Zero-hour Protection Comparison

Why Compare?

In evaluating zero-day protection, IT administrators must consider how each solution operates before choosing the one best suited to solve the zero-day dilemma. Although various technologies claim to offer effective zero-day protection from emerging or targeted threats, they in fact approach the problem from different directions and achieve varied results. This guide will help you evaluate these approaches in order to arrive at an informed decision.

Rating Scale

A rating scale evaluates each technology’s effectiveness with regard to PERFORMANCE, PROTECTION, and PROBABILITY. The scale runs from 1 to 10, grouped into the bands 1-4, 5-7 and 8-10, with 10 being the most effective and 1 the least.

PERFORMANCE
The measurement of impact upon the overall e-mail stream. What would an end-user experience?

PROTECTION
How successful is this technology in stopping threats?

PROBABILITY
How accurate is this technology? What concerns exist in mis-classification of threats?

Available Solutions

Redundant Pattern Scanners

Implementing multiple pattern scanners to achieve zero-day protection rests on the assumption that patterns are either the best or the only way to consistently detect viruses. While this may reduce the impact of a newly released threat, it does not offer viable zero-day protection: redundant pattern scanners give no protection during the window of vulnerability in which NO pattern is available.

Heuristics-Based Solutions

Where pattern scanners only detect previously identified threats, heuristics attempt to guess the patterns of future threats. However, because of the broad range of evolving threats, heuristic attempts have resulted in marginal success. While many solution providers claim high success rates, no customer experience or third-party validation indicates that heuristic solutions are capable of stopping more than 20% of future threats, according to avtest.org. In instances where higher success is reported, the inevitable cost is a dramatic increase in false-positive reports.

Spam Techniques

Spam identification techniques have been adapted recently in an attempt to stop incoming threats through the following methods:
• Identification of “bad neighborhoods” of spam senders
• Scoring e-mail messages
• Monitoring for abnormalities in e-mail traffic flow

Blocking all e-mail sent from a specific IP address or other sources may result in a short-term success until spammers secure another avenue of distribution. Knowing this, some administrators turn to solutions that score e-mail received from various users in hopes of identifying emerging threats carried on spam. Although these techniques may limit the scope of outbreaks, they do not truly stop zero-day outbreaks. Additionally, broad attacks that generate anomalies in e-mail traffic may be recognized, but only after the first wave has successfully penetrated the perimeter.
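The traffic-flow monitoring described above can be illustrated with a small detector. The code below is an added example and is not Avinti's own code or any product's implementation; it reads constructed gateway log lines (timestamp, sender, recipient, attachment hash) and flags an attachment hash that is seen at least `threshold` times inside a sliding time window. The `delivered_before_alert` value makes the page's caveat concrete: by the time the anomaly is visible, the first wave has already been delivered.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample gateway log: one delivery per line as
# "<ISO timestamp> <sender> <recipient> <attachment hash>" (hashes shortened).
SAMPLE_LOG = """\
2008-03-04T09:00:00 alice@example.com bob@corp.test 1111aaaa
2008-03-04T09:10:00 x1@mail.test u1@corp.test deadbeef
2008-03-04T09:10:30 x2@mail.test u2@corp.test deadbeef
2008-03-04T09:11:00 x3@mail.test u3@corp.test deadbeef
2008-03-04T09:12:00 x4@mail.test u4@corp.test deadbeef
2008-03-04T09:13:00 x5@mail.test u5@corp.test deadbeef
2008-03-04T09:30:00 carol@example.com bob@corp.test cafe0001
2008-03-04T10:00:00 carol@example.com dan@corp.test cafe0001
2008-03-04T10:30:00 carol@example.com eve@corp.test cafe0001
"""


def parse_log(text):
    """Turn the constructed log format into (timestamp, sender, recipient, hash) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sender, recipient, digest = line.split()
        events.append((datetime.fromisoformat(ts), sender, recipient, digest))
    return events


def find_bursts(events, window_minutes=5, threshold=4):
    """Flag any attachment hash seen at least `threshold` times within `window_minutes`.

    Returns a dict keyed by hash. Each alert records when the burst started, when the
    threshold was crossed, and how many copies were already delivered before the alert.
    """
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # hash -> timestamps still inside the window
    alerts = {}
    for ts, _sender, _recipient, digest in sorted(events):
        seen = recent[digest]
        seen.append(ts)
        # Drop timestamps that have slid out of the window.
        while seen and ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold and digest not in alerts:
            alerts[digest] = {
                "first_seen": seen[0],
                "triggered_at": ts,
                "count": len(seen),
                # Everything before the triggering message already passed the gateway.
                "delivered_before_alert": len(seen) - 1,
            }
    return alerts


if __name__ == "__main__":
    for digest, alert in find_bursts(parse_log(SAMPLE_LOG)).items():
        print(digest, alert)
```

With the constructed log, the `deadbeef` attachment trips the detector on its fourth copy at 09:12, after three copies have already been delivered; the `cafe0001` attachment, repeated only every half hour, never does. Tightening the window or lowering the threshold raises the false-positive rate against legitimate mass mailings, which is the PROBABILITY trade-off the rating scale above is meant to capture.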

Desktop Sandbox Solutions

Desktop sandbox solutions interpose themselves in the system through either emulation or replacement of core operating system functions. Certainly, this attempt is admirable — it observes and detects anomalous behavior from ANY possible intrusion point. However, any modification to the operating system introduces a high possibility of performance impact or failure. Furthermore, the design of desktop sandbox solutions introduces a high degree of false results.

E-mail Attachment Blocking

E-mail has historically been an open means of communication and data exchange. While other methods exist for file sharing (such as FTP), e-mail continues to be more convenient for business users. As threats continue to escalate, companies are finding a need to define e-mail policies which may include the restriction of certain attachment-types. Certainly, these policies can be implemented to provide a HIGH degree of protection. The cost, however, is the effective use of e-mail as a business-critical tool.
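The attachment-type restriction described above is usually enforced at the mail gateway by walking the MIME parts of each message. The following is an added example, not Avinti's code or any product's implementation, using only Python's standard `email` library; the blocked extension and MIME-type lists are constructed policy values. It goes slightly beyond the paragraph by checking every suffix of a file name (so `invoice.pdf.exe` is caught) and by looking at the first bytes of the content, since a name-only policy is defeated by renaming an executable.

```python
import email
import hashlib
import re
from email import policy
from email.message import EmailMessage

# Constructed gateway policy: attachment suffixes and declared types that are refused.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
BLOCKED_MIME_TYPES = {"application/x-msdownload", "application/x-msdos-program"}


def classify_attachment(filename, content_type, payload):
    """Return the list of policy violations for one attachment (empty means allowed)."""
    reasons = []
    suffixes = re.findall(r"\.[a-z0-9]+", (filename or "").lower())
    # Examine every suffix so that double extensions do not slip past the policy.
    for suffix in suffixes:
        if suffix in BLOCKED_EXTENSIONS:
            reasons.append(f"extension {suffix} is blocked")
            break
    if content_type.lower() in BLOCKED_MIME_TYPES:
        reasons.append(f"declared type {content_type} is blocked")
    # Content check: a Windows PE executable starts with "MZ" whatever its name says.
    if payload.startswith(b"MZ") and not reasons:
        reasons.append("content begins with the MZ executable header despite an allowed name")
    return reasons


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and give a verdict for every attachment part."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename and part.get_content_disposition() != "attachment":
            continue  # inline body text, not an attachment
        payload = part.get_payload(decode=True) or b""
        verdicts.append({
            "filename": filename,
            "content_type": part.get_content_type(),
            "sha256": hashlib.sha256(payload).hexdigest(),
            "reasons": classify_attachment(filename, part.get_content_type(), payload),
        })
    return verdicts


def gateway_decision(verdicts):
    """Quarantine the whole message if any attachment violates the policy."""
    return "quarantine" if any(v["reasons"] for v in verdicts) else "deliver"


def build_sample_message():
    """Constructed message with a benign PDF, a double-extension file and a mislabelled one."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Constructed sample"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"MZ\x90\x00 constructed", maintype="text",
                       subtype="plain", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    results = scan_message(build_sample_message())
    for v in results:
        print(v["filename"], v["content_type"], v["reasons"])
    print(gateway_decision(results))
```

In the constructed message `report.pdf` passes, `invoice.pdf.exe` is refused by its extension, and `notes.txt` is refused because its content starts with an executable header even though both its name and its declared `text/plain` type are allowed. The cost the page mentions is visible here too: every refusal is a file the recipient will not get, so the block lists have to be kept to types the business can genuinely do without.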

Behavior Observation

Users may also protect their systems from zero-day attacks by observing the actual behavior of e-mail attachments in a secure, virtual machine environment. For organizations which MUST receive specific attachment types, no better solution exists to augment existing pattern-based protection. Because the system observes the actual behavior of attachments, only a low probability exists of false reports.

©2003-2008 Avinti, Inc.