
Taking the Leap to Cloud-Based Malware Inspection

Gunter Ollmann

Is desktop anti-virus dead? Someday I'd love to make that announcement, but it still feels to me that there's a Patron Saint of Voodoo with an affinity for bringing it back to life — like some macabre mirror image of the malicious zombies it's supposed to provide protection against.

It's kind of ironic that today's innovation in desktop anti-virus isn't really happening at the desktop; rather, it's occurring in the cloud. Today, the best performing desktop anti-virus products pass copies of suspicious files and URLs up to their vendor's cloud for detailed analysis and, in response, down comes a verdict on the file that was analyzed. Several vendors have been doing this for a number of years, but have only recently been promoting the "cloud" part. Apparently people are more comfortable with the cloud nowadays; go figure.

What advantages are there to using the "cloud" for anti-virus protection? Here are just a few that I've pulled from various literature I happened to come across:

  • Scalability – the ability to keep pace with the ever-increasing volume of new malware.
  • Efficiency – instead of analyzing the same piece of malware on ten thousand desktop computers, why not do it just once?
  • Improved engines – there's only so much technology you can push down to a desktop. Advanced malware detection needs sophisticated automated analysis and dissection technologies that are too big to run side-by-side with Microsoft Excel.
  • Global visibility – there are numerous advantages in being able to see a new piece of malware early on in its lifecycle. Having thousands or millions of "sensors" (i.e. customer deployments) means that there's a steady flood of timely material to analyze.
  • Zero-day detection – the ability to employ sophisticated analysis engines that specialize in "edge case" malware detection makes it easier to spot those real zero-day threats.
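To make the exchange described above concrete, here is a small Python model of the endpoint side of a cloud-assisted scanner. It is an added example, not code from this post or from any vendor's product; the cloud, its verdict table, the detection rule and the sample bytes are all constructed for illustration. It shows the three things the list above argues for (a hash-only query before any file leaves the host, a single analysis shared by every endpoint that later sees the same file, and a per-host cache) plus the decision a practitioner has to make that the list does not mention: what the endpoint does when the cloud cannot be reached, whether because the link is saturated or because the malware on the host has firewalled off the vendor's addresses.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict


class CloudUnavailable(Exception):
    """The analysis cloud could not be reached: outage, timeout, or the
    infected host's own malware has blocked the vendor's address space."""


@dataclass(frozen=True)
class ScanResult:
    verdict: str   # "clean", "malicious" or "unknown"
    source: str    # "cache", "cloud-hash", "cloud-analysis" or "offline"
    action: str    # what the endpoint does with the file: "allow", "block", "quarantine"


@dataclass
class FakeAnalysisCloud:
    """Hypothetical stand-in for a vendor's analysis cloud (not any vendor's real API).
    `known` maps SHA-256 hex digests to verdicts from analyses already performed,
    which is what makes "analyze it once, not on ten thousand desktops" work."""
    known: Dict[str, str] = field(default_factory=dict)
    reachable: bool = True
    uploads: int = 0  # full-file submissions that triggered an actual analysis

    def lookup(self, sha256: str) -> str:
        if not self.reachable:
            raise CloudUnavailable("hash lookup failed")
        return self.known.get(sha256, "unknown")

    def analyze(self, data: bytes) -> str:
        if not self.reachable:
            raise CloudUnavailable("file upload failed")
        self.uploads += 1
        # Constructed detection rule standing in for the sandboxing and
        # disassembly engines that are too heavy to ship to every desktop.
        verdict = "malicious" if b"CONNECT_C2" in data else "clean"
        self.known[hashlib.sha256(data).hexdigest()] = verdict
        return verdict


@dataclass
class CloudAssistedScanner:
    """Endpoint-side half of the exchange: cache, hash query, upload, offline policy."""
    cloud: FakeAnalysisCloud
    fail_closed: bool = True  # True: quarantine when no verdict can be obtained
    cache: Dict[str, str] = field(default_factory=dict)

    def _action(self, verdict: str) -> str:
        if verdict == "malicious":
            return "block"
        if verdict == "clean":
            return "allow"
        return "quarantine" if self.fail_closed else "allow"

    def scan(self, data: bytes) -> ScanResult:
        digest = hashlib.sha256(data).hexdigest()
        # 1. Local cache: a file this host has already had judged costs no traffic.
        if digest in self.cache:
            return ScanResult(self.cache[digest], "cache", self._action(self.cache[digest]))
        try:
            # 2. Hash-only query: nothing but a digest leaves the host unless needed.
            verdict = self.cloud.lookup(digest)
            source = "cloud-hash"
            # 3. Only a hash the cloud has never seen triggers a full upload.
            if verdict == "unknown":
                verdict = self.cloud.analyze(data)
                source = "cloud-analysis"
        except CloudUnavailable:
            # 4. Degraded mode: no verdict is possible, so policy decides the action.
            return ScanResult("unknown", "offline", self._action("unknown"))
        self.cache[digest] = verdict
        return ScanResult(verdict, source, self._action(verdict))


def demo():
    """Two endpoints sharing one analysis cloud; the sample bytes are constructed."""
    cloud = FakeAnalysisCloud()
    dropper = b"MZ\x90\x00 constructed sample ... CONNECT_C2 10.0.0.1:443"
    benign = b"MZ\x90\x00 constructed sample ... just an installer"
    host_a = CloudAssistedScanner(cloud)
    host_b = CloudAssistedScanner(cloud, fail_closed=False)

    first = host_a.scan(dropper)    # unknown hash -> upload -> analyzed exactly once
    second = host_b.scan(dropper)   # same hash from another host -> no second upload
    third = host_a.scan(dropper)    # answered from host_a's own cache
    cloud.reachable = False         # the bot blocks the vendor, or the link is saturated
    closed = host_a.scan(benign)    # fail-closed host quarantines the unverified file
    opened = host_b.scan(benign)    # fail-open host lets it run unverified
    return first, second, third, closed, opened, cloud.uploads
```

Two design points are worth noting. The hash-first step keeps file contents on the host until the cloud admits it has never seen them, which limits what leaves the organization; it still tells the vendor which hashes the host has, so the lookup channel itself needs to be treated as sensitive. And the `offline` branch is the whole product decision in miniature: fail-closed protects the host at the cost of blocking legitimate software during an outage, fail-open does the reverse, and a real endpoint would slot a local engine into that branch rather than choosing blindly.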

Hidden within these anti-malware analysis clouds lie each vendor's latest innovations. That said, at the end of the day we're still talking about desktop anti-virus as a protection platform, with a software component installed on the customer's (aka the "victim's") computer, which is worth a gripe all of its own. In a nutshell, desktop anti-virus suffers from three critical problems:

  1. Desktop anti-virus runs on a desktop operating system, side by side with other applications. There are too many ways for an attacker to inject malware onto the victim's computer and slip under the anti-virus product's protective gaze.
  2. The bad guys have access to all of these products and simply QA their latest malware samples against them to ensure that they evade detection. The malware they send out has already been proven to evade detection.
  3. If the bad guys have physical access to your protection technology, they will always be able to subvert and evade it.

An obvious remedy to these problems is to remove the protection elements from the bad guys' grasp. In particular, move them off the desktop.

Despite the obvious advantages of using the cloud for malware analysis, I find it stupefying that some folks have taken only a half-way step, moving off the desktop and onto a dedicated network appliance without making the logical leap to cloud-based malware analysis.

To be sure, there are a lot of products on the market that specialize in in-situ automated malware analysis. Earlier this year I discussed the canned sandboxing techniques that various vendors supply and a more detailed side-by-side comparison of the various Next Generation Anti-Virus [PDF] products. But, at the end of the day, why oh why would you want to run poisonous, evasive and downright dangerous criminal (and state-sponsored) malware inside your own organization's network? It's like setting off fireworks while you're still indoors!

Luckily, over the last couple of weeks there has been substantial advancement in this area. Multiple security vendors are now adding advanced cloud-based malware analysis and disassembly to their network protection platforms, augmenting their in-situ network detection systems with real-time advanced malware analysis, and doing it in such a way that it scales with the threat, provides the highest detection and analysis capabilities, and does so without increasing the appliance cost.

Last week Palo Alto Networks (PAN) announced their new WildFire cloud-based anti-malware defenses, and this week Damballa launched their free (included in the latest release of Damballa Failsafe) cloud-based malware analysis platform. (Disclaimer: I am employed by Damballa, Inc.) I'm sure that there will be a handful of additional announcements from other vendors over the next few months.

While cloud-based malware analysis is obviously the way to go in dealing with the advanced (and advancing) nature of the threat, I think there are still a bundle of questions that the industry will need to somehow figure out how to answer. In particular, as with most things "cloud", it's often a little foggy as to what's going on behind the scenes.

A key question going forward is going to relate to apples-to-apples comparisons between the various cloud-based malware analysis platforms and their capabilities in identifying and dissecting the latest threat advances. I suspect that vendors are going to have to be a little more transparent, perhaps providing insight into what underlying technologies they employ (e.g. virtual machines, emulators, bare-metal, KVM automation, etc.) when executing their malware analysis, and maybe even the pedigree of the folks tasked with supporting and innovating within that cloud framework.

In the future, customers are going to have to figure out which anti-malware cloud is better than the other. In the meantime though, it would appear that Next Generation Anti-Virus is finally proceeding down a path that actually makes an impact on malware-based cybercrime and targeted attacks.

By Gunter Ollmann, Chief Security Officer at Vectra

Related topics: Cloud Computing, Malware, Security



There's an obvious threat here that worms like Conficker have long been aware of
Suresh Ramasubramanian  –  Nov 16, 2011 3:35 AM PDT

Conficker was quite good at blocking off user access to various update and AV services, so the CWG's eye chart was a rather interesting way for a user to know he had Conficker.

Now, you speak about moving most if not all the protection logic onto the cloud. So, what about users whose internet connectivity is disrupted, either by heavy outbound traffic from a spambot that maxes out his pipe, or by deliberate action taken by the bot to firewall off security vendor IP space...
