Though the rapidly evolving malware landscape might seem insurmountable, some high-tech companies are looking to conquer malicious threats through “real world” security testing. Last week, Trend Micro Inc. reflected on how it has been dealing with the fast-paced threat world since 2009, through its partnerships with independent security test labs such as NSS Labs and Dennis Technology Labs.
The company’s Internet security solutions for consumers and business consistently ranked first in both corporate and consumer testing at multiple labs between September 2009 and January 2011, ahead of similar products from other companies, including McAfee and Symantec.
“The problem today is that the threats have really evolved,” said Ian Gordon, Trend Micro Canada’s director of marketing and channel. Threats have moved from file-based, such as a malicious e-mail attachment, to Web-based, like a phishing link. “Traditionally, they would gather a sample of malware files, and run (anti-virus) programs and see if they found the issues. Now you have to stop them from getting in, in the first place.”
Threat researchers at testing labs like the ones Trend Micro uses will troll the Internet for malicious sites and add them to a database in the cloud, to keep the threat list updated more easily and effectively than lists on the desktops alone. The company calls this the Trend Micro Smart Protection Network. “Fundamentally, you’re way better off having a single database,” Gordon said.
The labs then test the effectiveness of products like Trend Micro’s in stopping the threat as quickly as possible before it reaches the desktop level. In September 2010, NSS Labs reported that Trend Micro’s solutions had a malware block rate of 90 per cent, with McAfee the next highest at 85 per cent.
Though Trend Micro is not unique in its approach, it has been one of the leaders in the security market, according to James McCloskey, a senior analyst with London, Ont.-based Info-Tech Research Group. “Trend’s approach is certainly ahead of others in the pack,” he said. Symantec Corp. has a similar approach to Trend Micro’s with its Global Intelligence Network. “I think others are heading down that path as well,” McCloskey said.
Trend Micro also runs SimplySecurity.com, a security news Web site to keep the industry as up-to-date as possible on current and evolving threats. It also has a global team of about 1000 threat researchers who work with the labs to analyze evolving threats, Gordon said. “It’s a huge effort in terms of manpower.”
This kind of testing also allows products to go to market faster, according to Gordon. “(Channel partners) want to get products out more quickly and know they’re providing the best protection possible,” Gordon said.
“What Trend is highlighting here is this question of not all malware ending up getting down to the desktop,” McCloskey said. “It is better than doing simply static testing,” he said. “It’s more indicative of the product’s true ability to protect you.”
Traditional static security testing is just too slow-paced for today’s threat landscape, McCloskey said. “Frankly, it’s not a sustainable approach. There’s too much variety in malware nowadays and it’s evolving too quickly.”
The pace is so fast, in fact, that more vendors are moving from black lists of malware to white lists of recognized, safe software, according to McCloskey. They also have databases of questionable software that function almost as a watch list, or grey area, where a computer may run the software but catalogue it as a potentially harmful site. Keeping an eye on those sites is key to quick threat responses, he said.
However, combining static testing methods and the real-world approach is still crucial to comprehensive testing, McCloskey said. “This real world testing is excellent but it certainly doesn’t get rid of end point detection capabilities,” since your desktop is still your “last line of defence,” he said. “I think that’s a critical approach.”