According to a report released in 2014 by Software Advice, 30% of security experts believe that the idea that antiviruses are becoming obsolete, given today’s mutating threats, is severely underrated. However, despite this clearly voiced concern, the popular belief still remains that networks are fully protected with up-to-date antivirus software. Contrary to what the name itself might suggest, there are serious limitations to what it is capable of doing. As in the case of every unfortunate medical prescription, “curing” security with a cost-efficient, yet ineffective solution can lead to undesired side-effects.
But let us take one step back and examine things more closely. An antivirus can protect your PC from the moment the system is launched until it is turned off. The real issue is the extent to which it can extend this protection, which is restricted to the perimeter of its signature database. You might ask yourself: “how does this affect me?” If you paid enough attention to our previous article (see here), you will know by now that cyber-threats are continuously evolving, faster than any antivirus is able to adapt. In other words, you can only be inoculated against known viruses; otherwise, the antivirus “shot” you so determinedly administer to your information system will only give you a false sense of security. Not being able to ensure protection against attacks that are specifically targeted and coded, foreign to the existing virus signature database, renders all scans null.
The problem, as with all virus outbreaks, is that a cyber-threat can only be officially identified by antivirus editors once it has already successfully infected several entities and spread unnoticed among the masses. That is, until someone finally takes notice of its presence and alerts software suppliers, proving once more that the process has its flaws. Here, other methods employed by antivirus software editors come to the surface. A sandbox, for instance, is a container used by antiviruses, placed around a running application, ensuring none of the mess inside spreads throughout the “playground”. It is the quarantine meant to prevent untrustworthy applications from jeopardizing the integrity of your operating system.
Then there is also heuristic analysis, the equivalent of experimental treatment in cybersecurity. Basically, the programming commands of a suspiciously behaving program are executed within a specialized VM (virtual machine), an environment that simulates a computer completely separate from the real-world machine. It then proceeds to play out the scenario of what repercussions that particular file may have. If viral activities are detected, the user receives a message alerting him or her to its potentially unsafe nature.
Yet, these approaches also have their drawbacks. Being based on the comparison of suspicious programs with the code of already-known viruses, the likelihood of overlooking newly concocted ones is quite high. This is even more the case when confronted with APTs, malicious behaviors, morphing viruses, phishing and other malware & user actions, which elude or circumvent traditional or basic security measures. These new threats trigger the dire necessity of a new security paradigm.
Luckily, these attacks often leave behind signs of their passing, much like the symptoms before catching the flu. If we were to pay enough attention to these signals, however weak, and catch on to them beforehand, we might just be able to put a stop to the threat before it becomes a full-blown epidemic. But when it comes to identifying weak signals hidden in massive amounts of data, current tools don’t stand a chance. Given that security tools cannot be selective enough and, more often than not, hand potential anomalies over to human judgment, analysts everywhere are overwhelmed. As such, ITrust proposes the Reveelium solution, developed to cure this issue by analyzing billions of system events and logs, in real time, on a daily basis, identifying anomalies in a system’s behavior as they occur and determining at the same time which ones are most likely to pose security threats.
Reveelium is meant to bridge the intelligence gap that antiviruses are confronted with and to cure all side-effects, bringing detection times down from a typical 12 months to 1 week and reducing false positives by 95%. It can identify the symptoms of all malicious behaviors through its automated anomaly detection system, built as a 3D technology comprising: a weak signal detection engine, the result of extensive research into mathematical algorithms (1); a correlation engine, based on the experience of system engineers and security consultants (2); a global knowledge base, Reveelium’s experience repository, which collects, abstracts and shares the behaviors identified across Reveelium users (3).
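To make the article’s two points concrete, here is an added example (not code from the article or from ITrust/Reveelium) that contrasts the signature lookup an antivirus relies on with the baseline-and-correlation approach described above. The sample bytes, the host names `ws01`/`ws02`, the daily event counts and the 3-sigma threshold are all constructed for the illustration; a real deployment would build its baseline from far more history and tune the threshold per event type.

```python
"""Added example: a hash signature misses a one-byte variant, while a per-host
baseline over daily event counts flags the 'weak signals' it leaves in the logs.
All data below is constructed for illustration."""
import hashlib
import statistics
from collections import defaultdict

# --- Part 1: signature-based detection, limited to what is already in the database

# Constructed stand-in for a known malicious sample; the "database" holds its hash.
KNOWN_SAMPLE = b"SAMPLE-v1: open socket; read clipboard; send"
SIGNATURE_DB = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

# A variant differing by a single byte behaves the same but has an unknown hash.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"v1", b"v2")


def signature_match(payload: bytes) -> bool:
    """Exact-hash lookup: only samples already in the database are caught."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURE_DB


# --- Part 2: baseline anomaly detection and correlation over daily log aggregates

# Constructed daily aggregates, one per line: "<date> <host> <event> <count>".
BASELINE_LOGS = """\
2014-10-01 ws01 outbound_conn 11
2014-10-02 ws01 outbound_conn 9
2014-10-03 ws01 outbound_conn 12
2014-10-04 ws01 outbound_conn 10
2014-10-05 ws01 outbound_conn 8
2014-10-06 ws01 outbound_conn 11
2014-10-07 ws01 outbound_conn 10
2014-10-01 ws01 failed_login 1
2014-10-02 ws01 failed_login 0
2014-10-03 ws01 failed_login 2
2014-10-04 ws01 failed_login 1
2014-10-05 ws01 failed_login 0
2014-10-06 ws01 failed_login 1
2014-10-07 ws01 failed_login 1
2014-10-01 ws02 outbound_conn 20
2014-10-02 ws02 outbound_conn 22
2014-10-03 ws02 outbound_conn 19
2014-10-04 ws02 outbound_conn 21
2014-10-05 ws02 outbound_conn 20
2014-10-06 ws02 outbound_conn 22
2014-10-07 ws02 outbound_conn 21
"""

# The day under review: ws01 suddenly talks out a lot and installs a service.
NEW_DAY_LOGS = """\
2014-10-08 ws01 outbound_conn 95
2014-10-08 ws01 failed_login 1
2014-10-08 ws01 new_service_install 1
2014-10-08 ws02 outbound_conn 23
"""


def parse(log_text):
    """Yield (date, host, event, count) tuples from the aggregate format above."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, host, event, count = line.split()
        yield date, host, event, int(count)


def build_baseline(log_text):
    """Per (host, event): mean and population std dev of the daily count."""
    series = defaultdict(list)
    for _, host, event, count in parse(log_text):
        series[(host, event)].append(count)
    return {k: (statistics.mean(v), statistics.pstdev(v)) for k, v in series.items()}


def detect_anomalies(baseline, log_text, z_threshold=3.0):
    """Return (host, event, reason) for counts far from baseline or never seen."""
    alerts = []
    for _, host, event, count in parse(log_text):
        key = (host, event)
        if key not in baseline:
            alerts.append((host, event, "never seen before"))  # weak signal
            continue
        mean, sd = baseline[key]
        if sd == 0:  # constant history: any change at all is a deviation
            if count != mean:
                alerts.append((host, event, "constant baseline violated"))
            continue
        z = (count - mean) / sd
        if abs(z) > z_threshold:
            alerts.append((host, event, f"z={z:.1f}"))
    return alerts


def correlate(alerts, min_alerts=2):
    """Correlation step: hosts with several independent anomalies rank first."""
    per_host = defaultdict(list)
    for host, event, reason in alerts:
        per_host[host].append((event, reason))
    return {h: a for h, a in per_host.items() if len(a) >= min_alerts}


if __name__ == "__main__":
    print("known sample caught:", signature_match(KNOWN_SAMPLE))
    print("variant caught:     ", signature_match(VARIANT_SAMPLE))
    found = detect_anomalies(build_baseline(BASELINE_LOGS), NEW_DAY_LOGS)
    for alert in found:
        print("anomaly:", alert)
    print("hosts to escalate:", sorted(correlate(found)))
```

Running it shows the variant slipping past the hash check while `ws01` is escalated on two independent signals (an outbound-connection spike at z≈68 and an event never seen before); `ws02`’s slightly elevated count stays under the threshold, which is what keeps the false-positive rate manageable.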