Malware is a cloud-scale problem

The old downloadable signature file method of anti-malware protection is flawed in today's era of cloud-scale malware threats, say a new generation of vendors. I caught up recently with Gerhard Eschelbeck, CTO of Webroot, to learn more.

Having been one of the many victims of McAfee.com's 'false-positive' problem back in April, I've been wondering whether there's a better way of protecting against malware, as some of the commentary at the time seemed to imply. My quest at the time led to an interview during London's InfoSec show with Gerhard Eschelbeck, CTO of anti-malware vendor Webroot, and previously one of the founding members of Qualys.

Webroot provides web and email security as a cloud service, delivered from the company's own network of data centers, supplemented by Amazon capacity at times of peak load. Its use of the cloud goes further than that of McAfee.com, Symantec Norton and others, for whom the cloud is solely a distribution mechanism to keep subscribers' software up-to-date. In common with other SaaS anti-malware providers, Webroot uses what Eschelbeck calls a "multi-tier" model, in which the protection is provided primarily by software running in the cloud, in addition to having a component that runs on the client machine.

"There's always a need for a last layer of protection on the desktop," he explained. But there are two reasons why it's no longer practical to run the whole protection layer from the desktop, as older anti-malware architectures do.

First of all, there's the sheer scale of the threat. Malware is being computer-generated around the clock all over the world, he explained, which leads to huge numbers of new samples appearing — currently 40,000 a day, and rising to a projected 100,000 per day next year. In the face of that onslaught, "There's no way the signature file approach can scale," he said. "We're reaching physical limits on the desktop — and on servers as well — to protect [those devices]."

The escalation in numbers means that occasional false positives will continue to be a fact of life in the anti-malware industry, whatever methods are used. But a methodology that requires product teams to push a single downloadable signature file every few days inevitably increases the risk, he said. "The more signatures you add, the more chance you have of an error." Once a problem file has gone out to the desktop, you then have to produce and download a new signature file to eliminate the error, whereas a cloud-based application can be corrected much more quickly. "If a false positive takes place in the cloud, it can be fixed instantly. The cloud will have false positives, but the ability to fix it is different."
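To make the contrast concrete, here is an added toy model of the two architectures described above (the pushed signature file versus the multi-tier cloud lookup with a thin desktop layer). It is illustrative code written for this page, not Webroot's or any vendor's software; the "files", their hashes and the verdicts are constructed, the in-process CloudVerdictService stands in for a real verdict service, and the online/offline switch is an assumption about how a client would fall back to its local cache.

```python
"""Toy model of two anti-malware architectures: a pushed signature file versus a
cloud verdict lookup backed by a small desktop cache. Constructed example; not
vendor code. File bytes, hashes and verdicts are made up for illustration."""
import hashlib
from dataclasses import dataclass


def sha256(data: bytes) -> str:
    """Both models key their verdicts on a content hash of the file."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample "files" (not real malware and not real library bytes).
MALWARE = b"constructed: drop-and-run payload"
BENIGN = b"constructed: legitimate system library"
UNKNOWN = b"constructed: brand-new build nobody has seen yet"


@dataclass(frozen=True)
class SignatureFile:
    version: int
    bad_hashes: frozenset


class SignatureFileClient:
    """Old model: every verdict the desktop can reach lives in the pushed file."""

    def __init__(self, sigfile: SignatureFile):
        self.sigfile = sigfile

    def install(self, sigfile: SignatureFile) -> None:
        self.sigfile = sigfile  # only happens when the vendor pushes a new file

    def scan(self, data: bytes) -> str:
        # Anything not listed in the file is silently treated as clean.
        return "malicious" if sha256(data) in self.sigfile.bad_hashes else "clean"


class CloudVerdictService:
    """Vendor side: a false positive is corrected by changing one record here."""

    def __init__(self):
        self.verdicts: dict[str, str] = {}

    def flag(self, h: str) -> None:
        self.verdicts[h] = "malicious"

    def retract(self, h: str) -> None:
        self.verdicts[h] = "clean"

    def lookup(self, h: str) -> str:
        return self.verdicts.get(h, "unknown")


class CloudClient:
    """Multi-tier model: ask the cloud when online; when offline, fall back to a
    cache of past verdicts, the 'last layer' that stays on the desktop."""

    def __init__(self, service: CloudVerdictService):
        self.service = service
        self.cache: dict[str, str] = {}
        self.online = True  # assumed connectivity switch, for the demo only

    def scan(self, data: bytes) -> str:
        h = sha256(data)
        if self.online:
            verdict = self.service.lookup(h)
            if verdict != "unknown":
                self.cache[h] = verdict  # refresh the local layer on every lookup
            return verdict
        return self.cache.get(h, "unknown")  # offline: cache is all that is left


def run_scenario() -> dict:
    """Walk both clients through a false positive and its correction."""
    r = {}
    cloud = CloudVerdictService()
    # The vendor flags real malware and, by mistake, the benign file too.
    for f in (MALWARE, BENIGN):
        cloud.flag(sha256(f))
    v1 = SignatureFile(1, frozenset(sha256(f) for f in (MALWARE, BENIGN)))
    desktop, multi = SignatureFileClient(v1), CloudClient(cloud)

    r["fp_desktop_v1"] = desktop.scan(BENIGN)    # wrong: "malicious"
    r["fp_cloud_before"] = multi.scan(BENIGN)    # wrong: "malicious"

    cloud.retract(sha256(BENIGN))                # one record fixed in the cloud
    r["fp_cloud_after"] = multi.scan(BENIGN)     # corrected on the next lookup
    r["fp_desktop_stale"] = desktop.scan(BENIGN)  # still wrong until v2 ships

    desktop.install(SignatureFile(2, frozenset({sha256(MALWARE)})))
    r["fp_desktop_v2"] = desktop.scan(BENIGN)    # fixed only after the new push

    r["unknown_desktop"] = desktop.scan(UNKNOWN)  # no signature => "clean"
    r["unknown_cloud"] = multi.scan(UNKNOWN)      # cloud can say "unknown"

    multi.scan(MALWARE)                           # populate the cache, then go offline
    multi.online = False
    r["offline_malware"] = multi.scan(MALWARE)
    r["offline_benign"] = multi.scan(BENIGN)
    r["offline_unknown"] = multi.scan(UNKNOWN)
    return r
```

The scenario shows the asymmetry Eschelbeck describes: a retraction in the cloud takes effect on the very next lookup, while the signature-file client keeps flagging the benign file until a corrected file is built and installed. The model also exposes the caveat a practitioner would raise about the cloud side: a client that caches verdicts only sees the correction when it next asks, so a real design bounds how long a cached verdict may be trusted and treats "unknown" as something to analyse rather than as "clean".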

The second reason for running the protection software mainly in the cloud is simply because that's where the threat is coming from today. Signature files date back to an era when most devices were standalone or running on local area networks with no connections to the outside world apart from the occasional dial-up modem. "Ten, fifteen years ago, the main infection vectors were through the floppy disk, the USB stick. Today the main vector is through the Web."

So the multi-tier defence model takes the battle as close as possible to the source of the threat, and allows the anti-malware vendors to fight a cloud-scale enemy with a cloud-scale arsenal. "You have a global view — compared to a myopic view on the desktop," said Eschelbeck. It's possible to analyze macro data such as traffic flows, and to counter threats without having to worry about the CPU constraints of individual machines.

The next frontier is to co-ordinate what's happening on the desktop with what's happening in the cloud and have information passing in real-time between desktops and cloud resources — moving from a multi-tier approach to more of a real-time fabric. That's next-generation, said Eschelbeck, but on the way.

The other question that surfaces is, why allow the threats to reach the desktop at all? If today's threats originate in the cloud, then why not clean the data stream before it gets anywhere near the end device? This after all is the principle followed by cloud-based email threat protection services such as MessageLabs and Postini. Eschelbeck agreed it was something that broadband providers perhaps ought to look at. "They maybe need to think about offering a clean pipe in the future."