapidly, Jaquith contends.

The idea is simple, according to the analyst. If attackers are going to 
attempt to create different attacks for nearly every individual user, 
then security software vendors must use their customers' machines as 
their eyes and ears for discovering and addressing those variants.

On the flip side, as the vendors amass information about new attacks, 
they can simultaneously help other customers determine whether new 
applications or Web sites are dangerous or safe to use, the analyst 

"When an unknown binary attempts to execute, the client-side agent sends 
detailed telemetry information to a remote centralized server and asks 
whether it is good, bad, or unknown," said Jaquith. "The server makes a 
disposition decision based on all the collective history accumulated by 
the herd. By pooling information about all executing programs across its 
installed base, the herd makes smarter decisions and can confer immunity 
faster to new variants."

As part of the effort, security vendors may also need to begin sharing 
more of that information with their rivals to create a larger network 
effect for thwarting malware on a global basis, according to the expert.

It may be hard to convince rival vendors to work together because of the 
perception that it could lessen differentiation between their respective 
products and services, but if the process clearly aids on the process of 
quelling the rising tide of new malware strains, the software makers may 
have little choice other than to partner, he said.

"By turning every endpoint into a malware collector, the herd network 
effectively turns into a giant honeypot that can see more than existing 
monitoring networks," said Jaquith. "Scale enables the herd to counter 
malware authors' strategy of spraying huge volumes of unique malware 
samples with, in essence, an Internet-sized sensor network."

Herd intelligence is not without its downsides

However, despite the advantages of moving to a herd mentality model, the 
expert recognizes that there might be significant obstacles for vendors 
to overcome in making such a transition -- including the cost of 
shifting away form their existing malware signature creation and 
distribution methodology.

Among the biggest issues for anti-malware vendors to consider is the 
issue of false positives as many legitimate or nefarious programs may be 
misclassified by one vendor or the other, and behavior detection-based 
tools will still be needed to keep an eye out for sites and applications 
that have been compromised.

Customers may represent another hurdle, Jaquith said, as not all 
companies will initially be comfortable with sharing the necessary level 
of access with vendors, and some may fear that such a system could offer 
new opportunities for data loss. Prevx, for one, is already dealing with 
the issue of privacy by guaranteeing that the only information being 
sent over its pipelines from customer PCs is related to executable 

An even larger problem could be the "data glut" generated by the herd 
anti-malware networks.

"Telemetric data provided by herd endpoints will be substantial," said 
Jaquith. "Anti-malware vendors will need to spend significant millions 
of dollars of capital to create scalable infrastructures to collect, 
process, and store data furnished by endpoints."

The white lists of legitimate applications maintained by anti-virus 
vendors will also need to be updated frequently to address the release 
of approved programs and patches, a process that will require even 
additional levels of cooperation between many different types of 
software makers, he said.

Along similar lines, Symantec researchers recently detailed a new 
program through which they are gathering detailed information about 
software applications installed onto the computers of customers using 
its desktop anti-malware suite.

Using an opt-out participation model, the experiment studies the 
behavior and distribution details of individual programs to help make 
recommendations to users about which programs they decide to install or 

"Right now, this is just a long-term research project, but we hope that 
as we get more users involved in the system, we can truly get a better 
idea of what is on people's computers so that we can identify malicious 
software based on the demographics of who is using it versus what it 
does," said Carey Nachenberg, a senior member of Symantec's Security 
Research team.

"We're hoping to get more clarity through the large base of users we 
have," he said. "By collecting this data, we should be able to get the 
most comprehensive view of the usage patterns to derive reputation 
information for everything they use."

Visit InfoSec News 

Site design & layout copyright © 1986-2014 CodeGods