Rick Correa
Jan 2016

The Problem with Signature-Based Security: How Long is Your Pit Stop?

Photo by UnitedAutoSports

With traditional signature-based security like anti-virus, waiting for updates is like going in for a pit stop. Meanwhile, attackers aren't waiting for you to play catch-up.

A former colleague recently posted an article over at Motherboard that included an incredible video you can watch below. It depicts the evolution of the F-1 racing pit stop, comparing how it was done in 1950 to how quickly it’s done today.


In the 1950s version, the pit stop has the crew banging on the car tires with a mallet for what seems like an eternity. It’s one of the most painful minutes I’ve spent in a long time. Compare that with the modern-day pit stop time (starting at 1:23) and the difference is remarkable.

What Pit Stops Have to Do with Cybersecurity 

Before I joined Barkly, I was at the malware helm of a large global network, often spending more time than I’d like to admit working to get vendors to do a signature update for a threat we found. I saw firsthand attackers refining their pit-stop processes into a well-tuned machine: the latest zero-day weaponized within an hour, the exploit from an APT group extracted and rolled into a crimeware exploit kit by the end of the day. Cryptors, JIT-assembly, and server-side polymorphism are just a few of the techniques malware authors have employed to reduce their time in the pits.

As a consequence, even companies with large 24x7 security teams can be overwhelmed. This past summer, Mandiant released the Clandestine Wolf write-up on APT 3. Two days later, the exploit (CVE-2015-3113) was being used by exploit kits like Nuclear and Angler. Less than two weeks later, the Hacking Team breach yielded three more Adobe zero-days. Defenders were scrambling to assess the threat, look for compromised boxes, and get their patching up to date. Meanwhile, their signature-based defenses struggled to push updated signatures for old threats that had already evolved into new threats.

An Outdated vs. New, More Effective Approach

Signature-based defenses like anti-virus and traditional network sandboxes remind me of the guy with the mallet trying to dislodge a wheel. Their vendors often take hours, days, or even months to create a new signature for their products. It’s like having a 1950s pit stop crew servicing your defense for an entire race, all while the attackers do laps on your networks with a modern pit crew.

At Barkly, we’re always looking for new malware to test our RapidVisor. The immediate satisfaction I got during the last few seconds of the clip, where you see the modern pit stop in under 3 seconds, is the same feeling of satisfaction I get seeing our RapidVisor catch and stop unknown malware. It doesn’t require waiting for a signature update or a pit manager with a rubber mallet to bang on my computer.


Rick is a Principal Malware Researcher at Barkly. He has over 13 years of experience working in computer security research and development, including malware analysis, embedded systems, and wired/wireless networking.

