Q&A with Immunet’s Oliver Friedrichs, by Steve Ragan - Oct 9 2009, 21:00
In August, The Tech Herald wrote an editorial about a newcomer to the anti-Malware scene, a company called Immunet. Immunet, with their cloud-based protection offering Immunet Protect, is the brainchild of two former Symantec executives. One of them, Oliver Friedrichs, answered several of our questions, directly related to our previous coverage.
The original editorial, which questioned whether Immunet was the first to offer cloud-based protections, caught the attention of Friedrichs, and the email communications related to it are what led to this Q&A.
There is a gap between the editorial, the subsequent review of Immunet Protect, and this Q&A. The delay was mostly due to lack of time.
Immunet recently pushed a new version of Immunet Protect, which among other things offers improvements to the application updater, fixes for the core cloud protocol, and support for Windows 7. This rollout kept Oliver busy, but he still managed to chat once things calmed down some.
As the Q&A offers some interesting insight into the company, we decided to run it.
The Tech Herald (TTH): Why did you start Immunet?
Oliver Friedrichs (OF): I had just left my former employer (Symantec) at the end of June, 2008 and I began to think - What is the biggest unsolved security problem? We were just starting to see a rapid increase in virus variants, and the problem was getting worse every month.
Due to heavy investment from criminals and the sheer profits that can be made by these groups, the severity and types of threats were rapidly evolving faster than vendors could respond. It quickly became apparent to me that the virus problem could not be contained using conventional approaches. Industry reviews bear that out - today's leading products detect less than 40% of new threats. If seatbelts only helped you 40% of the time we would have a serious problem. These numbers are a little-known fact to most.
TTH: The terms "Community Based Protection", "Cloud Computing", and "Collective Intelligence" are used extensively to describe Immunet Protect. I recently wrote that you were not the first company to use these technologies as a method of protection. Why do you not agree with this?
OF: I would argue that the devil is in the details. The terms “Community”, “Cloud” and “Collective Intelligence” can mean many different things. I will fully admit that there have been other cloud solutions and other collective intelligence approaches. Our statement that we are 'first' is meant to encompass the Community invitation system, Cloud and Collective intelligence combined. We still feel that we are first with this combined approach.
We feel that community based trust networks are a new approach to solving this problem that have not been fully explored. Anyone can amass a user-base and call them a community; but what vendors call 'Community' today are not really communities. They just include their entire user base and call it a community.
One endpoint is in no way related to another. There is no relationship; and therefore you cannot watch threats spread across personal and relationship boundaries. By introducing a social-graph into the equation you are able to approach this problem from a different perspective.
TTH: What is it that you do that makes you so unique as a company? Why is Immunet Protect so unique and different from other cloud or community-based offerings online, free, or paid?
OF: Our goal is to develop the smallest, fastest and most effective AntiVirus product. Our product today is only 4 megabytes and we will make every attempt to keep it small by continuing to move decision making to the cloud.
In the big world of AntiVirus products there are only two products that would come close (the others being PrevX and Panda Cloud AntiVirus). By using cloud computing we are able to reduce the virus analysis process from what takes days or weeks in a traditional AntiVirus company to minutes. This is an important factor when today's threats are relevant for only a few days.
Another differentiator is our Community based approach to solving this problem. Our approach allows you to build a protection network; one that ties you together with your friends, family and co-workers in an effort to make them safer. Our first foray is an invitation system, much like Facebook or LinkedIn. We will continue to build on this and introduce some novel new features to protect you better in the near future.
In addition, we have built the foundation of an AntiVirus company on a fraction of the cost, a fraction of the resources, and by using the latest advances in computing and internetworking. We are not burdened by decades of legacy technologies and infrastructure.
While this sounds obvious, it is a huge advantage and allows us to enter a space that is filled by large competitors who cannot innovate or move quickly due to these limitations. This allows us to dramatically reduce the cost of delivering protection to our users and deliver both a free product today and a low cost premium product in the future.
TTH: The community aspect of the Immunet site centers on inviting friends from Facebook, or contacts from Yahoo, Google, or other email sources to join the program. Will there be more to it? If so, what is coming that will add to what is already live in the Beta program?
OF: Yes, absolutely. What we've released to date is a foot in the door. We needed to launch the product in order to solicit feedback on both our desktop component and the web site itself. We plan to expand these capabilities to develop protection features around your personal community, as well as to report on what is being seen within your network.
As we've seen in other domains, once social graphs exist, it is possible to use them in a number of very interesting ways. We have not seen this done much in the context of security yet.
TTH: How many people does Immunet employ? I ask because there does not seem to be a lab of sorts, and only the CEO (yourself) and the VP (Alfred) are listed.
OF: We are a small company (less than 10 people); but we have found that teams of between 5-10 people can produce extraordinary results. We have seen companies invest tens of millions of dollars into ideas that were replicated by a startup of 10 people in about a third of the time and a fraction of the budget.
TTH: Your competition routinely mentions how many researchers and samples they process, as well as detection lab locations across the globe. What is the number of researchers employed by Immunet? How many samples are you processing in a day or month, and where are your labs?
OF: One of the biggest shifts happening in the AntiVirus space right now is the move from human analysis to automation. A human analyst can analyze at the very high end, about 40 viruses a day. Given that we see 40,000 a day today, this is an impossible feat, and would require 1000 analysts. Clearly nobody has that many. Enter automated classification technologies.
Immunet is heavily driven by the automated classification of viruses. These are technologies that we have built over the past year. Everyone at Immunet has the ability to do malware research, and does so, when it is needed. We do manual analysis on a subset of threats, but the majority are handled in an automated fashion. The list of recent detections that you see on our web site, for example, is a window into that (http://www.immunet.com).
TTH: Related to the previous question, since you are in the cloud, are you automating the detection and processing of malicious processes and applications? I ask because it is well-known that some of your competition does so, and that they employ large teams to help back the automated process.
OF: Yes, we do use similar approaches. I would argue that it doesn't require a large team however.
TTH: After using Immunet Protect, the detection over the cloud seems to be based on DNS queries with three crypto hashes, which suggests the use of MD5 or SHA hashes, which are only able to detect one Malware per signature. Is this correct? If not, can you explain how the cloud detection works?
OF: Our beta product uses a custom authenticated protocol that we have layered over DNS to perform fingerprint lookups. Today we support the three that you mention; but we will also be introducing some new generic fingerprint formats in the near future that will better deal with polymorphic and metamorphic threats.
Cloud AV technologies with fixed signatures work well today, especially because the signatures can be produced within seconds, but as more and more threats change on every install, the detection technologies themselves need to improve to detect that. Fingerprints (or detections) are one way in which we protect you immediately, but we also collect additional meta-data on the applications that you have installed (nothing that would affect your privacy however). These attributes also allow us to classify applications in the cloud.
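To make the exchange described in the question and answer above concrete, here is an added example (written for this page, not Immunet's code; Immunet's real wire format and keys are not public and nothing here is taken from them). It computes the three fixed fingerprints mentioned (MD5, SHA-1, SHA-256) for a file, encodes each as a DNS query name under a hypothetical zone, answers the query from a stub "cloud" blocklist with an HMAC-authenticated reply so the client can reject forged answers, and then shows the caveat in the answer: a one-byte variant of a known-bad file produces new hashes and is missed by exact fingerprint lookup. The zone name, shared key, encoding and sample bytes are all constructed for illustration.

```python
import hashlib
import hmac

# Hypothetical lookup zone and shared key (constructed for this example,
# not Immunet's real protocol). A real deployment would provision the key
# per client rather than hard-code it.
LOOKUP_ZONE = "lookup.example.invalid"
SHARED_KEY = b"example-shared-key"

# Constructed sample of a "known-bad" file and a one-byte polymorphic variant.
KNOWN_BAD = b"MZ\x90\x00" + b"constructed-malicious-sample" * 4
VARIANT = KNOWN_BAD + b"\x00"


def fingerprints(data: bytes) -> dict:
    """Return the three fixed fingerprints the interview mentions."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def query_name(algo: str, digest: str) -> str:
    """Encode one fingerprint as a DNS name (hypothetical encoding).

    DNS labels are limited to 63 bytes, so the 64-hex-char SHA-256 digest
    is split into two 32-character labels; MD5 and SHA-1 fit in two as well.
    """
    labels = [digest[i:i + 32] for i in range(0, len(digest), 32)]
    return ".".join(labels + [algo, LOOKUP_ZONE])


# The stub cloud's blocklist: names the cloud would have published after
# analysing KNOWN_BAD. Built from the sample itself so the example is offline.
BLOCKLIST_NAMES = {
    query_name(algo, digest) for algo, digest in fingerprints(KNOWN_BAD).items()
}


def _tag(qname: str, verdict: str) -> str:
    """HMAC binding the verdict to the exact name that was queried."""
    msg = f"{qname}|{verdict}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def cloud_answer(qname: str) -> str:
    """Stub cloud side: look the name up and return 'verdict;tag' (TXT-style)."""
    verdict = "malicious" if qname in BLOCKLIST_NAMES else "unknown"
    return f"{verdict};{_tag(qname, verdict)}"


def verify_answer(qname: str, answer: str):
    """Client side: return the verdict if the tag is valid, else None."""
    verdict, _, tag = answer.partition(";")
    if not hmac.compare_digest(tag, _tag(qname, verdict)):
        return None
    return verdict


def client_lookup(data: bytes, resolve=cloud_answer) -> str:
    """Query all three fingerprints; any authenticated 'malicious' wins."""
    for algo, digest in fingerprints(data).items():
        qname = query_name(algo, digest)
        verdict = verify_answer(qname, resolve(qname))
        if verdict is None:
            raise ValueError(f"unauthenticated answer for {qname}")
        if verdict == "malicious":
            return "malicious"
    return "unknown"


if __name__ == "__main__":
    print("known sample:", client_lookup(KNOWN_BAD))   # malicious
    print("one-byte variant:", client_lookup(VARIANT))  # unknown: exact hashes miss it
```

Two practitioner notes. The HMAC tag lets the client reject a spoofed or tampered DNS reply, but it does not hide the query: plain DNS is unencrypted, so any on-path observer learns which file hashes a client is looking up. And the `VARIANT` result is exactly the limitation the answer above refers to: a fixed fingerprint only matches the bytes it was computed over, which is why generic or fuzzy fingerprint formats are needed for threats that change on every install.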
TTH: Immunet Protect is community based. Related to the previous question, what are the criteria for something to be flagged? For example, is a file seen many times malicious or benign?
OF: We have a number of approaches to data analysis that reside in the cloud.
The great thing about moving decision making off of the desktop is that we can constantly refine and tune our algorithms without large software updates. We keep many of these techniques to ourselves, but here is one example.
If you run one of a number of other security products (McAfee, AVG and Norton for example), we will see when those products detect a file as a threat and provide this information to Immunet. There is a specific event that gets sent to Immunet when this happens. This then benefits the whole Immunet Protect community. It is similar to the SANS Dshield or Symantec DeepSight approach for Intrusion Detection events.
It is a true community based approach to AntiVirus and it allows us to get good visibility into threats seen by our user population. Many of our users run Immunet Protect alongside AVG for example. AVG relies on a traditional detection model and Immunet Protect adds real time cloud AntiVirus functionality to it. Since AVG and Immunet Protect are both free, it is a good combination. The same goes for Microsoft Security Essentials, which also does not provide real time cloud based protection.
TTH: Again on the topic of detection, is Immunet Protect using any generic signatures or heuristic layers in its protection offering? In the cloud, are you using a multi-scanning format? For example, are you using engines from several vendors to scan a file or process for malicious activity? If not, is the detection completely community, or user, driven?
OF: The initial beta did not provide generic detection, but we are testing this as we speak. A challenge with generic detection is keeping false positives low. You want a broad reach, but a low false positive rate. Stay tuned for improvements in our detection ability over the coming months. Our goal is to provide industry leading protection while remaining as small and nimble as we are.
We use a number of techniques to classify threats in the cloud. Some vendors do share their AV engines with each other in order to help with this classification, and we participate in this sharing, but that is only one method of many that can be used for classification. I've already mentioned some of these approaches above, and expect to see us talk more about them in the future.