The death of anti-virus

Symantec's announcement that 'anti-virus is dead' shouldn't surprise anyone. What's shocking is how long it took to admit it.


For 25 years now, anti-virus vendors have been promising near-enough 100 percent protection … and now, all of a sudden, it's 45 percent.

What looks like a bold announcement is really just cover for an immature industry still completely wedded to reactive forms of IT defence. There has been no shortage of threat intelligence reports from companies such as NTT Com Security showing just how ineffective the world's most commonly adopted security control really is. Symantec no doubt recognised that corporates were unlikely to carry on spending hard-pressed security budgets on technologies that are, depending on which report you read, perhaps only 17 percent effective.

The fatal flaw of anti-virus is its reactive nature: it is built on swatting down known threats but is largely useless at identifying and stopping new ones. With entire business models built on that approach, however, there is a real possibility that current solutions based on signatures and whitelisting will simply be re-badged. I can't think of any reason why companies would or should accept this.

If anti-virus is ‘dead’ then it's time to demand an alternative. While we have been relying on anti-virus to keep the bad guys out of our files and documents, scant regard has been paid to ensuring that the actual underlying structure and content of those documents is safe, secure and trustworthy. Adopting a ‘signature-based approach’ means the bad guys set the agenda. Is it any wonder, then, that anti-virus companies are now having to come clean, admitting that such a reactive stance is all but ineffective in a world where exploits are often written specifically for each new target? Your information and intellectual property are worth this kind of investment by criminals, whilst an investment in anti-virus solutions (and many organisations have more than one product installed ‘just to be sure’) is all but wasted.

What if, as a CISO, you could announce to your board, when they hear that anti-virus is dead, that you only allow into your organisation files and documents which are known to be 100 percent good against your own defined policies and controls? That you already had a plan to replace redundant anti-virus with a solution that offers deep inspection of every file coming in and out of the organisation and in storage, and that you have sanitised files you can trust every time?

And what is this alternative? Well, it's not sandboxing.

The files we use every day, such as PDFs, MS Office documents and images, are a primary threat vector for zero-day attacks and advanced persistent threats (APTs). Organisations need to manage this risk, but slowing down file collaboration is something that few business users would welcome, whatever the security imperative. Yet this is exactly what happens when organisations adopt sandboxing as part of their information security processes. Isolating and inspecting files takes time: time to move and quarantine the file, time to confirm that something ‘bad’ has executed, fix it or decide that it was fine all along, and then release it once this process is complete.

Although examining files in a safe environment is a pragmatic approach, there is no avoiding the fact that it disrupts workflow and slows down business. This is perhaps why the majority of organisations choose not to run sandboxing applications in-line, making them less of a proactive detection engine and more of an after-the-fact incident response measure or forensics tool. The result is that sandboxing is not helping organisations actively tackle APT and zero-day attacks, issues high on most organisations' list of information security and risk priorities.

So if anti-virus is dead and sandboxing sub-optimal, proactive protection must be the future. Trying to keep pace with what the bad guys are doing is not only expensive and hard to predict, it is ultimately futile. Rather than waiting until they can defend themselves against known threats, more and more organisations are seeking to define what ‘good’ looks like for their specific business files and infrastructure, refocusing their investment on proactive defence. Combine this with the latest solutions and services that give real-time visibility of threats and perhaps organisations can get back in control, not only of their risk but also of their spending on ‘dead’ technology to fight a very live threat.
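To make the contrast concrete, here is an added example (not Glasswall's product or code) of what "defining what good looks like" means in practice: an allow-list policy, chosen by the organisation, is checked against the structure of each incoming file, so the verdict depends on the file's own content rather than on a signature of a known attack or on detonating it in a sandbox. The policy, the file-type checks and the sample PDF and .docx are all constructed for this illustration.

```python
import io
import re
import zipfile

# Policy: "what good looks like" per file type (constructed for this example). A PDF may not
# carry active content or embedded files; a .docx may not carry VBA, executables or external links.
POLICY = {
    "pdf": [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch", b"/EmbeddedFile"],
    "docx": {"parts": re.compile(r"vbaProject\.bin$|\.(exe|dll)$", re.I),
             "rels": re.compile(rb'TargetMode="External"')},
}

def detect_type(data):
    """Classify by structure, not extension (the extension is attacker-controlled)."""
    if data.startswith(b"%PDF-"):
        return "pdf"
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return "docx" if "[Content_Types].xml" in z.namelist() else None
    return None

def inspect_file(data):
    """Return (verdict, reasons); 'allow' only when every policy check passes."""
    kind = detect_type(data)
    if kind is None:
        return "block", ["structure not recognised by policy"]
    reasons = []
    if kind == "pdf":
        for name in POLICY["pdf"]:  # name must not continue as a longer name (/JS vs /JSX)
            if re.search(re.escape(name) + rb"(?![A-Za-z])", data):
                reasons.append(f"pdf: {name.decode()} present")
    else:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for part in z.namelist():
                if POLICY["docx"]["parts"].search(part):
                    reasons.append(f"docx: forbidden part {part}")
                if part.endswith(".rels") and POLICY["docx"]["rels"].search(z.read(part)):
                    reasons.append(f"docx: external relationship in {part}")
    return ("block" if reasons else "allow"), reasons

# Constructed samples: a PDF whose OpenAction runs JavaScript, and a .docx with a VBA project.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/OpenAction 2 0 R>>endobj\n"
              b"2 0 obj<</S/JavaScript/JS(app.alert('hi'))>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF")

def build_docx(with_macro):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        if with_macro:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE header bytes only
    return buf.getvalue()
```

The PDF check is a byte-level scan kept short for illustration; a production inspector parses the object tree so that names hidden in compressed object streams or hex-escaped (such as /J#61vaScript) are still judged against the policy, and it rebuilds the file from the allowed elements rather than merely blocking it.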

by Greg Sim, Glasswall Solutions