The Fight Against Malware Has Moved Skyward

 Author: Evan Thomas, EvanT@gladtech.net

Like most of you, I have been inundated over the past few years with news surrounding cloud computing and what it means for the future of information technology.  What you may have missed in the deluge of information is that many security vendors are now moving their malware defenses to the cloud.  The shift away from traditional desktop software anti-virus applications to cloud-based monitoring for malicious traffic will have a profound impact on the way IT administrators and end users view malware protection in the near future.   “What does this mean for my users?” and “What are the advantages to cloud-based malware detection?” may be a few of the questions you’re asking yourselves. 

Many desktop anti-virus (AV) vendors have been utilizing the cloud to analyze suspicious files for years (with or without your knowledge).  This process involves software ‘agents’ installed on user machines sending copies of the file(s) to the vendor’s cloud service to be analyzed with the findings of that analysis pushed down to the software application running on the desktop.  Only recently have these same vendors started touting the “cloud” part of their analysis due to the industry’s apparent increased comfort with cloud computing overall.  The one area where the industry will need to improve to have wider scale acceptance of this method is in the secrecy behind how vendors actually perform their analysis. 

So, why have vendors moved their analysis to the cloud?  The advantages gained from using the cloud for AV protection are numerous.  Gunter Ollmann, the VP of Research for the computer security firm Damballa, compiled the following list:

• Scalability – the ability to keep pace with the ever-increasing volume of new malware.
• Efficiency – instead of analyzing the same piece of malware on ten thousand desktop computers, why not do it just once?
• Improved engines – there’s only so much technology you can push down to a desktop.  Advance malware detection needs sophisticated automated analysis and dissection technologies that are too big to run side-by-side with Microsoft Excel®.
• Global visibility – there are numerous advantages in being able to see a new piece of malware early on in its lifecycle.  Having thousands or millions of “sensors” (i.e. customer deployments) means that there’s a steady flood of timely material to analyze.
• Zero-day detection – the ability to employ sophisticated analysis engines that specialize in “edge case” malware detection makes it easier to spot those real zero-day threats.

What does this mean for your end users?  If you are still employing a signature-based anti-virus solution as your main endpoint protection, then you are placing yourself in a high-risk situation.  To those of you non-technical folks out there, signatures are pieces of known malicious computer code that are used to compare against files on your computer.  One of the main reasons for this increased risk is the bad guys are able to obtain the same AV products you are using and can actually test their malicious code against these products to see if any alerts are triggered.  By moving away from signatures and to the “cloud,” the theory states that these nefarious characters will not have access to the “secret sauce” used by vendors for detecting and removing malicious files. 

If you are feeling nervous to dive right into cloud-based malware products for all of your users, I would suggest starting to familiarize yourselves with some of the new technologies available in the market today.  The consensus in the security industry today is that the traditional, in house or on your premise approach is simply losing the battle against cybercriminals.  The result will be that by moving to a more global approach to malware defense, we can protect our users (and information) from falling into the wrong hands.