Q&A: Pat Peterson, IronPort Systems

Malware costs over $150 per PC user per year – not to mention the billions of dollars at stake if confidential information is leaked or lost due to malware infections. To find out what companies can and should do about this growing problem, we caught up by email with Patrick Peterson, Vice President of Technology at IronPort Systems (http://www.ironport.com/). Peterson is a longtime security expert and holds B.S. and M.S. degrees in electrical engineering from Stanford University and holds patents related to antennas, radio frequency communications and email authentication technologies.

IT Security: How do you define malware?

Peterson: Malware comes in a wide range of forms but they share one thing in common—they are pieces of unwanted code that embed themselves on an end-user PC without the end-user’s explicit knowledge.

The main types of malware include:

• adware
• rootkits
• tracking cookies
• Trojan horses
• browser hijackers
• worms
• Internet dialers
• viruses
• keyloggers

IT Security: How aware are enterprises of the problem? Obviously they know there is a problem, but do most enterprises understand the extent of the problem?

Peterson: Most enterprises are becoming aware of the problem quickly because they are seeing the repercussions of not being protected. However, education on the extent of the problem is still necessary, as many organizations that haven’t been hit by malware are unaware how costly it can be. Malware costs enterprises around the globe billions of dollars every year. These costs come mainly in the form of disruptive side effects—IT help desk requests, desktop cleanup and remediation, system resource consumption. On top of these very real costs, there are significant intangible costs associated with private data being lost or compromised, as well as the negative PR associated with this type of security breach.

IT Security: What are some of the mistakes that enterprises generally make in opening themselves up to malware threats?

Peterson: IronPort Systems recently released a study of malware infection rates in the enterprise. This study found that more than 50 percent of corporate PCs were infected with some type of malware. Of these infected machines, adware and tracking cookies were clearly the most prevalent infections, but Trojans and system monitors represented over 7 percent of the infections—a shockingly high infection rate given the malicious nature of these two types of threats.

This is despite the fact that more than 65 percent of these same enterprises surveyed had deployed some type of desktop-based anti-spyware or anti-virus system. Clearly, these first generation malware defenses are not sufficient to protect corporate networks. This is where enterprises are opening themselves up. First generation malware protection is not enough and enterprises need to invest in advanced malware defenses such as a web security appliance that sits at the gateway. Since the cost of deploying and managing advanced malware defenses is significantly lower than the cost of repairing damage done by malware infection, the old adage holds true—an ounce of prevention is worth a pound of cure. Enterprises need to understand the financial implication of just one malware attack.

Consider an extremely conservative view of the business impact. Assume that only the most malicious forms of malware—keyloggers and system monitors—require complete attention. These malicious forms of malware make use of rootkits and other obfuscation techniques as described earlier, and thus require a reload of the operating system to remedy. For a 2,000 seat enterprise, 3.5 percent or 70 systems would require an O/S reinstall. This takes an average of four hours (at a rate of $75/hr for IT staff), plus four hours of lost employee productivity. Assuming the employees are equally valuable as their IT counterparts, this translates into $600 per infection—$42,000 just to repair those 70 systems. Next, assume that systems infected with adware and tracking cookies can be repaired with client-based tools and minimal IT staff support. This takes an average of one hour of IT time plus one hour of lost productivity, which translates into an additional $135,000. That brings the total (for cleaning the entire population) to $177,000. Considering that new strains of malware are introduced daily, it is not hard to see how this cost becomes a recurring drag on corporate IT resources. In its study of enterprise IT teams, IronPort found that malware costs over $150 per PC user per year. This number only reflects the direct IT costs associated with control and removal of malware; it does nothing to consider the billions of dollars at stake if confidential information is leaked or lost due to malware infections.

IT Security: Is all malware of equal concern to enterprises, or should they instead focus resources on just a limited range of malware? If so, why and what malware should they focus on?

Peterson: All malware is dangerous and costly to an enterprise. While the most common form of malware is adware, all malware should be of concern as it is getting more dangerous and more widespread as time passes. Adware is software that monitors the behavior of end-users and displays Web-based advertisements that relate to the end-user’s activity. Looking at specifics, enterprises should also be focused on:

1. A keylogger or system monitor. These programs will silently install themselves and monitor the keystrokes and system events of an infected PC. Keyloggers can be combined with sophisticated logic to perform tasks such as looking for the address of an online bank, recording the username and password, and then transmitting this information back to a rogue server—which in turn can transfer funds from the affected user. Keyloggers can also be used to harvest sensitive corporate information. A keylogger placed on the machine of a CFO or CEO could readily access corporate earnings data prior to earnings announcements, creating a trading opportunity worth billions of dollars. A keylogger has access to every application—it can obtain information from webpages, emails and database interactions.

2. Another extremely dangerous form of malware is a “rootkit.” A rootkit is a piece of software that attaches itself to the core operating system in order to bypass system security restrictions. Every operating system relies on application program interfaces (APIs) to function. A call to open a file is an API call. A rootkit allows these APIs to be manipulated. Thus when the operating system requests a particular file, the rootkit could return any other data object. This level of control is almost impossible to counteract. Rootkits can disable any desktop-based security software. They are extremely difficult to detect, and often designed to preserve and reinstall themselves.

IT Security: Most enterprises presumably now have basic security in place (firewalls, intrusion detection etc.). Can these also be used to protect against modern malware, and if so how? If they can’t, why can’t they?

Peterson: First generation malware protection is not enough and enterprises need to invest in advanced malware defenses such as a web security appliance that sits at the gateway. Malware defense systems bear a strong resemblance to the anti-virus solutions that have been widely deployed and are now considered mature. This includes multi-layer, best-of-breed defenses—with protection at the desktop, in the network core and at the perimeter. Desktop solutions for anti-malware have been in existence for some time, with every major anti-virus vendor offering anti-malware protection to address modern threats like keyloggers and Trojans. There are also specialized providers, which offer best-of-breed desktop solutions focused specifically on spyware. These providers have been able to post impressive results—sometimes offering twice the catch rates—of the incumbent anti-virus solutions that have been updated to address spyware.

Perimeter-based anti-malware solutions are much less mature. Consequently, they are worthy of discussion. There are four basic processing approaches for perimeter-based malware defense—network-based, proxy-based, list-based and signature-based systems. All four approaches have their own strengths and limitations. The best solutions in the industry take advantage of all four types of processing.

1. Network-based systems operate at the packet level. They can either be inline or non-inline (on a span tap or other network connection point). Because they are not fully rendering the content, but rather inspecting the pieces of data as they go past, these systems are typically very high performance. They also have the advantage of being able to analyze all network traffic types, not just the traffic of a specific protocol. The primary disadvantage of network-based systems is their inability to view traffic at the application layer. Consequently, a malicious piece of code that is piggybacked on another piece of code will typically avoid detection because (when examined, packet by packet) the malicious code is camouflaged.

2. A proxy is an application server that sits between the end-user and the server they are trying to reach. A Web proxy receives an outgoing request from a client and then initiates a new connection with the target site on behalf of the user. Server responses are directed to the proxy, which in turn shuttles each response through to the end-user. The proxy is an ideal filtering agent because it fully understands the HTTP protocol and can perform a complete examination of the content.

3. List-based systems: Many of the current vendors of anti-malware solutions have their roots in acceptable use policy (AUP) enforcement. These systems created lists of URLs that were classified by content type—adult, games, sports, etc. This allowed corporate IT managers to enforce acceptable use policies by blocking undesirable site access. These systems generally used some type of manual site classification which created a large database of classified URLs. Since legitimate websites don’t change all that often, these databases were updated periodically, maybe daily or weekly. List-based AUP filters can be deployed on either network-based or proxy-based systems. List-based systems are an effective part of an overall malware defense. They also have the advantage of combining their legacy acceptable use filtering with newer anti-malware filtering. However, they are also subject to some very significant shortcomings.

List-based systems, by definition, are reactive. A piece of malware is served from a particular system—and detected by some type of detection mechanism. The database will then be updated and pushed out to remote systems in the field. This process can range from a minimum of several hours to a more typical response, measured in days. With malware authors creating dynamic attacks that persist on a bot machine for only a matter of hours, most list-based systems are too slow to react. Another drawback of list-based systems is that they only “map” or have values for a very small percentage of the Internet—usually about 10-20 percent. Thus, for the vast majority of Web servers on the Internet (as well as short-lived websites and bots—the most typical malware infection vectors), a list-based system has no information.

4. Signature-based systems are the mainstay of traditional anti-virus programs. These systems create a digital “fingerprint” of the bit patterns associated with known malicious code. They are very accurate, yielding near perfect results (catch rates in excess of 99 percent with false positive rates of one in one million or less). Yet, while these systems are powerful, computer viruses and malware remain a problem. Signature-based systems have two major drawbacks. The first of these is reaction time. When a new exploit occurs, a signature vendor needs to detect and isolate the threat, develop the signature, and push it out to the millions of systems that use it. This process takes anywhere from hours to weeks, depending on the complexity of the outbreak. Furthermore, the response times of all major vendors vary widely. This is why most enterprise security teams have deployed a multi-vendor, multi-layer defense—if one signature vendor is slow to react.

The other major challenge with signature-based systems is performance. As malware has grown increasingly sophisticated, the size of leading signature engines has grown exponentially. Throughput of industry-leading spam filters has dropped more than 60 percent in the past 12 months. The vast majority of anti-malware signature scanning takes place at the email gateway or at the desktop, neither of which are highly sensitive to performance. But the Web is a real-time protocol. Consequently, introducing signature-based scanning at the Web gateway creates serious performance issues. Traditional signature-based systems will add several seconds of latency to each page load. For the end-user, waiting for that page to load, the impact is significant—it can feel like a modem instead of a high-speed data link. This sensitivity to latency creates an important subtlety. Latency (the time required to scan a single object) and throughput (the total number of objects that can be scanned) are related. As the system gets busy, latency increases. But the performance penalty associated with signature scanning often introduces unacceptable latency, even when the system is not busy, because performing a single scan takes time. For this reason, enterprises both large and small have avoided widespread deployment of signature-based scanning systems on HTTP traffic.
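To make the difference between packet-level and proxy-level inspection concrete, here is an added Python example; it is not IronPort code and is not from the interview. It builds a constructed HTTP response carrying a constructed marker string that stands in for a malware signature, splits it into out-of-order TCP-style segments, and runs three inspection styles over them: per-segment matching as a network-based system does, reassembly of the raw byte stream, and proxy-style inspection that parses the HTTP framing and undoes the gzip content encoding before matching. The marker, the page body, the segment boundary and the helper names are all assumptions made up for this example.

```python
import gzip

# Constructed stand-in for a malware signature; not a real one.
SIGNATURE = b"X-CONSTRUCTED-MALICIOUS-MARKER"

# Constructed page body: benign, repetitive HTML with the marker in a script tag.
PAGE = (b"<html><body>" + b"<p>Welcome to the example site.</p>" * 3
        + b"<script>" + SIGNATURE + b"</script></body></html>")


def build_http_response(body: bytes, compress: bool) -> bytes:
    """Wrap a body in a minimal HTTP/1.1 response, optionally gzip-encoded."""
    if compress:
        body = gzip.compress(body)
        encoding = b"Content-Encoding: gzip\r\n"
    else:
        encoding = b""
    headers = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" + encoding
               + b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n")
    return headers + body


def segment_stream(stream: bytes, cut: int) -> list:
    """Split the stream into (seq, payload) segments at offset `cut` and return
    them out of order, as a tap might observe them on the wire."""
    segments = [(0, stream[:cut]), (cut, stream[cut:])]
    return segments[::-1]


def packet_level_scan(segments, signature: bytes) -> bool:
    """Network-based inspection: each segment is matched in isolation."""
    return any(signature in payload for _, payload in segments)


def stream_level_scan(segments, signature: bytes) -> bool:
    """Reassemble by sequence number, then match the raw byte stream."""
    stream = b"".join(payload for _, payload in sorted(segments))
    return signature in stream


def proxy_level_scan(segments, signature: bytes) -> bool:
    """Proxy-style inspection: reassemble, parse the HTTP framing, undo the
    content encoding, and match the content the browser would actually see."""
    stream = b"".join(payload for _, payload in sorted(segments))
    head, _, body = stream.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if headers.get(b"content-encoding") == b"gzip":
        body = gzip.decompress(body)
    return signature in body


def compare(compress: bool) -> dict:
    """Run all three inspection styles on a response whose marker is never
    wholly contained in one segment; report which styles detect it."""
    response = build_http_response(PAGE, compress)
    if compress:
        cut = len(response) // 2            # mid-body; bytes are compressed anyway
    else:
        cut = response.index(SIGNATURE) + len(SIGNATURE) // 2   # cut inside the marker
    segments = segment_stream(response, cut)
    return {
        "network": packet_level_scan(segments, SIGNATURE),
        "stream": stream_level_scan(segments, SIGNATURE),
        "proxy": proxy_level_scan(segments, SIGNATURE),
    }


if __name__ == "__main__":
    for compress in (False, True):
        print("gzip" if compress else "plain", compare(compress))
```

Running it shows the two failure modes from items 1 and 2 above: per-segment matching misses a marker that straddles a segment boundary, raw reassembly recovers it for a plaintext page but not once the body is gzip-encoded, and only the proxy, which understands the HTTP framing well enough to decode the content, sees it in both cases.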

IT Security: What extra protections if any do enterprises need to deal with today’s malware, and why do they need them?

Peterson: There are four main things companies need to have:

1. Network Layer Protection: Monitors traffic that sits inline or on a network tap. It monitors all network activity looking for malicious traffic that is trying to “phone home” or connect to a rogue server. Additional features would include identifying the most infected PCs on the corporate network—allowing IT administrators to proactively and efficiently launch desktop clean up efforts.

2. Proxy Layer Processing: A high performance Web proxy that can support thousands of simultaneous connections.

3. Accelerated Signature Scanning: Accelerates the signature scanning of Web content and minimizes latency.

4. Web Reputation System: For each Web request, a web reputation system should make an assessment of the reputation (or trustworthiness) of the URL requested. This should include questions such as:

• How long has the domain been registered?
• What is the country of origin?
• What is the IP range of the hosting server?
• How does the name server infrastructure behave?
• How much traffic is the URL getting?
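The questions above amount to a scoring function over attributes of the requested URL. The following Python example is added here and is not IronPort’s reputation system or any real product’s; the signal names, weights, thresholds, the watchlist placeholder and the three constructed URL profiles are all assumptions chosen to show how such signals could be combined into an allow/scan/block decision at the gateway.

```python
from dataclasses import dataclass

# Constructed placeholder; a real deployment would take this from threat intelligence.
WATCHLIST_COUNTRIES = {"ZZ"}


@dataclass
class UrlSignals:
    """Answers to the five reputation questions for one requested URL (assumed schema)."""
    domain_age_days: int        # how long the domain has been registered
    country: str                # country of origin (ISO code)
    ip_in_dynamic_range: bool   # hosting IP sits in a dynamic/residential allocation
    ns_changes_last_30d: int    # how often the authoritative name servers changed
    daily_requests: int         # observed traffic volume for the URL


def score_url(s: UrlSignals) -> float:
    """Combine the signals into a score from -10 (untrustworthy) to +10 (trusted).
    Weights are illustrative assumptions, not tuned values."""
    score = 0.0
    # Domain age: short-lived malware sites are overwhelmingly newly registered.
    if s.domain_age_days < 7:
        score -= 4
    elif s.domain_age_days < 90:
        score -= 2
    elif s.domain_age_days > 730:
        score += 2
    # Country: a weak signal on its own, so it carries a small weight.
    if s.country in WATCHLIST_COUNTRIES:
        score -= 1
    # Hosting: legitimate services rarely serve from dynamic/residential ranges.
    if s.ip_in_dynamic_range:
        score -= 3
    # Name server behaviour: rapidly rotating NS records resemble bot-hosted infrastructure.
    if s.ns_changes_last_30d >= 5:
        score -= 3
    elif s.ns_changes_last_30d >= 2:
        score -= 1
    else:
        score += 1
    # Traffic: well-known, heavily visited URLs earn trust; near-zero traffic earns none.
    if s.daily_requests >= 100_000:
        score += 3
    elif s.daily_requests >= 1_000:
        score += 1
    elif s.daily_requests < 10:
        score -= 2
    return max(-10.0, min(10.0, score))


def decide(score: float, block_below: float = -6.0, allow_above: float = 3.0) -> str:
    """Map a score onto a gateway action; the middle band is sent to full scanning."""
    if score < block_below:
        return "block"
    if score > allow_above:
        return "allow"
    return "scan"


def evaluate(s: UrlSignals) -> tuple:
    """Return (score, action) for one URL."""
    score = score_url(s)
    return score, decide(score)


# Constructed profiles for three kinds of URL.
ESTABLISHED = UrlSignals(3650, "US", False, 0, 5_000_000)
SUSPICIOUS = UrlSignals(2, "ZZ", True, 12, 3)
UNCERTAIN = UrlSignals(45, "US", False, 2, 500)

if __name__ == "__main__":
    for name, signals in (("established", ESTABLISHED), ("suspicious", SUSPICIOUS),
                          ("uncertain", UNCERTAIN)):
        print(name, evaluate(signals))
```

The design point is that no single answer decides the outcome: a young domain or an unusual country alone lands in the scan band, while the combination of a days-old registration, dynamic hosting, churning name servers and no traffic, which is the profile of the short-lived bot-hosted sites that list-based systems never get to map, is blocked before any content is fetched.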

IT Security: How do you think malware will evolve? What should enterprises expect with malware in the future?

Peterson: In 2007, the malware market will become more commercialized as sophisticated organized crime groups fund development to generate profit. In addition, organized attacks motivated by political or economic interests will rise and potentially create homeland security threats.

Despite the social and legal ramifications, legitimate businesses are willing to utilize new methods to increase advertising revenues. Video formats on social networking sites and media download sites will increase malware distribution opportunities.

IT Security: If enterprises put malware protections in place now will they be enough to cope with malware in the future? What should enterprises do now to ensure they can deal with malware in the future, as far as is practical?

Peterson: Enterprises need to deploy a preventive security solution, such as a Web security gateway that uses real-time data to stay ahead of malware. These solutions evolve to protect enterprises from new malware threats. Additionally, enterprises need to ensure that their email security appliance and Web security gateway work together and share a common threat database to have the best defense against the sophisticated new generation of threats on the Internet.

For more information on IronPort Systems and its products, see the following white papers: