Trusted Strategies Position Paper
Avinti Stops Day-Zero E-mail Viruses
By John R. Muir, Managing Partner
Trusted Strategies Opinion: Avinti's innovative day-zero anti-virus solution combines perimeter isolation with managed "virtual machine" simulations to prevent infection by unknown viruses that spread via e-mail. This technology provides greater security with less administration effort than competing products, and helps make iSolation Server a high-value addition to existing anti-virus protection.
New, unknown threats pose the biggest problem because signature recognition provides no defense
Virus attacks continue to escalate in frequency and severity. An article in ZDNet claims "computer virus attacks cost global businesses an estimated $55 billion in damages in 2003, a sum that is expected to increase this year." (ZDNet Security News, January 2004)
In a press release disclosing the results of a major survey on virus attacks, ICSA states that 88% of the companies surveyed in 2003 thought the problem was "worse" or "much worse" than in 2002. The survey also discovered that in 2003 the cost per major incident rose 23% to $100,000. (ICSA Press Release March 22, 2004)
“Companies spend an enormous amount of money and energy defending against malicious code. These organizations are too often surprised by new malcode vectors and methods and then spend even more money and resources recovering from virus and worm disasters. The reemergence of ‘outbreak events’ and the success of mass mailers in early 2004 illustrates that organizations are not making enough progress in their defense against malicious code.” – ICSA press release March 22, 2004
Signature recognition AV systems are reactive and can't stop new, unknown threats
From the time computer viruses were first recognized as a threat, the standard prevention technique has been to implement scanning technologies that look for specific code known as the virus "signature". Unfortunately, virus signatures take time to recognize and distribute, thus creating a window of vulnerability that ranges from a few hours to a few weeks or longer, depending upon both the quality of the anti-virus service and the diligence of system administrators. However small, this window constitutes a significant threat in a world where viruses can afflict large portions of the Internet in minutes.
Nine of the 10 most significant viruses in 2003 were mass-mailers: viruses that harvest addresses from the infected PC's e-mail address book and mail copies of themselves to every contact found. The subversion of the most popular Internet application makes the problem intractable because eliminating e-mail is simply not an option. Worse still, the economics favor the attacker; it is much cheaper to create and release a self-replicating virus than to rapidly identify it and distribute a fix worldwide.
Alternative types of anti-virus solutions are not very effective in combating zero-day viruses
In response to the destructive potential of day-zero viruses, four additional types of defense have been developed. The first is the "sandbox" approach, where each PC runs client software that creates, in effect, an isolation chamber in which an application is allowed to open a suspect file while the results are examined for dangerous behavior. Unfortunately, PC sandbox programs have inherent problems, not the least of which is that a proper test and evaluation requires a large number of variables to be considered and correctly interpreted. This complexity leads security administrators to "tune" the system conservatively for safety's sake, which in turn produces a large number of false positives that annoy and confuse PC users. Moreover, sandbox programs must be deployed and updated on each PC, which adds to the administrative burden, and they consume considerable PC resources and affect performance. Conceptually, the worst aspect of PC sandbox programs is that the suspect content is already inside the network when it is examined, so a failure on any single PC can become a failure of the entire network.
A second class of security programs attempts to restrict the availability of certain functions that viral code is likely to use to spread. While useful, these programs cannot really predict which functions will be used for subversion and as a result frequently interfere with legitimate program execution. Note that this technology reacts to the presence of a virus but does not actually prevent it from gaining a foothold.
The third type of defensive product constantly scans the network looking for behavior that is consistent with viral attacks such as unusual levels of e-mail activity on legitimate ports. This approach makes sense because it should detect a spreading problem in time to halt widespread damage. Nevertheless, this approach is more akin to fire reporting than fire prevention, and is based on the assumption that viral behavior follows discernible patterns that can always be detected.
The fourth type of product sits at the network perimeter and scans content to look for anomalies, combinations of objects and certain types of code. The difference between this approach and signature recognition is that content scanning looks for unusual rather than specific traits. Obviously this approach is valid only to the extent that dangerous or new patterns can be detected, and can potentially lead to numerous false positives if the logic is not highly refined. Scanning all content can also lead to performance degradation unless a high-performance platform is utilized.
Avinti is first to prevent day-zero viruses with "virtual machine" technology on a scalable gateway platform
Avinti takes a fresh approach that prevents virus infections by isolating suspicious e-mail and attachments at the perimeter and observing their behavior inside "virtual machine" modules to determine what the content actually does. At its core, Avinti's iSolation Server™ disregards any façade virus creators place on an e-mail and instead rigorously determines the functionality of the e-mail code, that is, what the code actually does when run. This proactive technique avoids reliance on signature matching, content scanning, or early alarms, and so sharply reduces both false positives and false negatives.
Bear in mind that known viruses can be easily screened out by existing signature-based AV products, whereas iSolation Server targets unknown or day-zero viruses. Thus iSolation Server is complementary to existing AV installations and forms part of a layered defensive strategy.
Due to its richness, no single analogy adequately describes iSolation Server technology. But in one sense it is like an airport baggage security system that imposes a succession of screens of increasing strength. First, it quickly scans the contents of all bags and whisks through those that contain no solid objects, then puts bags with solid objects through additional screening, including checks for explosive chemicals. Bags that contain an obvious threat are quickly quarantined and destroyed.
But after all these screens, there still remain other bags containing objects that cannot be recognized and so they must be pulled offline for further scrutiny. Now imagine that these bags could be individually placed in "virtual airplanes" safely isolated at the end of an unused runway. The conditions inside the virtual airplane will exactly simulate real flying conditions (changes in temperature, air pressure, motion, and long flights) in such a way that any bag that contains a bomb will certainly detonate, but only inside the virtual airplane where no harm can be done. Those bags that do not explode can be checked manually and returned to the line for delivery.
Like the airport baggage example, iSolation Server includes four filters that can quarantine messages without a virtual machine examination. These include a matching filter that looks for dangerous or aberrant file extension names, a matching filter that determines whether files are what they purport to be, a learning filter that determines if the current e-mail was previously detected to be viral, and an "approved sender" filter. The architecture of iSolation Server allows for additional input filters to perform a variety of different functions including e-mail management. Collectively these filters reduce the volume of messages that are passed to the virtual machine and thus substantially improve processing efficiency.
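To make the pre-filter stage concrete, the following is an added illustration written for this page; it is not Avinti's code and makes no claim about how iSolation Server implements its filters. It applies the four checks the text lists (dangerous extensions, content that does not match its claimed type, a learning filter keyed on hashes of attachments previously judged viral, and an approved-sender list) and routes whatever survives to a hypothetical virtual-machine stage, represented here only by the decision string "sandbox". The extension list, magic numbers and sample messages are constructed for the example.

```python
"""Pre-filter pipeline in front of a behavioural e-mail sandbox (illustrative)."""
import hashlib
from dataclasses import dataclass, field

# 1. Extensions that are directly executable on a typical Windows PC and have
#    no business arriving by e-mail (illustrative list, not a product setting).
DANGEROUS_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}

# 2. Leading bytes ("magic numbers") that identify common file types.
MAGIC = {
    ".exe": b"MZ",
    ".pdf": b"%PDF",
    ".zip": b"PK\x03\x04",
    ".gif": b"GIF8",
    ".png": b"\x89PNG",
    ".jpg": b"\xff\xd8\xff",
}

# Types with no executable content; once verified against MAGIC they need no
# sandbox run (the analogy's "bags that contain no solid objects").
INERT = {".gif", ".png", ".jpg"}


@dataclass
class Attachment:
    filename: str
    data: bytes


@dataclass
class Message:
    sender: str
    attachments: list = field(default_factory=list)


def extension(filename):
    """Final extension, lower-cased: 'invoice.pdf.exe' is '.exe'."""
    name = filename.lower().rstrip()
    dot = name.rfind(".")
    return name[dot:] if dot >= 0 else ""


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


class PreFilter:
    def __init__(self, approved_senders=(), known_bad_hashes=()):
        self.approved_senders = {s.lower() for s in approved_senders}
        self.known_bad = set(known_bad_hashes)

    def learn_bad(self, attachment):
        """3. Feed a sandbox verdict back so a repeat of the same file is
        quarantined without another virtual-machine run."""
        self.known_bad.add(sha256_hex(attachment.data))

    def check_attachment(self, att):
        """Return 'inert', 'active', or a string starting 'quarantine: '."""
        ext = extension(att.filename)
        if ext in DANGEROUS_EXTENSIONS:
            return f"quarantine: dangerous extension {att.filename}"
        expected = MAGIC.get(ext)
        if expected is not None and not att.data.startswith(expected):
            return f"quarantine: {att.filename} is not a {ext} file"
        # An executable hiding behind a harmless or missing extension
        # (a literal .exe was already caught above).
        if att.data.startswith(MAGIC[".exe"]):
            return f"quarantine: executable disguised as {att.filename}"
        if sha256_hex(att.data) in self.known_bad:
            return f"quarantine: {att.filename} previously judged viral"
        if ext in INERT and expected is not None:
            return "inert"
        return "active"

    def decide(self, msg):
        """Route a message: ('quarantine'|'deliver'|'sandbox', reason)."""
        needs_sandbox = []
        for att in msg.attachments:
            verdict = self.check_attachment(att)
            if verdict.startswith("quarantine: "):
                return "quarantine", verdict[len("quarantine: "):]
            if verdict == "active":
                needs_sandbox.append(att.filename)
        if not needs_sandbox:
            return "deliver", "no active content"
        # 4. Approved senders skip the sandbox only. Caveat: an SMTP From
        #    address is trivially forged (mass-mailers forge it routinely),
        #    so the static checks above run on every message regardless.
        if msg.sender.lower() in self.approved_senders:
            return "deliver", "approved sender"
        return "sandbox", "unknown active content: " + ", ".join(needs_sandbox)


if __name__ == "__main__":
    pf = PreFilter(approved_senders=["payroll@corp.example"])
    doc = Attachment("report.pdf", b"%PDF-1.4 /OpenAction /JavaScript ...")
    print(pf.decide(Message("stranger@example.net", [doc])))   # routed to sandbox
    pf.learn_bad(doc)                                          # sandbox said: viral
    print(pf.decide(Message("stranger@example.net", [doc])))   # now quarantined
```

The ordering is the security-relevant design choice: the cheap static filters run on every message before the sender list is consulted, and the sender list only decides whether surviving active content is sandboxed or delivered. The learning filter is a plain hash cache, so a virus that re-packs itself per recipient defeats it; that is exactly the case that still has to go to the virtual machine.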

Figure 1. iSolation Server Architectural Diagram
For those suspicious messages that contain active, but not yet identified, content iSolation Server invokes a virtual machine module that replicates what would happen in a target PC. The virtual machine is fully configurable to match the particular setup of company PCs and so performs every action that would normally occur, even down to acknowledging e-mails. This process assures "real" results because the iSolation Server determines what the suspect code actually does instead of trying to predict what will happen or raising alarms about what has happened.
The virtual machine not only requires substantial computing capability, but for large systems multiple modules must operate simultaneously to avoid unacceptable delays in e-mail delivery. Avinti is apparently well on the way to overcoming these hurdles by pioneering the ability to manage multiple virtual machine modules at a high rate of speed. The iSolation Server is actually a gateway appliance that is designed to scale through fault-tolerant and multi-box operation.
Why is Avinti's technology important?
Trusted Strategies believes that Avinti has made a significant advance in day-zero virus prevention. To our knowledge, the iSolation Server is the only available product that prevents unknown viruses carried by e-mail without excessive false positives or the risk of missing unforeseen signatures or behaviors. The product requires very little administrative oversight, has no perceptible impact on users and is architected to scale to an enterprise of any size. Additionally, administrators can release any quarantined e-mail they judge to be a false positive, because the quarantine process does not destroy files.
While the concept of isolated machine simulations is not new, Avinti has created a sophisticated system that incorporates the ability to readily configure virtual machine modules and will soon manage multiple modules simultaneously. Early versions of iSolation Server have proven to be highly effective in detecting the most recent crop of viruses and the technology is sufficiently robust to defeat renewed attempts of virus creators to more cleverly mask viral appearance and behavior.
Avinti is an attractive investment in the IT security sector
The urgency of the day-zero virus problem has created a compelling market opportunity that has attracted a variety of competitors including Cisco, Web Washer, Finjan and more. But Trusted Strategies believes the iSolation Server stands alone as the most cost effective and secure product in the day-zero virus defense market.
Avinti's management team has relevant experience in anti-virus technology and has applied for patents on iSolation Server's key technical innovations. The growing demand for day-zero protection will draw in major entities with strong distribution and support capabilities that should have an appetite for Avinti's highly differentiated offering. Further, the core iSolation Server technology should have great appeal to the myriad of multi-application appliance vendors and engender attractive partner opportunities.
ZDNet Security News, January 2004
ICSA Press Release March 22, 2004