Day after day we see real and so-called security experts announcing the newest security apocalypse. Claiming that antivirus is a dead technology, they invite you to uninstall it and buy new next-generation technologies that will automatically collect, analyze and detect the malicious intentions behind attacks and data compromises from the moment they are born in the minds of the bad guys.
Sometimes these opinions come from people more or less familiar with the topic (Is Anti-Virus Scanning/Detection Obsolete?), and you can see that most of the opinions there are not so negative, apart from the classic advertising for some AV brands. Other times they come from specialists in the field, trying to give an opinion or just sell their “stuff”.
Several days ago I came across a new opinion, AV isn’t Dead, It Just Can’t Keep Up, from Lastline Labs. They claim that AV is powerless against new threats and support this opinion by submitting samples to the well-known website VirusTotal and reporting that no AV engine was capable of detecting a zero-day sample, not even after days.
That doesn’t surprise me or anyone who knows how VirusTotal works: it runs the scan engines of dozens of vendors against a submitted file, and those engines are the static, mostly signature-based layer of each product. The behavioral monitoring, cloud reputation and exploit-prevention layers that the same vendors ship on a real endpoint are not part of that scan. Of course, this works for known malware, not for zero-days, by definition.
If you change a single string (even a single byte) in a known malware sample, a hash or exact byte-pattern signature no longer matches, so the file becomes “unknown” and passes all those dozens of engines unidentified. But this is precisely why no decent anti-malware product relies only on signature engines.
Signatures are complemented by many other technologies that some now try to “sell” under new packaging: behavioral analysis, pattern recognition and heuristics, advanced threat detection, collective intelligence (in the cloud or not), malware profiling, whitelisting, threat intelligence, threat correlation and a long list of others.
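To make the “change one string and the signature breaks” point concrete, here is an added example (written for this page, not Bitdefender’s or any vendor’s detection code). It scans a constructed, inert batch script that merely looks like a dropper with three layers: a SHA-256 blacklist, a fixed byte-pattern signature, and a weighted heuristic over generic behaviour indicators. The sample, the heuristic rules, their weights and the threshold are all assumptions chosen for illustration; a one-value rename defeats the first two layers and leaves the third untouched.

```python
import hashlib
import re

# Constructed stand-in for a "known malware sample": an inert batch script that
# only *looks* like a dropper. It is never executed here; it exists so the three
# detection layers below have realistic input.
KNOWN_SAMPLE = (
    b"@echo off\r\n"
    b"copy %0 \"%APPDATA%\\svchost.exe\"\r\n"
    b"reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"
    b" /v upd /d \"%APPDATA%\\svchost.exe\" /f\r\n"
    b"powershell -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA\r\n"
    b"del /f /q %0\r\n"
)

# The "change a string" repack: one registry value name renamed, behaviour identical.
VARIANT_SAMPLE = KNOWN_SAMPLE.replace(b"/v upd ", b"/v upd2 ")

# --- Layer 1: file-hash blacklist (the most brittle kind of signature) -------
HASH_BLACKLIST = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def hash_signature_hit(data: bytes) -> bool:
    return hashlib.sha256(data).hexdigest() in HASH_BLACKLIST

# --- Layer 2: exact byte pattern lifted from the known sample ----------------
EXACT_STRING_SIG = b"CurrentVersion\\Run /v upd /d"

def string_signature_hit(data: bytes) -> bool:
    return EXACT_STRING_SIG in data

# --- Layer 3: weighted heuristics over behaviour classes, not bytes ----------
# (rules and weights are illustrative assumptions, not any product's rule set)
HEURISTICS = [
    ("run-key persistence",   re.compile(rb"reg add .*CurrentVersion\\Run", re.I), 3),
    ("self-copy to APPDATA",  re.compile(rb"copy %0 .*%APPDATA%", re.I),         2),
    ("hidden encoded PS",     re.compile(rb"powershell\b.*-w\w* hidden\b.*-e(nc|ncodedcommand)?\b", re.I), 3),
    ("self-delete",           re.compile(rb"del /f /q %0", re.I),                 2),
]
HEURISTIC_THRESHOLD = 5

def heuristic_score(data: bytes):
    """Return (total weight, names of rules that fired)."""
    hits = [(name, weight) for name, rx, weight in HEURISTICS if rx.search(data)]
    return sum(w for _, w in hits), [n for n, _ in hits]

def heuristic_hit(data: bytes) -> bool:
    return heuristic_score(data)[0] >= HEURISTIC_THRESHOLD

def scan(data: bytes) -> dict:
    """Verdict of each layer for one file; True means 'detected'."""
    return {
        "hash": hash_signature_hit(data),
        "string": string_signature_hit(data),
        "heuristic": heuristic_hit(data),
    }

if __name__ == "__main__":
    print("known:  ", scan(KNOWN_SAMPLE))     # all three layers fire
    print("variant:", scan(VARIANT_SAMPLE))   # only the heuristic layer fires
```

The heuristic layer survives the repack because it keys on what the script does (persists via a Run key, copies itself, launches hidden encoded PowerShell, deletes itself) rather than on the exact bytes; a real product’s behavioral and emulation layers apply the same idea at runtime rather than to a static file.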
We can’t speak for the others, but here at Bitdefender we use at least 5-6 other “advanced” or “next generation” defenses, which helps explain our good results in objective tests.
But thanks to this news I got the opportunity to look at the Lastline ATP sandboxing technology, which does the following: it collects samples from its users, “detonates” them in a sandbox (usually a virtual machine), observes them for minutes before reaching a verdict, and then updates the information about the file/process in its cloud. I suppose we shouldn’t call that signatures, though.
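As an added illustration of what a detonation verdict rests on, and why “observes them for minutes” matters, here is a toy sandbox scorer (example code written for this page; it is not Lastline’s, Bitdefender’s or any real sandbox’s logic). The event traces, the rules, their weights, the threshold and the sleep-skipping trick are all constructed assumptions. The same dropper is scored twice: once as written, and once after it prefixes its activity with a five-minute sleep, which empties a 60-second observation window.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass(frozen=True)
class Event:
    t: float       # seconds since process start, on the sandbox clock
    kind: str      # "sleep", "file_write", "reg_set", "proc_create", "net_connect"
    detail: str    # path, registry value, host:port, or sleep seconds

RUN_KEY = r"\CurrentVersion\Run"
KNOWN_GOOD_HOSTS = {"192.0.2.10"}        # constructed allowlist (TEST-NET-1)
THRESHOLD = 5                            # assumed verdict threshold

# Constructed traces, not real sandbox output. Addresses are documentation ranges.
PROMPT_DROPPER = [
    Event(0.2, "file_write",  r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    Event(0.5, "reg_set",     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd"),
    Event(0.9, "proc_create", r"C:\Users\victim\AppData\Roaming\svchost.exe"),
    Event(3.0, "net_connect", "203.0.113.7:443"),
]
# Identical behaviour, but it sleeps 300 s first hoping the sandbox gives up.
EVASIVE_DROPPER = [Event(0.1, "sleep", "300")] + [
    Event(e.t + 300, e.kind, e.detail) for e in PROMPT_DROPPER
]
BENIGN_UPDATER = [
    Event(0.3, "net_connect", "192.0.2.10:443"),
    Event(1.2, "file_write",  r"C:\Program Files\Vendor\app.log"),
]

def analyze(trace: List[Event], window_s: float) -> Tuple[int, List[str]]:
    """Score only the events the sandbox observed within window_s seconds."""
    seen = [e for e in trace if e.t <= window_s]
    written = {e.detail for e in seen if e.kind == "file_write"}
    score, hits = 0, []
    if any(e.kind == "reg_set" and RUN_KEY in e.detail for e in seen):
        score += 3; hits.append("run-key persistence")
    if any(e.kind == "proc_create" and e.detail in written for e in seen):
        score += 4; hits.append("drops and executes a file")
    if any(e.kind == "net_connect" and e.detail.split(":")[0] not in KNOWN_GOOD_HOSTS
           for e in seen):
        score += 1; hits.append("outbound connection to unknown host")
    if any(e.kind == "sleep" and float(e.detail) >= 60 for e in seen):
        score += 2; hits.append("long sleep before activity (evasion indicator)")
    return score, hits

def verdict(trace: List[Event], window_s: float) -> str:
    return "malicious" if analyze(trace, window_s)[0] >= THRESHOLD else "no verdict"

def skip_sleeps(trace: List[Event]) -> List[Event]:
    """Emulate a sandbox that patches Sleep(): the call returns immediately,
    so every later event is pulled earlier by the skipped duration."""
    out, skipped = [], 0.0
    for e in trace:
        out.append(Event(e.t - skipped, e.kind, e.detail))
        if e.kind == "sleep":
            skipped += float(e.detail)
    return out

if __name__ == "__main__":
    for name, trace in [("prompt", PROMPT_DROPPER), ("evasive", EVASIVE_DROPPER),
                        ("benign", BENIGN_UPDATER)]:
        print(f"{name:8s} 60s: {verdict(trace, 60):10s} 600s: {verdict(trace, 600)}")
    print("evasive, sleeps skipped, 60s:", verdict(skip_sleeps(EVASIVE_DROPPER), 60))
```

The evasive sample gets no verdict in a 60-second window, is caught in a 600-second one, and is caught again in 60 seconds once the sandbox fast-forwards its sleep; that trade-off between observation time, throughput and anti-evasion tricks is what separates one detonation service from another.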
But probably more concerning is when the sentiment comes from people representing well-known vendors, like Symantec’s VP (more info here). It certainly made the headlines, but the people who actually read the announcement realized that it was just marketing jiu-jitsu for a new product line and that Symantec won’t close its AV division.
Bottom line, we face several indisputable realities:
- Security budgets are on the rise, but every day we hear about new successful attacks, with data worth millions of dollars compromised;
- Classic antivirus engines (meaning purely signature-based ones) fail against zero-day and advanced attacks;
- Malware writers take advantage of many undisclosed vulnerabilities, abusing OS, application and protocol weaknesses in ways nobody imagined;
- CSOs and CISOs struggle to balance tight budgets, the shortage of trained and experienced security professionals, the lack of awareness among their users and the increasing pressure of new computing models like BYOD, work from home and virtualization.
What elements are part of the solution?
1. Identify the root causes, including:
- Legacy systems, built many years ago and kept “untouched” (and unpatched) because they work, they are “in production” and downtime is not acceptable;
- Heterogeneous security defenses: a lot of point technologies from various vendors, each promising to solve one or several problems, real or improbable. Each requires attention, generates a multitude of events per second and eats up a large chunk of the precious time of skilled, expensive and rare security personnel;
- Shifting perimeters: because of new work styles the area to defend has grown into something hard to define, including employees’ homes, clouds, mobile devices, etc.;
- Sophisticated threats appear daily, many of them well conceived, with advanced evasion techniques designed to slip past security countermeasures;
- New demands from end users: BYOD, VDI, computing anywhere, hybrid cloud and shadow IT.
2. Identify what data is really important (yours, your clients’, your partners’) and who is entitled to access it. Look at this information from the risk perspective: what will happen if this data is altered, disclosed or unavailable?
Once you have determined what is most important:
- Tightly restrict access to this core data so that people, processes and applications that don’t need it can’t get to it. You may find entire departments with access to things they don’t need because of that “one time” years ago…
- Understand your information flows: what data is generated, where, and where it is processed and stored. Ask a thousand and one questions.
- Try to understand your network behavior, based on user profiles and their traffic patterns (are there partners or customers in China, for example?).
- Select solutions that solve your real problems, not just the stuff someone got a good 5-year price on. If you virtualize, get a security solution for virtualization; if you want to protect mobile devices, choose an MDM with enhanced security capabilities. Get the best cloud offers, negotiate SLAs and check that they are actually delivered.
- Get automated. Security people are expensive, so don’t waste their time on irrelevant information; use technology to filter the junk and present only the interesting. This is why even these so-called obsolete AVs are critical: if they stop 99.5% of the malware, they let your people dedicate their time to the 0.5% that may be new, targeted and dangerous.
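The “understand your network behavior per user profile” advice above becomes actionable once you have a per-user baseline to compare against. As an added example (written for this page; not Bitdefender’s product logic), the following builds such a baseline from a week of constructed, GeoIP-enriched flow records and then flags two things on day 8: traffic to a country a user has never talked to, and an outbound-volume spike well outside that user’s own daily pattern. The users, flows, addresses (documentation ranges), z-score threshold and sigma floor are all assumptions. Note that the sales user’s daily traffic to a partner in China produces no alert, because it is part of her baseline; the same destination from an engineer who never talked to that country does.

```python
from collections import defaultdict
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set, Tuple

class Flow(NamedTuple):
    day: int           # day index; days 1-7 are the learning period
    user: str          # owner of the source host (from identity/DHCP correlation upstream)
    dst_ip: str
    dst_country: str   # as enriched by a GeoIP lookup upstream
    mb_out: int        # outbound megabytes

class Alert(NamedTuple):
    user: str
    kind: str          # "new-country" or "volume-spike"
    detail: str

# Constructed flows. "ana" (sales) talks to a partner in CN every day;
# "bob" (engineering) only ever talks to a DE build server.
BASELINE_FLOWS = (
    [Flow(d, "ana", "203.0.113.20", "CN", mb)
     for d, mb in zip(range(1, 8), [280, 320, 300, 310, 290, 300, 300])]
    + [Flow(d, "bob", "198.51.100.5", "DE", mb)
       for d, mb in zip(range(1, 8), [90, 110, 100, 95, 105, 100, 100])]
)
DAY8_FLOWS = [
    Flow(8, "ana", "203.0.113.20", "CN", 310),    # usual partner traffic
    Flow(8, "bob", "198.51.100.5", "DE", 100),    # usual build traffic
    Flow(8, "bob", "203.0.113.99", "CN", 1900),   # never-seen country, ~20x daily volume
]

def build_baseline(flows: List[Flow]) -> Tuple[Dict[str, Set[str]], Dict[str, Tuple[float, float]]]:
    """Per user: the set of destination countries seen, and (mean, stdev) of daily MB out."""
    countries: Dict[str, Set[str]] = defaultdict(set)
    per_day: Dict[str, Dict[int, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        countries[f.user].add(f.dst_country)
        per_day[f.user][f.day] += f.mb_out
    stats = {user: (mean(days.values()), pstdev(days.values()))
             for user, days in per_day.items()}
    return dict(countries), stats

def detect(flows: List[Flow], countries, stats, z: float = 3.0,
           min_rel_sigma: float = 0.2) -> List[Alert]:
    """Flag first-seen destination countries and daily outbound volume above mean + z*sigma."""
    alerts: List[Alert] = []
    totals: Dict[Tuple[str, int], int] = defaultdict(int)
    for f in flows:
        totals[(f.user, f.day)] += f.mb_out
        if f.dst_country not in countries.get(f.user, set()):
            alerts.append(Alert(f.user, "new-country",
                                f"first traffic to {f.dst_country} ({f.dst_ip})"))
    for (user, day), total in totals.items():
        mu, sigma = stats.get(user, (0.0, 0.0))
        # Floor sigma so a perfectly flat baseline does not alert on a +1 MB day.
        sigma = max(sigma, min_rel_sigma * mu)
        if mu and total > mu + z * sigma:
            alerts.append(Alert(user, "volume-spike",
                                f"day {day}: {total} MB out vs baseline {mu:.0f}+/-{sigma:.0f}"))
    return alerts

if __name__ == "__main__":
    countries, stats = build_baseline(BASELINE_FLOWS)
    for a in detect(DAY8_FLOWS, countries, stats):
        print(a)
```

Two alerts come out, both for “bob”; that is the kind of pre-filtered, context-rich event worth an analyst’s time, as opposed to every flow to China landing in the SIEM.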
And if, at the end of the day, you still believe what the experts say and decide to turn your AV OFF, be prepared to turn it back ON in a hurry.