Monday, August 20, 2012

Trend Micro - You're doing it wrong!

In my Monday morning blog catch-up I stumbled upon Trend Micro's blog "Big Data Analytics and the Smart Protection Network". I don't normally bother reading or commenting on such self-serving marketing crud, but I worry that Trend Micro may starting to believe their own marketing fluff.

There are a number of things that are worth commenting upon, but the following is more dire than many...
"Every day, we receive 430,000 files for analysis, of which 200,000 are unique. That results in 60,000 new signatures for detection every day."
Trend Micro - you're doing it wrong! Who in their right mind still pumps out 60,000 new signatures for yesterdays malware? The fact that any vendor is forced to write signatures for each new threat is obviously a depressing aspect of the whole legacy approach to antivirus. There are considerably smarter ways in dealing with this class of threat. From my own past observations those 200,000 unique samples are more than likely serial variants of only a handful of meaningful malware creations. A ratio of 200:1 or 500:1 is pretty common nowadays - and even then more modern "signature" approaches could shrink the ratio down to between 4000:1 or 10,000:1 by the time you start interpreting the code contained within the malicious binary.

Why is all this important? Firstly, perhaps it's my German heritage, but inefficiencies can be grating. Just because you're been pumping out the same crud the same way for decades, doesn't mean you can't learn something from the younger dogs at the park. Secondly, these 1:1 transformations of signature to unique malware sample are redundant against the current state of the threat. The bad guys can generate a unique malware variant for every single visitor every time they get infected or receive an update. Thirdly, the signature you're pushing out is redundant - it's a marketing number, not a protection number, it wouldn't even serve as a SPF number on a bottle of sunscreen. Finally (and it's only "finally" because I've got a day job and I could go on and on...), "200,000 are unique" - I think you've missed more than a few...
"Thanks to our leadership in the reputation and correlation area, we get many requests from law enforcement to help them identify and jail criminals."
I suppose blind self-promotion works best if evidence is contrary. I'm sorry, but there's a lot more to reputation than blacklisting URL's and whitelisting "good" applications nowadays - and there's an ample list of companies specializing in reputation services that do this particular approach much better. The problem with these (again) legacy blacklist approaches is that the threat has moved on and the criminals have been able to ignore these dilapidated technologies for a half-decade. Server-side domain generation algorithms (DGA), one-time URL's, machine-locked malware, Geoip restrictions, blacklisting of security vendor probing infrastructure, etc. are just a sampling of tools and strategies that the bad guys have brought to bare against this legacy framework of reputation blacklists and correlation.

Don't get me wrong, the data you're gathering is useful for law enforcement. It can be helpful in identifying when the criminals screw up or when a newbie comes on to the scene, and it can be useful in showing how much damage has been done in the past by the bad guys - it's just not too effective against preemptively stopping the threat.

Speaking of the data, I'd love to know who's buying that data from Trend Micro? From past experience I know that most governments around the world pay a pretty penny for knowing precisely what foreign citizens are browsing on their computers, what type of Web browser they're using and what's the current patch level of their operating system... it's traditionally useful for all kinds of spying and espionage but, more importantly nowadays, for modeling and optimizing various cyber-warfare campaign scenarios.