Panel Introduction: Life After Antivirus – What Does the Future Hold?

1. Panel Introduction: Life After Antivirus – What Does the Future Hold? Martin Fréchette Sr. Principal Engineer Symantec Research Labs – Advanced Concepts

2. The Evolving Threat Landscape Attackers have shifted away from mass distribution of a small number of threats to micro distribution of millions of distinct threats How? Their servers generate a new malware strain every few minutes/hours Each victim potentially gets attacked by a different strain! Called “server-side polymorphism” How big is the problem? We now know of over 1.8M distinct malware strains We’re collecting 10,000s of new strains per day Further, our sensor data shows us that we’ve passed an inflection point… The amount of malware released now exceeds the amount of goodware! From Nov 7th to Nov 14th, roughly 54,600 new EXEs were downloaded by (participating) consumer users Of these, roughly 65% of all files were malicious! # of apps malware good apps time 2

3. Coping with the Malware Flood • The current blacklist model is decreasingly effective at coping with millions of distinct threats • Vendors are generating up to 20,000+ new fingerprints per day! • Furthermore, many strains of older malware may also go permanently undetected! • Why? Because if only 3 people in the world have a threat, there’s little chance a security vendor has discovered it and written a signature for it • A few years ago, a single classic signature could protect 10,000s of users • Today a single classic signature typically protects < 20 users • The result is that the industry • is flooding its customers with 100s of thousands of signatures every month, • yet our efficacy was arguably better a decade ago with 1/100th the signatures! Conclusion: The classic fingerprinting approach needs to be augmented/replaced.

4. A New Approach • Symantec’s top security architects believe • a hybrid whitelisting and reputation-based antivirus approach • will become the only effective means of • securing enterprise & consumer endpoints • In the long-run, these schemes will largely replace traditional blacklist AV technologies • Traditional fingerprinting AV will become a part of the supporting cast

5. e.g., the 10th most popular app is used by 1M users e.g., the 4,999,125th most popular app is used by 2 users r r r r r r r r r r r r r r r r r r r r r r r The New Approach to Antivirus Software applications have a “long-tail” distribution. Symantec proposes using a whitelist to identify the most popular legitimate applications. Over time we can expand the whitelist to cover lower-prevalence software as well. However the advent of personalized malware has made it difficult for AV vendors to discover and protect against the majority of today’s threats. Legitimate apps span the spectrum, with the most popular apps occupying the head of the curve. On the other hand, most malicious software occupies the long tail… So how can whitelisting and reputation-based detection help? We propose using a novel new reputation system (like systems used by amazon.com) to automatically derive the reputation of long-tail apps based on the wisdom of our 100M strong crowd of users. Traditional blacklisting works best for mass-distributed malware where a single sig covers thousands of users. But how about the long tail of good and malicious apps? w 100M users w w Legendx Traditional Blacklisting w w The Idea Rather than just blocking software found on the blacklist, we will shift to a hybrid model employing whitelisting, reputation, and blacklisting. w w Whitelisting w w r Reputation system w Prevalence x x r r r r x x x r r r r x r r r x r r 1 user x x Most popular file Least popular file

6. Whitelisting Blacklisting Reputation The New Approach to Antivirus • Here’s another way of thinking about the problem: Prevalent goodware Prevalent malware The long tail