
Closing The Gap In Malware Detection

Introduction

Despite continued and increased investments in security (in 2013, enterprises spent more than $13 billion on firewalls, intrusion prevention systems, endpoint protection platforms and secure Web gateways), it is clear that the battle against malware has not improved.

On the contrary, highly publicized breaches, together with the even more famous revelations about state-sponsored spying activities, continue to carve out a perception of very high general risk and of porous, indefensible networks.

As Gartner says, «all organizations should now assume that they are in a state of continuous compromise» ("Designing an Adaptive Security Architecture for Protection From Advanced Attacks", published 12 February 2014). According to the Verizon Data Breach Investigations Report, 85% of the attacks remained undetected for weeks or more, and 92% of the attacks were not detected by the organizations themselves. It is very likely, then, that the overall risk has remained at similar levels in the past.

As Donald Rumsfeld once said, "there are things we do not know we don't know".

The Detection Gap

In an internal study conducted by PandaLabs between January and June 2013, all malware samples collected on a daily basis were tested against a large number of antimalware products. A relatively high percentage of the malware released in the wild is not being caught in time. In fact, even one year after the malware was collected, close to 1% of the samples were still not detected (over 70,000 samples in absolute terms). The results illustrate the gap that always exists in products focused on detection.

Figure 1. Malware not Detected by AV Industry


Source: Panda Security

Figure 2. Percent of breaches where time to compromise / time to discovery was days or less


Source: Panda Security

Source: Verizon Data Breach Investigations Report 2014. Attackers are getting better at compromising systems faster than the security industry is able to discover the compromise (the gap is widening).

What Is Panda Adaptive Defense?

Panda Adaptive Defense is a security solution, aimed at enterprise customers, that validates 100% of the applications running in an organization. It consists of an agent sitting at the endpoint and a cloud-based infrastructure, together with continuous back-end assistance from analysts at PandaLabs.

Panda Adaptive Defense transparently classifies all executable programs (PE files) running at the endpoint, with a guaranteed accuracy close to 100% (99.999%). It also provides application, data and OS hardening (behavior enforcement) as another baseline layer, to ensure that commonly used applications are not successfully exploited through existing vulnerabilities, and that sensitive OS areas are not accessed abnormally.

Additionally, it provides forensics traceability in case of an incident (answering the what, when, who and how of attacks).

Panda Adaptive Defense can block executable code before it is allowed to run (extended blocking mode) or right after it starts (base blocking mode). PAPS may also automatically clean infections in case of an incident, depending on the service package contracted by the customer.


Principles

Panda Adaptive Defense is based on 3 principles:

Continuous monitoring.

All execution events are recorded and classified for early warning, traceability and incident forensic purposes. All event logs are available to the admin and are fully searchable, providing additional insight into exactly what applications are doing, how they are used, by whom, which connections are established, with which countries, when, etc.

Continuous classification of running executables.

All executables running in memory are classified with a guaranteed accuracy close to 100%, using local and cloud-based systems, correlated with locally collected data but also with multiple other contextual data, third-party intelligence and Panda's big data analytics engine. Human-assisted classification is also performed in exceptional cases, and particularly during the initial deployment phase.

Additionally, programs must keep behaving accordingly in order to maintain their trust. The probability calculations that determine the level of confidence are based on proprietary clustering technology and on the empirical and historical data of all files (malware and goodware) ever seen and classified by Panda in the past. Probabilities are re-calculated continuously as new inputs arrive, performing retrospective analysis of all previous classifications.

Transparency/Convenience.

No admin or end-user input (e.g. creation of whitelists, configuration of parameters, etc.) is needed for the service to work.

Once deployed, the agent will discover, profile and classify executable files on its own and in combination with the system in the cloud. Since Panda Adaptive Defense is a managed service offered by Panda Security, rather than a self-contained product, it eliminates the recurring tasks admins need to perform when using other security solutions against advanced threats, such as prioritizing and managing alerts of suspicious activity coming from the monitoring of indicators of compromise. There are no such alerts in PAPS. All alerts indicate the presence of confirmed malware; suspiciousness is handled entirely by the service, transparently for admins.

PAPS also eliminates the need to whitelist applications or to establish exception and approval processes, since all executable software trying to run will be classified by the system.

Main Benefits

How PAPS helps companies solve the problem of inadequate protection:

  1. Closes the detection gap that traditional endpoint protection products have.
  2. Drastically reduces the time spent investigating security incidents. All alerts coming from PAPS are confirmed.
  3. Minimizes remediation costs in case of an incident, through automated disinfection.
  4. Answers what a traditional product cannot: the what, who, when and how of security incidents.
  5. Reduces endpoint security management costs.

Additional benefits of Panda Adaptive Defense

  1. Provides real-time visibility of all activity that happens at the endpoint, enabling admins to easily capture potentially "risky" events or policy violations.
  2. Requires much less attention than other endpoint protection products.
  3. Does not require any management infrastructure.
  4. Does not require uninstalling existing security defenses.
  5. High-performance protection for virtualized desktop environments.


PAPS' intelligence inputs:

  • Threats - External.
  • User community.
  • Threats - Internal (PandaLabs).
  • Vulnerability info.
  • Context.
  • Software repository.

Real-time event monitoring on endpoints:

  • Processes, services, PEs.
  • Communications.
  • Registry.
  • Downloads.
  • Hooks.
  • etc.

Admin capabilities:

  • Malware alerts.
  • Forensic reports.
  • Event search.

Detective Capabilities

Malware today uses numerous tricks to evade detection by security products. It hides behind a benign appearance, not performing any conspicuous actions at once but slowly, over the course of days or weeks. That is why it becomes necessary to continuously monitor all actions of all executables. A first classification of an executable, upon its first execution, may not reveal a malicious nature. Malware can wait to receive instructions, or to hit upon certain conditions in its context, before it starts showing malicious behavior or intent. Besides, legitimate programs may also contain vulnerabilities which can be exploited to make them perform malicious actions.

Panda Adaptive Defense monitors all execution events of all executables. Any new behavior or anomaly in the execution profile of an already classified executable triggers a re-classification, which takes into account not only the behavioral traces but also the dynamic and static context of the executable (parent process, path, etc.).

As an integral part of the service, customers receive alerts only on confirmed malware incidents. Any suspicious activity or executable will always be fully resolved by Panda until it is either ruled out or confirmed. This generates important cost savings for security departments, which normally need to sift through many alerts of "potential" incidents.

"Respond" capabilities.

Once a malware incident is confirmed, an alert is sent to the administrator together with all available forensic information, including dwell time (how long the executable was present in the systems prior to its classification as malware), which machines/users were affected, what the executable did and when, how it infiltrated the system, which vulnerabilities were present in the applications running at the endpoint, and which data was accessed in the attack and when.

Complete remediation services of incidents are also available to customers as a professional service.

Reporting and alerts.


Screenshot. Visual timeline of actions performed by malware.

Alerts are sent to the administrator and are also available in a web-based console, together with their associated forensic report. For every incident, a visual representation of the attack is offered, showing the entities, communications and actions involved, and the timeline of events.

Advanced search.

All the activity inputs collected and processed by PAPS, for all executables, can be searched, filtered, or plotted in charts and graphs. The visibility and granularity of events allow for additional use cases, such as the discovery or identification of running applications in real time, usage data (which programs are being used, by whom, and when), geolocation of communications, and potential misuse of data.

How Panda Advanced Protection Service Works


Source: Gartner, Designing an Adaptive Security Architecture for Protection From Advanced Attacks, Neil MacDonald, February 2014

1. Deploying the agent:

After choosing the proxy configuration, the agent (an MSI or exe) should ideally be deployed on all machines in the network using Active Directory policies if available, although it can be deployed by any other means with the appropriate administrative permissions.

Once the PAPS agent is installed, it starts gathering general information about the machine and it registers on the service, enabling a unique association of the machine with the customer and the events collected.

2. Monitoring events and application profiling:

Once registered, the agent starts monitoring the activity of all running executables. Some of the events collected are:

  • File downloads.
  • Software installation.
  • URL to file download.
  • Hosts file modification.
  • File age.
  • Driver creation.
  • Window hook/unhook.
  • Process communications (IPs, ports, protocols).
  • PE creation, modification.
  • DLL load.
  • Service creation.
  • PE mapping.
  • File delete/rename.
  • Folder creation.
  • Archive creation/open.
  • Registry key creation/modification.
  • Thread creation on remote process.
  • Kill process.
  • SAM access.
  • Data access (over 200 file formats).
  • Etc.

All running executables are profiled and classified. Classification is based on a continuously updated knowledgebase of goodware and malware, and on the analytics of static, dynamic (observed behavior locally and at the community) and contextual inputs of every executable file.

3. Preventive capabilities:

3.1. Known malware is immediately blocked, using a combination of agent and cloud-based intelligence.

3.2. Commonly-used applications such as Java, Adobe, Microsoft Office and browsers are generically protected against exploit-based attacks, using contextual and behavioral rules which prevent their exploitation.

3.3. Data and certain sensitive areas of the Operating System are hardened against unauthorized access by third party applications, allowing access to those legitimate applications which have been profiled and classified during the deployment period.

All executables are classified with an accuracy of almost 100% (99.999%). Executables classified as malware are automatically blocked. Applications can be blocked pre- or post-execution, based on the policy chosen by the administrator. That is, under a pre-execution block policy ("extended blocking"), executables that are unclassified at the time of execution are blocked until their classification is resolved. On the other hand, under a post-execution block policy ("base blocking"), executables that are unclassified at the time of execution are allowed to run until their classification is resolved, and are only blocked if they are confirmed as malware.

Classification usually takes seconds or minutes, and exceptionally a few hours.

3.4. Legitimate programs can also be blocked based on a black list specified by the administrator, out of productivity reasons or other concerns.
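The following is an added illustration, not code from Panda Security or the PAPS agent, of the decision logic described in this section and in the "Detective Capabilities" and "Respond" sections: the pre-execution ("extended") versus post-execution ("base") blocking policy for unclassified executables, re-classification of an already trusted executable when it shows an anomalous event, and the dwell-time figure reported in the forensic alert. The classification backend is replaced by a caller-supplied lookup function, and the anomaly event set, hash value and timestamps are constructed for the example; none of them are values from the page.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Optional


class Verdict(Enum):
    UNCLASSIFIED = "unclassified"
    GOODWARE = "goodware"
    MALWARE = "malware"


class BlockPolicy(Enum):
    EXTENDED = "extended"  # pre-execution block: unknowns wait for a verdict
    BASE = "base"          # post-execution block: unknowns run until confirmed malware


# Events that, when produced by an executable already classified as goodware,
# are treated as anomalies that force a fresh verdict. Constructed subset of the
# event types listed in the text (assumption: the real agent's rules are richer).
ANOMALY_EVENTS = {
    "thread_creation_on_remote_process",
    "sam_access",
    "hosts_file_modification",
}


@dataclass
class Executable:
    sha256: str
    first_seen: datetime                 # first time the file appeared on the endpoint
    verdict: Verdict = Verdict.UNCLASSIFIED
    classified_at: Optional[datetime] = None


def execution_decision(exe: Executable, policy: BlockPolicy) -> str:
    """Allow/block decision taken at execution time under the chosen policy."""
    if exe.verdict is Verdict.MALWARE:
        return "block"
    if exe.verdict is Verdict.GOODWARE:
        return "allow"
    # Unclassified: extended blocking holds the file until a verdict arrives;
    # base blocking lets it run and blocks only once malware is confirmed.
    return "block" if policy is BlockPolicy.EXTENDED else "allow"


def apply_verdict(exe: Executable, verdict: Verdict, now: datetime) -> None:
    """Record a verdict from the (simulated) classification backend."""
    exe.verdict = verdict
    exe.classified_at = now


def observe_event(exe: Executable, event: str, now: datetime,
                  lookup: Callable[[str], Verdict]) -> str:
    """Record a runtime event; an anomaly from a trusted executable triggers
    re-classification through the supplied lookup (stand-in for the cloud)."""
    if exe.verdict is Verdict.GOODWARE and event in ANOMALY_EVENTS:
        exe.verdict = Verdict.UNCLASSIFIED
        exe.classified_at = None
        apply_verdict(exe, lookup(exe.sha256), now)
    return exe.verdict.value


def dwell_time(exe: Executable) -> Optional[timedelta]:
    """Time the executable was present before being classified as malware,
    or None if it has not (yet) been confirmed as malware."""
    if exe.verdict is not Verdict.MALWARE or exe.classified_at is None:
        return None
    return exe.classified_at - exe.first_seen


if __name__ == "__main__":
    t0 = datetime(2014, 3, 1, 9, 0)                   # constructed timestamp
    exe = Executable("00" * 32, first_seen=t0)        # constructed placeholder hash
    print("unknown under extended:", execution_decision(exe, BlockPolicy.EXTENDED))
    print("unknown under base:", execution_decision(exe, BlockPolicy.BASE))
    apply_verdict(exe, Verdict.GOODWARE, t0 + timedelta(seconds=30))
    backend = lambda sha: Verdict.MALWARE             # constructed: backend now says malware
    print(observe_event(exe, "dll_load", t0 + timedelta(days=1), backend))
    print(observe_event(exe, "sam_access", t0 + timedelta(days=3), backend))
    print("dwell time:", dwell_time(exe))
```

The two policies differ only in what happens while a verdict is pending; once the backend returns a verdict, both converge on the same allow/block outcome. Dwell time is measured from first appearance, not from the moment the anomaly was seen, which is why a late re-classification of a previously trusted file yields a dwell time of days rather than seconds.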
