
Antivirus Vendors Push Toward Cloud Computing

Key elements of software now being delivered on a software-as-a-service basis

NEW YORK -- Interop Fall 2008 -- Antivirus software is taking up more and more memory on enterprise computers, both on the client and server ends. But new software-as-a-service (SaaS) offerings -- sometimes called "cloud computing" -- may change the AV picture in the near future, according to at least one vendor exhibiting on the show floor here this week.

Antivirus and security software vendor Panda Security has completed a new study which indicates that the growth of malware and other attacks will soon overwhelm current client/server-based AV software, according to Ryan Sherstobitoff, chief corporate evangelist at Panda.

The problem, Sherstobitoff says, is that the rapid proliferation of malware necessitates the rapid growth of signature-based software programs, which vaccinate the client against each new threat. "From 2006 to 2007, we documented about 300,000 malware samples," he says. "This year, it's around 2.5 million. We have seen incidents in which 500,000 malware samples were created overnight. And it's only going to increase as hackers become more sophisticated."

The result is that antivirus vendors are pushing out larger and larger signature files to clients and servers, consuming more and more CPU and memory on the machines that load them. "We're seeing about 200,000 new threats per month, which translates to a file that's 60-80 megabytes," Sherstobitoff says. "The clients are being vaccinated for 5,000 to 6,000 new signatures per day. You see situations where 50 to 60 percent of the CPU is being eaten up by antivirus software at times. The question is how much CPU can the AV software eat up before it's too much?"

Worse, Sherstobitoff says, the signature-based updates are becoming less effective. In a study of almost a million clients, Panda found that 30 percent of U.S. PCs contained an active infection -- even though half of them were running up-to-date antivirus or anti-malware software. "In Europe, it's about 37 percent," he says. "In Asia, it's close to 50 percent."

Among all the PCs that Panda studied, about 80 percent contained malware, Sherstobitoff says. About half of them contained an active Trojan. "What's clear out of all of this is that the current signature-based model is not working," he says. "We need a better method."

Panda, which rolled out its Panda 2009 line just three weeks ago, hopes to address the problem by moving some of its product capabilities into a "cloud computing" SaaS model. The idea is to put the memory-intensive signatures into a central database that can be accessed via a thinner client, thus reducing the CPU drag on the client machine.

"Instead of downloading a huge 60-80-megabyte file of signatures," Sherstobitoff says, "we can deliver a subset of the data, maybe 15-20 MB, and leave the rest on a Web server." Eventually, the company plans to store less and less data on clients and servers, making less and less impact on CPU utilization. "We'd like to evolve to a 100 percent SaaS model," he says.

The cloud computing approach could also make antivirus software more effective in stopping malware and other attacks, Sherstobitoff says. By employing a broad-based set of servers for analyzing new attacks and developing vaccinations, Panda may be able to better correlate the attack data and apply computing muscle to the process. "If we see malware in one country, we can more easily correlate it with a similar attack we see in another country," he says. This makes the signature process more effective and less bulky on the client end, he says.

Of course, the cloud computing model isn't without its drawbacks. It relies on a connection between the client and the antivirus server, which means there could be network latency problems, Sherstobitoff observes. And all clients will have to be outfitted with some method of "rolling back" to local AV if the connection to the security host becomes unavailable.

"There are some issues that we'll have to deal with, but as more and more applications and data move to the Web, this approach will be more and more compatible with what users are doing," Sherstobitoff says.
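The hybrid model described above, where a thin client keeps a small local subset of signatures, asks a central server about everything else, and has to "roll back" to local-only scanning when that server cannot be reached, is easy to get subtly wrong: a client that loses its connection must not start reporting unseen files as clean. The following is an added illustration, not Panda's code or anything described in the article; the hash-based signature format, the in-memory "cloud" lookup functions, and the sample files and signature names are all constructed for the example.

```python
"""Hybrid signature lookup with local fallback (constructed example).

A thin client holds a local subset of signatures, defers unknown hashes to a
cloud lookup, and degrades to local-only mode when the server is unreachable.
In degraded mode a miss is reported as "unknown", never as "clean".
"""
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, Optional


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files"; none of this is real malware.
SAMPLE_FILES: Dict[str, bytes] = {
    "invoice.pdf": b"%PDF-1.4 harmless constructed document",
    "update.exe": b"MZ constructed sample A",
    "report.doc": b"constructed sample B",
    "notes.txt": b"just notes",
}

# Constructed signature sets. LOCAL_SIGNATURES plays the role of the small
# subset shipped to the client; CLOUD_SIGNATURES is the full set on the server.
LOCAL_SIGNATURES = {sha256(SAMPLE_FILES["update.exe"]): "Constructed.Sample.A"}
CLOUD_SIGNATURES = {
    **LOCAL_SIGNATURES,
    sha256(SAMPLE_FILES["report.doc"]): "Constructed.Sample.B",
}


class CloudUnavailable(Exception):
    """Raised by a lookup function when the server times out or is down."""


def cloud_lookup_ok(digest: str) -> Optional[str]:
    """Hypothetical reachable server: returns a detection name or None."""
    return CLOUD_SIGNATURES.get(digest)


def cloud_lookup_down(digest: str) -> Optional[str]:
    """Hypothetical unreachable server: every query times out."""
    raise CloudUnavailable("timeout")


@dataclass
class Verdict:
    path: str
    status: str            # "malicious", "clean", or "unknown"
    name: Optional[str]    # detection name when status is "malicious"
    source: str            # "local", "cloud", or "local-only" (degraded)


class HybridScanner:
    def __init__(self, local_sigs: Dict[str, str],
                 cloud_lookup: Callable[[str], Optional[str]],
                 failure_threshold: int = 1) -> None:
        self.local = local_sigs
        self.cloud_lookup = cloud_lookup
        self.failures = 0
        self.failure_threshold = failure_threshold
        self.degraded = False  # True once rolled back to local-only mode

    def scan(self, path: str, data: bytes) -> Verdict:
        digest = sha256(data)
        # Local subset first: no network round trip for known samples.
        if digest in self.local:
            return Verdict(path, "malicious", self.local[digest], "local")
        # Degraded: the local subset cannot vouch for files it has not seen.
        if self.degraded:
            return Verdict(path, "unknown", None, "local-only")
        try:
            name = self.cloud_lookup(digest)
        except CloudUnavailable:
            self.failures += 1
            if self.failures >= self.failure_threshold:
                self.degraded = True
            return Verdict(path, "unknown", None, "local-only")
        if name:
            self.local[digest] = name  # cache the hit for later scans
            return Verdict(path, "malicious", name, "cloud")
        return Verdict(path, "clean", None, "cloud")


def scan_all(scanner: HybridScanner, files: Dict[str, bytes]) -> Dict[str, Verdict]:
    return {path: scanner.scan(path, data) for path, data in files.items()}


if __name__ == "__main__":
    for lookup in (cloud_lookup_ok, cloud_lookup_down):
        scanner = HybridScanner(dict(LOCAL_SIGNATURES), lookup)
        for verdict in scan_all(scanner, SAMPLE_FILES).values():
            print(lookup.__name__, verdict)
```

The distinction between "clean" and "unknown" is the point of the fallback: with the server reachable, a file absent from both signature sets is reported clean; once the client has rolled back to local-only mode, the same file is reported unknown, so downstream logging or policy can treat a degraded client differently from a healthy one.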

Other AV vendors, including McAfee and Symantec, are offering SaaS-based products as well.


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
