At the time of writing, the news about Regin is lighting up security news sites, blogs and tweets. The full facts still haven't surfaced, and whilst some security vendors might try (foolishly) to spin their inability to protect their customers into positive news, it surely must prompt a radical rethink of the way we approach malware.
Personally, I've always held the view that the anti-virus/anti-malware approach is a little backward, because it is predicated on trying to protect against the unknown, which is an impossible task. Unless you dedicate a machine's CPU and memory to sandboxing every executable, it's a trade-off, and the net result is a combination of signatures and some basic heuristics. Given the proliferation of malware, and the endless variants produced by polymorphic malware (same behaviour, different bytes, so the old signature no longer matches), these old-fashioned approaches are simply no good any more.
If we sit back and think about what malware is, it is simply a piece of unauthorised code. In other words, it's an application or sub-routine that the user will most likely not want to run, be it a virus, worm, Trojan, spyware, adware, etc. This being the case, it raises the question of why we have continued for so long with a back-to-front approach to the problem. By this I mean: why are we still saying "allow any code to run unless we think, or know, it is malicious"? That is a default-allow policy, and it can only ever block what has already been seen.
Of course, I'm not the only person to say this. The alternative suggestion is to only allow "whitelisted" applications or code to run and to block anything else, i.e. a default-deny policy. For many IT managers, this approach is considered too onerous, primarily because it requires ongoing monitoring and maintenance of the list of permitted apps: every legitimate update to an approved application produces a new binary that has to be approved in turn. There have been several ways of achieving this, e.g. using host-based firewall/IPS type solutions, closing down the rights of users to prevent installation of apps or of any code that wishes to embed itself within the host OS, or even very OS-specific (i.e. Windows) solutions such as AppSense, which creates a "wrapper" around a host and its applications. A more recent addition in this space is from Avecto.
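To make the default-allow versus default-deny distinction concrete, here is an added example (my own illustration, not code from this post or from any of the vendors mentioned) that models both policies over a handful of constructed byte strings standing in for executables. The "binaries", their names and the hashes computed from them are all hypothetical; the point is that a rebuilt (polymorphic) variant of a known-bad file sails past the signature blocklist, while the hash allowlist blocks it and everything else that was never approved, at the cost of also blocking the vendor's next legitimate build until someone approves it.

```python
"""Default-allow (signature blocklist) versus default-deny (hash allowlist).

Added example; not code from the original post. The 'executables' below are
constructed byte strings and the hashes are computed at runtime, so nothing
here corresponds to any real malware sample or product.
"""
import hashlib

# Constructed stand-ins for executables (hypothetical content).
EDITOR_V1 = b"MZ\x90\x00 TextEditor 1.0 build 1001"
EDITOR_V2 = b"MZ\x90\x00 TextEditor 1.1 build 1042"      # legitimate vendor update
DROPPER = b"MZ\x90\x00 dropper: fetch payload, persist, beacon"
# Polymorphic rebuild of the dropper: identical behaviour, different bytes.
DROPPER_VARIANT = b"MZ\x90\x00 dropper: fetch payload, persist, beacon\x90\x90"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class SignatureBlocklist:
    """Classic AV model: run anything unless it matches a known-bad signature."""

    def __init__(self, known_bad: list[bytes]):
        # Signatures only exist for samples that have already been seen.
        self.signatures = {sha256_hex(b) for b in known_bad}

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) not in self.signatures


class HashAllowlist:
    """Whitelisting model: block everything unless its hash was explicitly approved."""

    def __init__(self, approved: list[bytes]):
        self.approved = {sha256_hex(b) for b in approved}

    def approve(self, data: bytes) -> None:
        """The ongoing maintenance step: each new build must be added by an admin."""
        self.approved.add(sha256_hex(data))

    def allows(self, data: bytes) -> bool:
        return sha256_hex(data) in self.approved


SAMPLES = {
    "editor_v1": EDITOR_V1,
    "editor_v2": EDITOR_V2,
    "dropper": DROPPER,
    "dropper_variant": DROPPER_VARIANT,
}


def decide(policy, samples: dict[str, bytes]) -> dict[str, bool]:
    """Return {sample name: allowed?} for each sample under the given policy."""
    return {name: policy.allows(data) for name, data in samples.items()}


def compare_policies() -> dict[str, dict[str, bool]]:
    """Run the same four samples through both policies and return the verdicts."""
    blocklist = SignatureBlocklist(known_bad=[DROPPER])  # signature written after first sighting
    allowlist = HashAllowlist(approved=[EDITOR_V1])      # only the deployed editor is approved
    return {
        "blocklist": decide(blocklist, SAMPLES),
        "allowlist": decide(allowlist, SAMPLES),
    }


if __name__ == "__main__":
    for policy_name, verdicts in compare_policies().items():
        print(policy_name)
        for name, allowed in verdicts.items():
            print(f"  {name:16} {'ALLOW' if allowed else 'BLOCK'}")
```

Running it shows the trade-off the paragraph above describes: under the blocklist the variant is allowed because its hash was never signatured, while under the allowlist the variant is blocked but so is editor_v2 until `approve()` is called for it. Real whitelisting products typically key on publisher signatures or paths rather than raw hashes to soften exactly that maintenance burden, but the default-deny principle is the same.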
One thing is for certain: if the level of sophistication seen with Regin is the shape of things to come, then it really is time to rethink the approach to malware. So maybe it finally IS time to junk that AV or anti-malware solution?