Rob Rachwald and Zheng Bu at FireEye came up with some interesting observations: "At FireEye, we look at hundreds of malware samples daily, and, in a recent talk at RSA Conference, Zheng Bu, vice president of research at FireEye, presented some interesting data that security teams should consider as they think about their AV initiatives. Looking at nearly half a million malware samples over two years, our researchers discovered that the average lifespan of a piece of malware is very short. The chart below compares how many hours (X axis) malware lives against the total pool of malware samples (Y axis) to show just how quickly they disappear:
Our data shows an interesting picture: most malware remains active for no more than two hours when FireEye is detecting it. To be precise, our analysis showed that in 2013:
- 82 percent of malware disappears after one hour
- 70 percent of malware only exists once
With the half-life of malware being so short, we can draw the conclusion that the function signature-based AV serves has become more akin to ghost hunting than threat detection and prevention."
This observation makes the case for much more modern strategies for threat protection. Here is an article on Dark Reading that presents essentially my approach to endpoint security, "Think Positive", in other words whitelisting: http://www.darkreading.com/endpoint/a-new-approach-to-endpoint-security-think-positive/a/d-id/1251085
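To make the quoted figures concrete, here is an added example (not code from FireEye or from this post) that derives the two shares quoted above from a set of sighting records and then estimates how many sightings a signature published with a given delay after a sample's first appearance would still catch. The sample ids, timestamps and the "signature lag" model are constructed assumptions, not FireEye's data or method.

```python
from collections import defaultdict

# Constructed sightings: (sample_id, hours since the feed first saw anything).
# Toy values, not FireEye's data; chosen so the shares land near the post's figures.
SIGHTINGS = [
    ("s01", 0), ("s02", 10), ("s03", 20), ("s04", 30), ("s05", 40), ("s06", 50), ("s07", 60),
    ("s08", 0), ("s08", 0.5),
    ("s09", 5), ("s09", 8),
    ("s10", 12), ("s10", 13), ("s10", 14), ("s10", 36),
]

def lifespans(sightings):
    """Per sample: (hours between first and last sighting, number of sightings)."""
    first, last, count = {}, {}, defaultdict(int)
    for sample, t in sightings:
        first[sample] = min(first.get(sample, t), t)
        last[sample] = max(last.get(sample, t), t)
        count[sample] += 1
    return {s: (last[s] - first[s], count[s]) for s in first}

def share_gone_within(sightings, hours):
    """Fraction of samples never seen again more than `hours` after their first sighting."""
    spans = lifespans(sightings)
    return sum(1 for span, _ in spans.values() if span <= hours) / len(spans)

def share_seen_once(sightings):
    """Fraction of samples that appear exactly once in the feed."""
    spans = lifespans(sightings)
    return sum(1 for _, n in spans.values() if n == 1) / len(spans)

def signature_coverage(sightings, lag_hours):
    """Fraction of sightings a signature would catch if it only becomes available
    `lag_hours` after the sample's first sighting (assumed model, not FireEye's)."""
    first = {}
    for sample, t in sightings:
        first[sample] = min(first.get(sample, t), t)
    caught = sum(1 for sample, t in sightings if t >= first[sample] + lag_hours)
    return caught / len(sightings)

if __name__ == "__main__":
    print(f"gone within 1h: {share_gone_within(SIGHTINGS, 1):.0%}")
    print(f"seen once:      {share_seen_once(SIGHTINGS):.0%}")
    for lag in (0.25, 1, 24):
        print(f"signature lag {lag:>5}h catches {signature_coverage(SIGHTINGS, lag):.0%} of sightings")
```

The point the numbers make is that once the signature lag exceeds the typical lifespan, most sightings fall before the signature exists, so a default-deny (whitelisting) control that does not depend on knowing the sample in advance is what actually covers them.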