Phishing, Trojans, botnets – all well understood threats and terms which have swiftly passed into the lingua franca of daily life. “False positive”, on the other hand, is a concept which has largely been ignored – accepted as an inevitable if unwanted consequence of the traditional AV industry and its obsession with the signature update paradigm. But as the frequency and impact of false positives rise, important questions are being asked of both security professionals and the vendor community.
False positives in a security context arise when a vendor pushes out a signature update designed to deal with one malicious file but which ends up blacklisting legitimate programs running on a customer’s system. What sounds like a fairly innocuous problem can have massive repercussions, as McAfee discovered recently. The well-publicised incident occurred when a simple update from the security giant incorrectly identified a key Windows file as infected, before quarantining it. This meant that swathes of its customers were left with PCs locked in an endless reboot cycle, as they were unable to load Windows without the quarantined file.
Now, it’s impossible to quantify just how much money an incident such as the one affecting McAfee cost its customers, but it affected firms running Windows XP with SP3, and there is no small number of those. Add to that the downtime each experienced when unable to boot their systems, and the lengthy clean-up that took place, with admins forced to walk from computer to computer, and the incident was pretty close to as bad as it gets.
The pressures leading to false positives like this are not all the fault of the vendor community though. Yes, vendors are certainly struggling to stay on top of spiraling threat levels and meet the commercial demand for them to get signature updates out as soon as possible. But on the other hand, information security professionals are under increasing pressure to deal with a patch management landscape growing in complexity. Both problems stem from the unprecedented growth in new malware which can ultimately be traced back to the massive changes that have enveloped the industry over the past ten years or so.
It’s a well-rehearsed argument: cyber threats have mutated from something committed primarily by script kiddies in their bedrooms for fame – like the notorious LoveBug, for example – to a multi-billion pound industry perpetrated by well-resourced, highly organised criminal gangs. This proliferation of new malware, driven by the availability of online toolkits which have dangerously democratised the means to create and spread threats, has pushed traditional signature-based protection methods to breaking point.
So what can be done in the industry to arrest the worrying growth in false positives? Best practice for security professionals would be to stagger the roll-out of updates, ensuring that they aren’t all applied at once, and to make sure that the first department chosen is not mission critical to the business. Even better would be to test the files in a purpose-built staging area. But here lies the problem: time pressures and the sheer volume of software updates are so great these days that security administrators are simply not able to follow best practice.
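The staging-and-stagger practice described above, as an added illustration that is not part of the original article: a new signature set is first run over a constructed corpus of known-good files (stand-ins for the kind of key system file the McAfee update quarantined), and only a set with no false positives and no missed samples is released, non-critical departments first. The signatures, file paths and department names are all constructed for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    """Toy detection rule (constructed): flag any file containing `pattern`."""
    name: str
    pattern: bytes

def find_false_positives(signatures, known_good):
    """Run every signature over the known-good corpus; any hit is a false positive."""
    hits = {}
    for sig in signatures:
        flagged = [path for path, data in known_good.items() if sig.pattern in data]
        if flagged:
            hits[sig.name] = flagged
    return hits

def find_missed_samples(signatures, samples):
    """The update must still catch the malware it was written for."""
    return [name for name, data in samples.items()
            if not any(sig.pattern in data for sig in signatures)]

def rollout_rings(departments, mission_critical):
    """Stagger the roll-out: one non-critical department per ring, critical ones last."""
    rings = [[d] for d in departments if d not in mission_critical]
    critical = [d for d in departments if d in mission_critical]
    return rings + [critical] if critical else rings

def gate_update(signatures, known_good, samples, departments, mission_critical):
    """Approve the staged roll-out only if staging shows no FP and no missed sample."""
    fps = find_false_positives(signatures, known_good)
    missed = find_missed_samples(signatures, samples)
    approved = not fps and not missed
    rings = rollout_rings(departments, mission_critical) if approved else []
    return {"approved": approved, "false_positives": fps, "missed": missed, "rings": rings}

# Constructed staging corpus: stand-ins for files that must never be quarantined,
# plus the malicious sample the update is meant to catch.
KNOWN_GOOD = {
    "C:/Windows/System32/critical_service.exe": b"MZ service host loader ... StartService",
    "C:/Program Files/LineOfBusiness/app.exe": b"MZ payroll client ... HttpSendRequest",
}
SAMPLES = {"trojan_sample": b"MZ dropper ... StartService ... HttpSendRequest ... evil.example"}

# An over-broad heuristic signature (an API string also found in good files)
# beside a narrower one keyed to an indicator only the sample carries.
BROAD_SIG = Signature("generic.dropper", b"StartService")
NARROW_SIG = Signature("trojan.evil", b"evil.example")
DEPARTMENTS = ["marketing", "finance", "trading-floor"]
CRITICAL = {"trading-floor"}
```

Running `gate_update([BROAD_SIG], ...)` rejects the update because the generic rule matches the critical system file, while `[NARROW_SIG]` is approved and scheduled for marketing, then finance, then the trading floor.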
Certainly, much of the blame for the increasing incidents of false positives can be put down to some vendor practices. In an effort to combat the growing number of malicious files in the wild, the strategy of many security firms is to rely on more generic heuristic signatures, hoping to widen the net in order to catch more malicious variants with the same update. The unintended consequence of that, of course, is that widening the net also ends up catching some legitimate files.
Vendors also need to look long and hard at their quality assurance (QA) processes. It is an area that, more than most, has been squeezed by the relentless demands of the market. Yet the balance between getting a signature out as quickly as possible and making sure it’s not riddled with faults has at times been too lopsided. With multiple dot releases, service packs and other versions of operating systems that need to be tested against, an oversight such as forgetting XP SP3 is sadly all too likely if proper attention isn’t paid to the quality side of the equation.
Vendors must therefore think about the resources they put into QA and threat detection and seriously consider if it is enough. Some may also need to go further and see if their methodologies themselves need updating.
But what about outside the vendor community? Part of the reason problems bubble up through the surface and explode in spectacular fashion, as McAfee found to its cost, is that the industry in general doesn’t pay enough heed to the problem of false positives. Where are the AV testing firms who measure false positives? Few if any go beyond the age-old focus on detection rates, but a little perspective would be good for everyone. It would give the customer a more rounded view of the pros and cons of the products they buy, and it would force the vendor community to tighten up on the quality of their signatures.
If we go further though, there is a more fundamental problem here. For too long the focus has been solely on neutralising the malicious file itself. Vendors need to reduce their dependence on the outdated signature update method of protecting customers and take a more holistic approach spanning all infection channels and blocking threats before they even arrive on the network.
One approach involves leveraging cloud-based web, email and file reputation technologies and intelligent correlation to stop threats before the malicious file has even been delivered. If this is done, and threats are blocked in the cloud, false positives do not even become an issue because the whole business of a vendor creating a potentially faulty signature update is rendered obsolete.
Moreover, this cloud-based intelligence becomes more effective the more users there are, with threat databases updated each time a new threat is identified by a single customer’s reputation check. For example, if an email is sent from a “good” IP address but contains a known malicious URL, then that IP address can be blacklisted and added to the reputation database. It is about collaborative intelligence protecting the individual user, not only from the threat of infection but also from the potentially crippling problem of false positives. Prevention in these circumstances is always better than the cure.
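The correlation rule in the paragraph above, worked through as an added example that is not code from the article or from any vendor: sender-IP reputation is checked first, then the URLs in the body are checked against a URL blacklist, and a hit demotes a previously “good” IP so that later mail from it is stopped at the first stage without any file ever being scanned. The IP addresses, URLs and messages are constructed sample data.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

class ReputationDB:
    """Constructed stand-in for a shared IP/URL reputation database."""
    def __init__(self, ip_verdicts, bad_urls):
        self.ip_verdicts = dict(ip_verdicts)   # ip -> "good" | "bad"; absent means unknown
        self.bad_urls = set(bad_urls)
        self.events = []                       # audit trail of reputation changes

    def ip_verdict(self, ip):
        return self.ip_verdicts.get(ip, "unknown")

    def blacklist_ip(self, ip, reason):
        # Only record a change once; repeated hits from the same IP add nothing new.
        if self.ip_verdicts.get(ip) != "bad":
            self.ip_verdicts[ip] = "bad"
            self.events.append((ip, reason))

def extract_urls(body):
    return URL_RE.findall(body)

def check_email(db, sender_ip, body):
    """Correlate sender-IP reputation with URL reputation; return a verdict string."""
    # Stage 1: a known-bad sender is rejected before the message body is examined.
    if db.ip_verdict(sender_ip) == "bad":
        return "block:bad-sender-ip"
    # Stage 2: a link already known to be malicious blocks the message ...
    bad_links = [u for u in extract_urls(body) if u in db.bad_urls]
    if bad_links:
        # ... and feeds back into the database: the "good" IP is blacklisted so
        # every later message from it is stopped at stage 1.
        db.blacklist_ip(sender_ip, f"sent known-malicious URL {bad_links[0]}")
        return "block:malicious-url"
    return "allow"

def process(db, mails):
    """Run a batch of (sender_ip, body) pairs through the check in order."""
    return [check_email(db, ip, body) for ip, body in mails]

# Constructed sample traffic: one known-bad sender, one "good" sender that
# turns out to deliver a blacklisted link mid-batch.
DB = ReputationDB({"198.51.100.7": "good", "203.0.113.9": "bad"}, {"http://evil.example/login"})
MAILS = [
    ("203.0.113.9", "Invoice attached, please review"),
    ("198.51.100.7", "Quarterly report: http://intranet.example/report.pdf"),
    ("198.51.100.7", "Verify your account at http://evil.example/login now"),
    ("198.51.100.7", "Reminder about the meeting"),
]
```

The fourth message is blocked on sender reputation alone, even though its body is harmless, because the third message demoted the IP.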