Debate: Anti-virus is dead
Amichai Shulman and Sarb Sembhi
Pro: Amichai Shulman, CTO of Imperva
I think that the main reason that AV is dead is that it does not fit in the threat landscape of today.
On the one hand, there is the technological issue of attackers being able to generate new malware samples with incredible speed. In that kind of environment, looking for signatures is useless.
The other side of it is the change in IT landscape. When you rely on AV you assume that you have control over the machines that access the network. But with the modern environment, and the BYOD trend, you don't have that control over the devices accessing your systems and data sources.
When viruses and malware started you had a small group of people able to generate malware and action malware, and propagation from one computer to another was done by replicating internally.
But hackers have introduced polymorphism, which takes a single sample and repackages it. Initially, it was client-side polymorphism, so the virus came with code that was able to generate new variations of the same virus. What AV would do would be to find that replication code.
Today, polymorphism happens on the server side and attackers almost never rely on internal replication; they just rely on infecting as many people in the same organisation as possible using a large campaign, like water holing, phishing, or drive-by downloads.
You need to think where to use AV and where not to use AV. You also need to rethink the value of AV as a security tool, and as a consequence, rethink your budget.
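The point Shulman makes about server-side polymorphism can be seen in miniature with a small Python script. This is an added example, not part of the original debate or either speaker's material: it builds a few constructed text "samples" that share the same behaviour but are wrapped in different junk so that each one hashes differently, then shows that an exact-hash signature catches only the one variant it was written for, while a behaviour-based rule (here a constructed regular expression over the sample's action list) catches every variant. The payload strings, the `repackage` helper and the behaviour rule are all assumptions made for illustration; nothing here is real malware or a real AV signature format.

```python
import hashlib
import re

# Constructed stand-in for a malicious action sequence. It is plain text,
# used only to model "the same behaviour" across repackaged variants.
BASE_ACTIONS = "open:c2.example.invalid;write:autorun;spawn:cmd"


def repackage(payload: str, seed: int) -> str:
    """Model server-side repackaging: identical behaviour, different bytes.

    Each seed wraps the payload in different padding so the resulting
    sample (and therefore its hash) differs from every other seed.
    Assumed helper for this example only.
    """
    junk = f"#{seed:08x}#" * (seed % 5 + 1)
    return junk + payload + junk[::-1]


# A "signature database" built from the one variant an analyst happened to see.
SIGNATURES = {hashlib.sha256(repackage(BASE_ACTIONS, 1).encode()).hexdigest()}


def signature_match(sample: str) -> bool:
    """Exact-hash signature check: true only for a byte-identical sample."""
    return hashlib.sha256(sample.encode()).hexdigest() in SIGNATURES


# Constructed behaviour indicator: any sample that opens a remote endpoint
# and later spawns a shell is flagged, regardless of surrounding bytes.
BEHAVIOUR_RULE = re.compile(r"open:[^;]+;.*spawn:cmd")


def behaviour_match(sample: str) -> bool:
    """Behaviour-based check: looks at what the sample does, not its hash."""
    return BEHAVIOUR_RULE.search(sample) is not None


def evaluate(n_variants: int = 10) -> tuple:
    """Return (signature hits, behaviour hits) over n repackaged variants."""
    variants = [repackage(BASE_ACTIONS, s) for s in range(1, n_variants + 1)]
    sig_hits = sum(signature_match(v) for v in variants)
    beh_hits = sum(behaviour_match(v) for v in variants)
    return sig_hits, beh_hits


if __name__ == "__main__":
    sig, beh = evaluate()
    print(f"signature detections: {sig}/10, behaviour detections: {beh}/10")
    # A benign sample with no remote open + shell spawn is not flagged.
    print("benign flagged:", behaviour_match("open:docs;write:report"))
```

Running it shows one signature hit against ten behaviour hits for the ten variants, and no behaviour hit on the benign sample; the gap between those two counts is the argument for moving budget from signature matching toward controls that observe what code does on the endpoint and on the network.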
Anti: Sarb Sembhi, Director of Consulting Services at Incoming Thought
Is it dead? Surely if that were true Symantec would stop selling the product altogether.
For organisations that have plenty of controls in place, AV will be one or two additional controls – if they run host and network/border AV. However, in environments where AV is the only control, it's not dead as there is no other security. It's the only control they've got, so it's a vital element of their security armour.
It's the same if you look at personal users – for some AV is one of many controls, for others it is the only control, and yet there will be that last group who don't even use AV and will end up with their devices forming the basis of botnets around the world.
It's a given to say that AV products that rely only on signature-based detection are dying, but most AV companies have been using other technologies, like behavioural analytics, to monitor what's going on. I believe that all large anti-virus companies will rise to the challenge or go out of business.
I can't see any big companies giving up AV just because a few people have said it's dead. There is endpoint and network antivirus and each one offers something different. It's only dead if no-one is using it.
I would challenge any large corporation to stop using AV completely as it does protect end users and provide some level of protection. The value may have diminished but it hasn't diminished completely.
As long as AV is considered as one of many tools to check off the risks, then that's OK, as it's just one of the many types of controls available.