When you’re running a data center, uptime is money. Any program that bogs down your computing resources or slows down business-critical resources represents an unwelcome drain—especially if it fails to function as intended. Here’s a problem: most antivirus products fall under this unfortunate category.
Finding a server protection solution that works for the data center can be difficult. That’s why SentinelOne has provided a guide for data center security in the form of our latest white paper. In short, information security products need to adhere to two fundamental axioms in order to operate in the data center: they need to function without slowing down the enterprise, and they need to offer a real defense against bad actors.
It’s Time to Rethink Server Protection in Data Center Security
There are several reasons why antivirus, as it’s currently conceived, isn’t a great fit for data center security. First of all, most data centers are running partially virtualized environments, with one physical server running several VMs. When antivirus programs update their signatures or run scans on multiple VMs on the same machine at the same time, it bogs down the physical server immensely—a phenomenon known as an AV storm. Although these can be lessened by only scanning at staggered intervals, true protection from malware demands continuous monitoring.
Second of all, many antivirus programs don’t work as intended, in that they do an inconsistent job of protecting servers from viruses. As an example, many more advanced kinds of AV try to ensnare malware programs by tempting them into a sandboxed environment. These environments are like a roach motel for malware. If a malicious program deploys its payload inside a sandbox, it won’t come out, nor will it harm any critical systems.
That’s if the program is working as intended, of course. In practice, many new malicious programs now contain sensors that allow them to sense if they’re in a sandbox, and pass through them without executing. These traps can also break in other ways. Notably, ESET’s antivirus software actually contained a vulnerability that would have allowed hackers to attack its sandbox directly and gain control of the program.
Signatures Can Easily Be Rewritten
Let’s say that you decide to return to fundamentals, and choose a more traditional form of signature-based antivirus protection. More pitfalls await you—from our white paper:
“It is very easy to change malware to beat signature-based detection—so easy, in fact, that some enterprising criminals have monetized the signature-evasion process. Using a so-called ‘crypting’ service, bad actors will run different versions of their malicious software against all well-known signature-based AV programs. They will then tweak the software in an iterative manner until it is completely undetectable.”
The picture looks bleak. Traditional forms of antivirus can be outgunned by the equivalent of a random number generator. More advanced versions can also be fooled, if they aren’t broken themselves, and both forms of antivirus can hog resources within a server farm. To be honest, this picture doesn’t even scratch the surface of the ways in which criminals can bypass the perimeter and evade traditional AV. Lest we end this piece on a down note, however, we’d like to add that SentinelOne has created a server protection platform that does fulfill the fundamental axioms of information protection and data center security.
Understanding the Future
Because SentinelOne’s critical server protection platform runs out-of-band, it provides administrators with the benefits of continuous monitoring, but spares them the headaches of AV storms. What’s more, our solution doesn’t rely on signatures in order to identify malware. Rather, it looks at the way a program behaves. Malicious activities are much more difficult to conceal than malicious identities, and even the most advanced malware/ransomware variants cannot escape our notice.
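To make the contrast between the signature passage above and this behavior-based approach concrete, here is an added example (not SentinelOne’s code or any product’s detection logic). It uses a constructed stand-in for a binary and a constructed process-event trace; the rule threshold and event format are assumptions chosen for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a malware binary (not a real sample). The second
# variant differs by one appended byte, the kind of change the crypting
# process described above iterates on until no signature engine flags it.
SAMPLE_A = b"MZ\x90\x00" + b"constructed-payload-bytes" * 4
SAMPLE_B = SAMPLE_A + b"\x00"

# Signature database: the exact SHA-256 of the known sample.
KNOWN_BAD_HASHES = {hashlib.sha256(SAMPLE_A).hexdigest()}


def signature_match(blob: bytes) -> bool:
    """Hash-based signature check: true only for a byte-for-byte known sample."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_BAD_HASHES


# Constructed endpoint event trace: (pid, action, path). Process 4242 mass-
# rewrites documents and renames them with a new extension, ransomware-like;
# process 1001 is a word processor saving a single file.
EVENTS = [(1001, "write", "C:\\Users\\a\\Documents\\memo.docx")]
for i in range(6):
    EVENTS.append((4242, "write", f"C:\\Users\\a\\Documents\\q{i}.xlsx"))
    EVENTS.append((4242, "rename", f"C:\\Users\\a\\Documents\\q{i}.xlsx.locked"))


def behavior_match(events, threshold: int = 5) -> set:
    """Behavioral rule (assumed threshold): flag any pid that both writes and
    renames more than `threshold` distinct files, regardless of what the
    bytes of the binary doing it look like."""
    written = defaultdict(set)
    renamed = defaultdict(set)
    for pid, action, path in events:
        if action == "write":
            written[pid].add(path)
        elif action == "rename":
            renamed[pid].add(path)
    return {pid for pid in written
            if len(written[pid]) > threshold and len(renamed[pid]) > threshold}


if __name__ == "__main__":
    print("A matches signature:", signature_match(SAMPLE_A))  # True
    print("B matches signature:", signature_match(SAMPLE_B))  # False
    print("Behavior flags:", behavior_match(EVENTS))          # {4242}
```

The one-byte variant slips past the hash signature entirely, while the behavioral rule flags the same activity no matter which variant produced it; the benign single-save process stays below the threshold.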