IDC, October 1, 2003
Finjan Software: Closing the Window of Vulnerability
By Brian E. Burke
Research Manager, Security Products
Team: Security and Business Continuity
Organizations are increasingly asking for more proactive virus-detection techniques following the worldwide damage caused by high-profile viruses such as Nimda, Goner, Code Red, Klez, and, most recently, Bugbear. The amount and severity of threats coming into corporate networks have risen dramatically over the past several years. Forward-looking organizations are beginning to realize they cannot rely upon reactive signature-based antivirus technology alone.
These companies know they have very limited protection from new attacks until their antivirus vendor receives the new attack sample, creates a new patch (or signature), and delivers that patch to the antivirus product's database. To put it into simple terms, a company (or many companies) is often made the "sacrificial lamb" by becoming the first infected by an unknown virus before a signature can be deployed to combat the specific virus. This study discusses the emerging use of real-time behavior analysis technologies and how Finjan Software can help an organization close the "window of vulnerability" - the period of time spanning when a new attack is launched until an appropriate antivirus signature/patch is delivered. IDC believes the market for proactive virus-detection technologies will be driven by the following factors:
• According to a recent IDC survey, an alarming 90% of large organizations reported a virus incident over the past year (see Privacy and Security: Friend or Faux? IDC's Security Technology Survey for 2001, IDC #25684, October 2001).
• Hacking and worm attacks on wireless networks will increase over the next few years. Attacks on corporate computer systems, both wired and wireless, will continue to get more sophisticated and target multiple vulnerabilities in the network.
• In the near future, more destructive and harder to detect "blended threats" or "hybrid worms" will become increasingly more common as hackers and crackers become more sophisticated and viruses and malicious code become more difficult to detect.
• IDC believes the integration of real-time behavior analysis technologies with traditional signature-based antivirus technologies will allow for a greater degree of accuracy in detecting both known and unknown threats.
In This Study
This study describes the next-generation virus- and malicious code-detection products, the expansion of traditional signature-based antivirus software, the new risks associated with blended and hybrid attacks, and, finally, how one company - Finjan Software - is addressing all of these issues with a comprehensive, proactive solution.
Finjan Software protects PCs by inspecting the behavior of code downloaded from the Internet. Centrally managed, the Finjan solutions allow companies to tailor security policies for departments and individual users, enabling secure content management. Using Finjan's unique security policies, companies can "allow" trusted Web applications or services and scan all other Web content for malicious behavior. This approach allows trusted content to flow freely into the corporate network while all other unknown content is checked before it can enter the network.
Finjan Product Family
• SurfinGate for E-Mail delivers a patented, real-time content-inspection process to proactively block malicious behaviors of inbound and outbound mail traffic. SurfinGate for E-Mail defends against new, unknown attacks and new variants and is the only gateway solution that is not dependent upon signature database updates. SurfinGate for E-Mail eases the administration of several security products by offering multiple lines of defense in one solution and provides complete email security for today's e-businesses.
• SurfinGate for Web features a Web content security platform for known and unknown viruses and malicious code attacks on PCs. With its policy-based management, SurfinGate for Web provides the best way for companies to manage and control active content downloaded into their organizations. SurfinGate also features an option to include McAfee antivirus scanning for known attacks. By integrating Finjan's best-in-breed, proactive behavior inspection and antivirus scanning, SurfinGate provides complete Web security for corporate PCs.
• SurfinShield Corporate offers a proactive defense against new, unknown malicious code attacks coming from email and the Web. SurfinShield is a centrally managed enterprise PC solution that monitors the behavior of programs in its "sandbox." SurfinShield's proactive sandbox enforces security policies to automatically block malicious activity before damage can be inflicted. Examples of security policy violations include attempts to delete files, open network connections, or access the system registry. Behavior-based security is the most effective approach against today's most dangerous Internet threats, which include blended worm attacks and targeted attacks on PCs.
• SurfinGuard Pro is a personal sandbox security utility that proactively monitors executable programs for malicious behavior. SurfinGuard Pro runs executables in a protected sandbox environment and automatically blocks any hidden Trojan or worm that breaches security rules. With no antivirus database updates required, SurfinGuard users can open executable files with the peace of mind that they are protected.
• Finjan Mirage enables companies to control the access, authorization, and distribution of sensitive documents internally and externally. It allows trusted users to view critical business information and intellectual property unimpeded while preventing unauthorized users from viewing, digitally distributing, and physically copying them. Mirage protects information in native HTML and PDF formats.
Believing that security is best achieved through multiple layers of protection, Finjan offers an integrated best-in-breed solution of proactive and traditional security technologies, including proactive malicious mobile code and active content defense from Finjan, along with McAfee antivirus protection and SurfControl URL filtering.
The demand for more proactive virus-detection technologies has been heightened due to the rash of Web-based viruses (e.g., Nimda, Code Red, and Bugbear) and malicious mobile code that have escaped traditional (signature-based) virus measures. This problem is primarily due to the fact that the viruses are unknown or that customers have failed to update signature files. Unlike traditional viruses, which rely on the user to spread the infected files, these new threats - often called blended threats - are automated and are always scanning the Internet and local networks for vulnerabilities and other computers to infect, meaning they spread without user interaction. Blended threats are employing dangerous new techniques that signal what is to come from worm writers in the near future.
Given the prolific speed at which viruses spread today, they often sneak past traditional antivirus software and entrench themselves in desktop and server systems before antivirus vendors can post an appropriate signature. Because blended threats are designed to get past point-solution security systems, IDC believes there will be a strong push toward a "layered security" approach, which will be better able to combat blended threats. Proactive behavior-based analysis is increasingly becoming a vital need in an organization's layered security architecture.
Viruses continue to be, by a wide margin, the most common threat facing corporations today. According to a recent IDC survey of 325 firms across the United States, 90% of large organizations (1,000+ employees) said that they had experienced a virus attack. Of the organizations that experienced a virus attack, 30% reported that the virus was detected but not immediately repelled (see Figure 1). This response indicates that even virus attacks that are detected can still cause harm. The rate at which virus attacks were not detected at all was 13.5% - obviously high enough to be a major concern to IT organizations. When these two types of virus incidents are added together, results show that an alarming 43.5% of viruses pose risks to organizations.
The Web has quickly become an additional concern for corporate virus infection. With a growing number of employees accessing the Web to carry out everyday business activities, virus writers are increasingly looking to the Web as another means of virus distribution. Web sites rely on various embedded programs such as Java and ActiveX controls to create their unique look and feel. These programs can run automatically when the site is viewed by the user, allowing a virus to be embedded on a Web page and infect a user viewing that particular page. Many companies block Java from coming through their firewalls; unfortunately, this move can restrict potentially business-related applets.
Real-time behavior analysis identifies and analyzes downloaded code as it enters the network. All characteristics of the code are examined for security violations on the fly. Any code that violates the corporate security policies is logged and blocked at the gateway, while end users are notified with an on-screen alert. Examples of security policy violations include attempts to delete files, open network connections, and access the registry.
The secure content management (SCM) software market achieved a level of $2.7 billion in 2002, representing an impressive 34% growth over 2001. IDC currently forecasts that this market will reach $6.4 billion in 2007, representing a compound annual growth rate (CAGR) of 19%. The SCM market includes antivirus software, Web-filtering software, email-scanning software, and malicious mobile code detection.
IDC believes more complex and wide-reaching approaches to breaching corporate security will follow in 2003 as hackers and crackers become more sophisticated and viruses and malicious code become more difficult to detect. Traditional signature-based antivirus technologies and real-time behavior analysis technologies will be increasingly used as complements to one another - the traditional antivirus approach providing protection from known threats and the real-time behavior analysis technologies providing protection from unknown threats. IDC believes the integration of real-time behavior analysis technologies with traditional signature-based antivirus technologies will allow for a greater degree of accuracy in detecting both known and unknown threats.
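The layered model the study describes (trusted Web applications allowed through, a signature scan for known threats, then policy-based behavior inspection for the violations listed above: deleting files, opening network connections, accessing the registry, with per-department policies and a gateway log), as an added illustration that is not Finjan's code or the study's own material. The data model, signature table, source list and sample hashes are all constructed for the example.

```python
from dataclasses import dataclass

# Hypothetical data model (not Finjan's): one item of downloaded content together
# with the behaviors observed while inspecting it, named after the policy
# violations the study lists: delete_file, open_network, access_registry.
@dataclass(frozen=True)
class Content:
    source: str           # originating host
    sha256: str           # constructed stand-in for a content hash
    behaviors: frozenset  # behaviors observed during inspection

# Layer 1 input: constructed sample signatures standing in for an AV database.
KNOWN_SIGNATURES = {"aaaa1111": "Sample.Worm.A"}

# Trusted Web applications whose content is allowed without scanning.
TRUSTED_SOURCES = {"intranet.example"}

# Layer 2 input: per-department policies naming which behaviors are violations.
POLICIES = {
    "default":     {"delete_file", "open_network", "access_registry"},
    "engineering": {"delete_file", "access_registry"},  # developers may open sockets
}

AUDIT_LOG = []  # one record per blocked item, as the gateway would log it

def inspect(item, department="default"):
    """Decide allow/block for one item; returns (verdict, reason)."""
    if item.source in TRUSTED_SOURCES:
        return "allow", "trusted source"
    # Layer 1: the signature scan stops known threats.
    name = KNOWN_SIGNATURES.get(item.sha256)
    if name:
        return _block(item, f"signature match: {name}")
    # Layer 2: behavior analysis stops unknown threats and new variants for
    # which no signature exists yet (the "window of vulnerability").
    policy = POLICIES.get(department, POLICIES["default"])
    violations = sorted(item.behaviors & policy)
    if violations:
        return _block(item, "policy violation: " + ", ".join(violations))
    return "allow", "no violation"

def _block(item, reason):
    # Log at the gateway and report the verdict the user alert would carry.
    AUDIT_LOG.append({"source": item.source, "sha256": item.sha256, "reason": reason})
    return "block", reason
```

A variant whose hash is absent from KNOWN_SIGNATURES passes layer 1 and is stopped only by layer 2, which is the gap the study says behavior analysis closes.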
IDC believes that Finjan is well positioned to take advantage of the growing demand for proactive virus-detection solutions. By providing real-time behavior analysis on traffic entering the corporate network, Finjan's unique product set provides a valuable complement to traditional perimeter security products.
"Finjan has been the worldwide leader in proactive malicious mobile code detection since 1996," said Brian Burke, research manager, Security Products, at IDC. "They are the experts on proactive security strategies, closing the window of vulnerability and protecting organizations against current and new attacks by next-generation viruses, worms, and malicious mobile code."
This IDC research document was published as part of an IDC continuous intelligence service, providing written research, analyst interactions, telebriefings, and conferences. Visit www.idc.com to learn more about IDC subscription and consulting services. To view a list of IDC offices worldwide, visit www.idc.com/offices. Please contact the IDC Hotline at 800.343.4952, ext. 7988 (or +1.508.988.7988) or email@example.com for information on applying the price of this document toward the purchase of an IDC service or for information on additional copies or Web rights.
Copyright 2002 IDC. Reproduction is forbidden unless authorized. All rights reserved.