IT security industry collaboration could eliminate 90% of malware

Cloud-based malware identification and information sharing capabilities could eliminate up to 90% of malware, says Eugene Kaspersky, chief executive of Kaspersky Lab.


This approach, if adopted across the IT security industry, will shut down most producers of simple malware, which accounts for the bulk of all malware, he says.

By identifying malware and blocking it within minutes rather than hours or days of it being planted on the web, security firms can reduce the number of initial infections so much that it will destroy the business model of most cyber criminals, he told attendees of Infosecurity Europe 2011 in London.

"The number of initial infections will be so low that it will cost cybercriminals more to develop the malware than they are able to recoup," said Kaspersky.

Stopping the cyber criminals

The past five years have been the golden age of cyber crime, but cloud-based technologies are the light at the end of the tunnel, he said.

Cyber crime has proliferated because of the high return on investment, the low barriers to entry and the low risk of prosecution by authorities, which are limited in their ability to act across international borders.

In 2007, Kaspersky Lab was seeing five new malware samples every two minutes, but in 2010, that had increased to one new sample every two seconds.

The vision does require industry-wide participation, and the most noticeable impact will be in the consumer space, but enterprises will still benefit, Kaspersky told Computer Weekly.

By eliminating the bulk of malware, he says, enterprises will be able to focus on the more complex and targeted attacks that are typically script-based or polymorphic.

Fast response to malware

Kaspersky Lab is one of only a handful of security suppliers to have implemented cloud-based fast responses to new malware using "fingerprints" gathered from customers who have agreed to become part of the information-gathering network.

This provides an almost instant security rating for all web-based applications, and any app that displays suspicious behaviour can be blocked and shut down within minutes of its appearance.
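The mechanism described above, clients submitting file fingerprints to a shared cloud service that returns a verdict immediately and turns a handful of "suspicious behaviour" reports into a network-wide block within minutes, can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from Kaspersky Lab or any other vendor named here; the fingerprint scheme (SHA-256 of the file bytes), the "hold" verdict for new and rare files, and the thresholds (three suspicious reports, a one-hour freshness window, prevalence below five clients) are all hypothetical choices made for the example, and the sample files and timestamps are constructed.

```python
import hashlib
from collections import defaultdict


def fingerprint(data: bytes) -> str:
    """Content fingerprint: SHA-256 of the file bytes (hypothetical scheme)."""
    return hashlib.sha256(data).hexdigest()


class ReputationService:
    """Toy model of a cloud reputation service (hypothetical).

    Participating clients report the fingerprint of every new executable they
    encounter, optionally flagging it as behaving suspiciously, and receive a
    verdict at once. Once enough independent clients flag the same
    fingerprint, it is blocked for every client on the next lookup.
    """

    def __init__(self, block_threshold=3, fresh_window=3600, rare_prevalence=5):
        self.block_threshold = block_threshold  # suspicious reports needed to block
        self.fresh_window = fresh_window        # seconds a fingerprint counts as "new"
        self.rare_prevalence = rare_prevalence  # fewer reporters than this counts as "rare"
        self.known_good = set()                 # vendor whitelist of trusted fingerprints
        self.known_bad = set()                  # fingerprints already blocked
        self.first_seen = {}                    # fingerprint -> timestamp of first report
        self.blocked_at = {}                    # fingerprint -> timestamp it was blocked
        self.reporters = defaultdict(set)       # fingerprint -> ids of clients that saw it
        self.suspicious = defaultdict(int)      # fingerprint -> count of suspicious reports

    def report(self, fp: str, client_id: str, now: int, suspicious: bool = False) -> str:
        """Record one client's sighting of a fingerprint and return the verdict."""
        self.first_seen.setdefault(fp, now)
        self.reporters[fp].add(client_id)
        if suspicious and fp not in self.known_good:
            self.suspicious[fp] += 1
            if self.suspicious[fp] >= self.block_threshold and fp not in self.known_bad:
                self.known_bad.add(fp)
                self.blocked_at[fp] = now
        return self.verdict(fp, now)

    def verdict(self, fp: str, now: int) -> str:
        """'block', 'allow', or 'hold' (new and rare: restrict until more is known)."""
        if fp in self.known_bad:
            return "block"
        if fp in self.known_good:
            return "allow"
        age = now - self.first_seen.get(fp, now)
        prevalence = len(self.reporters.get(fp, ()))
        if age < self.fresh_window and prevalence < self.rare_prevalence:
            return "hold"
        return "allow"

    def time_to_block(self, fp: str):
        """Seconds from first sighting to network-wide block, or None if not blocked."""
        if fp not in self.blocked_at:
            return None
        return self.blocked_at[fp] - self.first_seen[fp]


def demo() -> dict:
    """Walk a constructed unknown file through the service and return the outcomes."""
    svc = ReputationService()
    trusted = fingerprint(b"constructed sample: trusted updater v1")
    svc.known_good.add(trusted)
    unknown = fingerprint(b"constructed sample: previously unseen executable")
    t0 = 1_000_000  # constructed epoch-style timestamp
    verdicts = [
        svc.report(unknown, "client-A", t0),                          # first sighting
        svc.report(unknown, "client-A", t0 + 30, suspicious=True),    # behaviour flagged
        svc.report(unknown, "client-B", t0 + 90, suspicious=True),
        svc.report(unknown, "client-C", t0 + 150, suspicious=True),   # threshold reached
        svc.report(unknown, "client-D", t0 + 600),                    # later client: blocked at once
    ]
    return {
        "verdicts": verdicts,
        "time_to_block": svc.time_to_block(unknown),
        "trusted": svc.verdict(trusted, t0),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last report: client D never ran the file and never flagged it, yet receives "block" immediately because three other clients did, and the whole cycle from first sighting to block took 150 seconds rather than the hours a signature release would take. A real service would also weigh reporter trust and use richer telemetry than a single boolean, but the economics the article describes depend only on that time-to-block shrinking.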

So far only Symantec, McAfee, Trend Micro, Sophos and Eset have similar capabilities, but Kaspersky believes all top suppliers will follow suit.

"Just as they have all followed the practices of whitelisting and sandboxing, they will follow in rapid blocking using cloud because of market pressures," he says.

Once this is achieved, Kaspersky believes the barriers to entry will be raised for cyber criminals, making it a lot more difficult and expensive for them to operate.

As an interim measure, he says this approach will be effective in reducing the volume of threats until more effective approaches can be developed.

"Even though relatively few security suppliers are using this approach, from monitoring the underground forums, we know cyber criminals are feeling the effects," says Kaspersky.

Longer-term solutions, he believes, are likely to include an internet Interpol and internet passports.

An internet Interpol would enable cross-border operations by law enforcement organisations, he says, and web-based infections could be dramatically reduced by requiring anyone posting content to first present a valid internet passport.
