
Mind The Gap

Author

Type

Lightning Talk

Abstract

Today, in a world where thousands of malware samples are processed and signed every day, and numerous technologies exist for detecting hostile activity, it seems the security industry has never been in better shape. Static analysis, emulation, cloud reputation, and run-time behavior analysis are only a few of the detection mechanisms used to determine the security rank of a file.
It may therefore come as a surprise that we are still able to find simple malware samples (which did not employ any special 0-day vulnerability) that bypass most of the security mechanisms in some of the most prominent AV products. There is a gap between the AVs' sophisticated mechanisms and their ability to detect advanced targeted attacks. The reason lies in the automatic decision-making process, which is overly tolerant out of fear of false positives.
There are solutions to this problem, but none of them is sufficient. Cloud reputation attempts to solve it, but fails to deal with new or tailored attacks. Integrating human analysis is another option, although it is a very expensive and quite impractical one.
Consequently, a different approach is needed. Persistent logging and long-term analysis are necessary to increase the ratio between true detections and false positives. For example, examining the actions of a process over time might unveil its hostile intentions, and observing similar but unique behaviors across neighboring computers may reveal malicious goals. In order to successfully combat the unforeseen, centralized logging and continuous analysis are crucial.
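The two correlations the abstract argues for (a process scored over time, and the same multi-step behavior spread across neighboring hosts), as an added example that is not part of the talk. The events, action names, weights and thresholds are constructed for illustration; each single event scores below the threshold, so only the longitudinal and cross-host views flag anything.

```python
from collections import defaultdict

# Constructed sample events (not from the talk): (seconds, host, process, action).
EVENTS = [
    (0,    "ws-01", "updater.exe", "write_startup_key"),
    (3600, "ws-01", "updater.exe", "read_browser_db"),
    (7200, "ws-01", "updater.exe", "open_socket"),
    (7300, "ws-01", "updater.exe", "write_temp_exe"),
    (10,   "ws-02", "updater.exe", "write_startup_key"),
    (4000, "ws-02", "updater.exe", "read_browser_db"),
    (8000, "ws-02", "updater.exe", "open_socket"),
    (20,   "ws-03", "updater.exe", "write_startup_key"),
    (50,   "ws-03", "updater.exe", "open_socket"),
    (100,  "ws-01", "chrome.exe",  "open_socket"),
    (200,  "ws-02", "chrome.exe",  "open_socket"),
    (300,  "ws-03", "chrome.exe",  "open_socket"),
]

# Deliberately low per-action weights: no single event reaches THRESHOLD,
# which mirrors the tolerant per-file verdict the abstract describes.
WEIGHTS = {"write_startup_key": 2, "read_browser_db": 2, "write_temp_exe": 2, "open_socket": 1}
THRESHOLD = 5

def score_over_time(events, window=86400):
    """Highest weight each (host, process) accumulates inside a sliding window."""
    per_key = defaultdict(list)
    for ts, host, proc, action in events:
        per_key[(host, proc)].append((ts, WEIGHTS.get(action, 0)))
    best = {}
    for key, items in per_key.items():
        items.sort()
        start = running = top = 0
        for ts, w in items:
            running += w
            while ts - items[start][0] > window:   # drop events older than the window
                running -= items[start][1]
                start += 1
            top = max(top, running)
        best[key] = top
    return best

def flag_persistent(events, window=86400, threshold=THRESHOLD):
    """Processes whose behavior over time, not any one action, crosses the threshold."""
    return sorted(k for k, s in score_over_time(events, window).items() if s >= threshold)

def flag_spread(events, min_hosts=3, min_actions=2):
    """Processes repeating the same multi-step behavior on several neighboring hosts."""
    actions = defaultdict(set)            # (host, proc) -> distinct actions seen
    for _, host, proc, action in events:
        actions[(host, proc)].add(action)
    hosts = defaultdict(set)              # proc -> hosts where it showed >= min_actions steps
    for (host, proc), acts in actions.items():
        if len(acts) >= min_actions:
            hosts[proc].add(host)
    return sorted(p for p, h in hosts.items() if len(h) >= min_hosts)
```

Note that `updater.exe` on `ws-03` stays below the per-host threshold and is only caught because the cross-host view sees the same pattern on three machines.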