MITRE Security Tests Reveal Built-in Advantage of First-Gen Antivirus Vendors (esecurityplanet.com) 17
Slashdot reader storagedude writes: The MITRE cybersecurity product evaluations use adversarial attack techniques instead of basic malware samples, and as a result are the best tests of enterprise security products — particularly in light of dramatic recent attacks on SolarWinds and Colonial Pipeline.
What's especially interesting is just how well first-generation antivirus vendors like Symantec, McAfee and Trend Micro have fared in the MITRE tests. An eSecurity Planet article analyzes the data and speculates on why the old guard may have a built-in advantage over the hot upstarts:
"They may have been overshadowed in recent years by some of the flashy marketing of the upstarts, but that long history gives the old guard a product depth that's tough to beat," eSecurity Planet wrote. "Just one example: Symantec was prepared for last year's SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware.
"In cybersecurity, experience still counts for something."
What's especially interesting is just how well first-generation antivirus vendors like Symantec, McAfee and Trend Micro have fared in the MITRE tests. An eSecurity Planet article analyzes the data and speculates on why the old guard may have a built-in advantage over the hot upstarts:
"They may have been overshadowed in recent years by some of the flashy marketing of the upstarts, but that long history gives the old guard a product depth that's tough to beat," eSecurity Planet wrote. "Just one example: Symantec was prepared for last year's SolarWinds hack because it long ago faced attacks when hackers tried to disable endpoint agents, a primary vector for the Sunburst malware.
"In cybersecurity, experience still counts for something."
Even if not much for the rest of the industry (Score:5, Interesting)
"In cybersecurity, experience still counts for something."
The rest of the industry however suffers severely from ageism. Not surprising when the silver bullet means everything. Even when studies show older IT workers are actually the most flexible and cope with change better [cio.com], because they've learned about how to get around issues and don't expect that everything will just work; and other things like you can't release something unless it passes all the dogma tests (ignoring that if it isn't out the door, the company is losing money on it, rather than making it). I think it should be obvious that this is part and parcel with the surprise this article seems to express. Experience always counts.
Re: (Score:3)
Re: (Score:3)
In this case, yes, you can say that younger people are preferred. That can be verified. But you can not imply that it is discrimination or hate.
FTFY:
In this case, yes, you can say that younger people are preferred. That can be verified. And you can imply that it is discrimination.
One: discrimination is not necessarily hate.
Two: Choosing not to hire from one group in favour of another, when both can do the same job, or when the group not chosen can actually do a better job IS discrimination. Regardless of motive.
Re: (Score:2)
Arms Race (Score:4, Interesting)
I wonder if we're approaching or maybe have even reached the point where malware authors [not nation state, but traditional cyber criminal gangs] are reverse-engineering these common products to look for feature gaps that they can exploit?
For example, [happy to be corrected] my understanding is that modern AV systems use at least three basic methods of malware detection:
1. Pattern Matching - where the product has a database of malware signatures and scans files against this "known bad" list looking for matches...
2. Heuristics - where the product performs the equivalent of "fuzzy matches" against code; less reliable, but it's looking for something that approximates to "known bad"...
3. Behavioural - the most sophisticated but potentially risky - where the product "watches" executing code in real time and alerts/blocks code that begins to act in suspicious ways...
We've known for a long time that malware authors have developed work-arounds for the better known AV and anti-malware products. As these software packages get more advanced, the attackers are going to use more and more sophisticated techniques to work around them...
Years [and years] ago, I came across a piece of software that was protected by a solution so invasive that I couldn't get the software to load or run. Armed with a few basic tools [mainly I was using a real-time debugger] I decided to step through the code to see if I could figure out what it was doing. One step involved loading a 256-byte sector from disk as a data block, then perform a series of byte-level transformations on the data. Because I was running the code in the debugger, I was able to "see" the data from the sector as it was manipulated. During one such byte-wise operation [in the middle of several] the seemingly random characters in this sector were transformed by a simple XOR transformation to the text, "Does your mother know you do this?".
I remember it well, mainly for the fact that it made me laugh out loud at the time.
But it's a good example of a counterpoint to the observation made by the OP... That otherwise innocuous message could equally easily have been a short block of malware, dressed up to look like data, loaded in to RAM like data, then converted back to executable code with a trivial loop of code.
My hunch is that as our OS platforms evolve, the sort of protections we see given to the OS and drivers [i.e. digitally signed code] is going to become the norm, that we're going to see much more emphasis placed on chain-of-trust solutions, of OS code-loading routines for which the default is to check signatures and maybe even to allow us to tailor system level access on the degree to which we can trust code. We're already at the point where micro-virtualization is pretty much an OS feature now, where everything runs in a detonation chamber and/or has to be affirmatively trusted. Or at least, we should be.
Expect more attacks against the actual software vendors, especially targeting code-signing solutions.
Re: (Score:3)
A security vendor hired by my workplace loves to pass out scary security training materials that begin with something like "To make a secure computing environment, the first option is get rid of the users." which may be a poor attempt at humor but which also obliquely refers to firing everyone. "The next option is to train them." which they proceed to largely fail to do. No mention whatsoever of candy drops yet I alone have found four thumb drives in our parking lot in a year. Dude. Come on. What good is
Name me one industry (Score:1, Troll)
where experience is not an advantage.
And I'm not talking about the mythical 20-something or 30-something CEO. I'm talking about the 40 or 50 year old engineers and designers and managers whose names you likely will never hear who make the trains run on time.
Re: (Score:2)
Re: But that Redmond-based software company (Score:2)
Old-guard in a can. (Score:2)
Be nice if the "old-guard" put some of that expertise into a UniFi Dream Machine Pro. That's where it's really needed covering every machine connected. Plus the modern internet very hostile and needs high grade security.
Most Gen 1s do behavioural analysis (Score:3)
They already had code which did behavioural analysis and picked malware by single-stepping through it and picking "typical virus" patterns then. 25 years ago. As this was long before the days when IPR became a thing, they took their work with them to the anti-virus vendors. In fact, they were hired for it (and with it).
If this was available then, there is no reason for it not to be deployed now.
behavioural analysis (Score:2)
They already had code which did behavioural analysis and picked malware by single-stepping through it and picking "typical virus" patterns then.
Was TBAV (Thunder Byte Antivirus) the first one commercially deployed with such capabilities? I'm not sure I remember exactly which was the one
Any way, viruses pretty quickly moved onto finding way to have different behaviour when ran inside such simulator and then on the real OS (beginning with things as simple as checking the time, and then moving onto more complex as the cat-and-mouse game between antivirus developpers and virus writers went on).