


Time for Antivirus to expire?

Editorial Type: Opinion     Date: 05-2015    Views: 1808   







Not wishing to misquote Mark Twain, Adam Winn, Product Manager at OPSWAT, states firmly that anti-virus is definitely not dead.

Reports that antivirus is dead have been surfacing frequently over the past several years, usually from organisations proposing their newest, most innovative protection against cyber-attacks - the highest-profile example being the recent Wall Street Journal interview with Brian Dye, VP of Symantec.

The death-cry often refers to the changing threat landscape and the emergence of advanced persistent threats (APTs) - apparently AV can't possibly protect against these increasingly complex, targeted attacks.

While APTs and targeted attacks get most of the media attention, the fact remains that common, commodity malware still exists in force. Many attackers are not sophisticated and are opportunistically trying to make some money. For these attackers, using commodity malware in high volumes is much cheaper and easier than mounting a specially crafted, targeted attack on a handful of organisations.

Targeted attacks are so much more expensive for attackers because they lose their effectiveness each time they are deployed. The element of surprise is vital to success, which is why zero-day exploits are valuable on the black market. If the attacker doesn't have to use an expensive targeted attack then why would they?

There are still 10-year-old viruses being used by attackers simply because they work. According to HP's 2015 Cyber Risk Report, "44 per cent of known breaches in company network security were the result of well-known techniques". Some targeted and advanced threats even use commodity malware as an initial network entry point. If everyone were to remove standard endpoint antivirus protection because they believed it was dead, attackers would have a field day.

Once we accept that known threats are still an issue, signature-based antivirus is the most cost-effective (even free) and reliable way to stop them. Traditional antivirus solutions are good at detecting most commodity malware and offer even better detection rates when several engines are combined through multi-scanning, because no single engine's signature set covers everything and the union of their verdicts catches what any one of them would miss. Protecting yourself from targeted and advanced threats is much easier if you at least have baseline protection against known threats. In addition, many unknown threats are variants of existing known threats, and heuristic algorithms in antivirus products have become highly competent at detecting them.
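As an added illustration of the two points above (this is example code written for this page, not code from the article or from OPSWAT's products), the following constructed Python example pits an exact-hash signature engine and a byte-pattern "heuristic" engine against a known sample, a trivially mutated variant of it, and a benign file, then combines their verdicts the way a multi-scanner does. The sample bytes, signature names and engine logic are all invented for the demonstration and are harmless.

```python
"""Constructed demo: hash signatures vs. byte-pattern signatures vs. multi-scanning.
Nothing here is real malware; the samples are made-up byte strings."""
import hashlib
import re

# Constructed, harmless sample "files" (hypothetical, not real malware):
# a fake PE-like header, zero padding, then a command line in the body.
KNOWN_SAMPLE = b"MZ" + b"\x00" * 14 + b"cmd.exe /c powershell -enc SQBFAFgA" + b"\x00" * 8

# A "variant": identical except for one byte flipped inside the zero padding.
# Commodity malware is routinely repacked or trivially mutated like this,
# which is enough to defeat an exact-hash signature.
VARIANT = bytearray(KNOWN_SAMPLE)
VARIANT[5] = 0x41
VARIANT = bytes(VARIANT)

# A benign file with the same header layout and no suspicious content.
BENIGN = b"MZ" + b"\x00" * 14 + b"hello world" + b"\x00" * 8

# Engine 1: exact SHA-256 signatures, the classic "known bad file" database.
HASH_SIGNATURES = {
    hashlib.sha256(KNOWN_SAMPLE).hexdigest(): "Trojan.Constructed.A",
}

# Engine 2: byte-pattern (YARA-style) signatures keyed on behaviour-revealing
# content rather than the whole file, so they survive small mutations.
PATTERN_SIGNATURES = [
    (re.compile(rb"powershell\s+-enc\s+[A-Za-z0-9+/=]{4,}"), "Heur.EncodedPowerShell"),
]


def hash_engine(data: bytes):
    """Return a detection name if the file's SHA-256 is in the signature set, else None."""
    return HASH_SIGNATURES.get(hashlib.sha256(data).hexdigest())


def pattern_engine(data: bytes):
    """Return a detection name if any byte pattern matches, else None."""
    for pattern, name in PATTERN_SIGNATURES:
        if pattern.search(data):
            return name
    return None


ENGINES = {"hash": hash_engine, "pattern": pattern_engine}


def multiscan(data: bytes, engines=ENGINES):
    """Run every engine and flag the file if any engine detects it (union of verdicts)."""
    verdicts = {name: engine(data) for name, engine in engines.items()}
    return {
        "detected": any(v is not None for v in verdicts.values()),
        "verdicts": verdicts,
    }


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, multiscan(sample))
```

Run stand-alone, the hash engine names the known sample but returns None for the one-byte variant, the pattern engine catches both because it keys on the encoded-PowerShell command line rather than the file hash, and the multi-scanner verdict is the union of the two, so the variant is still flagged. The caveat a practitioner should keep in mind is that a union of verdicts also unions false positives, which is why the benign sample is included: any engine added to a multi-scanner must be tuned so that it stays quiet on clean files.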

Between the first report of the death of antivirus and today, the idea of antivirus itself has been evolving from the traditional signature-based engine. Antivirus is now anti-malware and it encompasses anti-spyware, anti-grayware, anti-exploit kits, and all manner of PUA/PUP warnings which can be just as dangerous to an organisation. Our own solution found that 3.3 per cent of devices contained previously undetected malware and PUAs, indicating that the efforts anti-malware vendors are making in this direction are more than warranted.

This isn't to say that APT protection isn't good and necessary for enterprise-level companies, but it shouldn't come at the cost of a well-managed and enforced endpoint security policy that includes 'boring' technologies like antivirus and a personal firewall. I like to use the analogy of a brand new luxury car; while it may come with a fancy high-tech alarm to prevent theft, the owner will still lock the doors and close the windows as general best practice. APT protection is like the high-tech alarm while endpoint anti-malware protection is analogous to locking the door - much less impressive to tell your friends about but still an effective line of defence against casual thieves looking for a quick win.

Antivirus isn't dead, and neither are the many other security solutions that in isolation simply cannot prevent 100 per cent of attacks. In IT security there is no silver bullet. Security teams need to employ diversified, layered methods in their approach to protecting their organisations in order to block different types of threats and mitigate a variety of risks. NC
