Anti-virus is dead - but ghosts get chased

News by Tim Ring

Symantec declares AV dead. Not everyone agrees, though FireEye researchers say most malware is gone before AV starts looking.

The message ‘anti-virus is dead' may finally get heard by corporate leaders and businesses after it was pronounced in public by Brian Dye, senior VP for information security at anti-virus pioneer firm Symantec, which supplies Norton AV software.

Dye's declaration, reported in the Wall Street Journal on May 4, has provoked a strong reaction and some criticism from security experts, who say users still need to hear the message that cyber attacks require a broad range of defence technologies - but question Symantec's reasons for saying it.

Dye told the Wall Street Journal that anti-virus "is dead. We don't think of anti-virus as a money maker in any way." His comments were quickly clarified in a statement to journalists by Symantec that admitted "the era of AV-only is over” but said: “Symantec led the first era of security with anti-virus, and it continues to be an important part of our portfolio.”

Reacting to Dye's comments, leading industry expert Brian Honan, head of BH Consulting, said the message that anti-virus alone is inadequate still needs to be spread.

He told SC: “The amount of times I go out and talk to clients and they go, ‘well I'm secure, I have anti-virus software'. It's good that they should be made aware that there is more to security than just anti-virus software.”

Cyber expert John Walker, a visiting professor with Nottingham-Trent University's School of Science and Technology, agreed. He told SC: “The message definitely needs to be pushed out there. The people I would like to hear this would be those at the high level in the businesses, those who are responsible for running the business to start to say, ‘I've just heard this on the news', and ask those below them the right questions – ‘does this provide us with security or, if not, what's the exposure'?”

Symantec has publicised the failings of AV as it moves towards a broader range of threat protection products, after ousting its CEO Steve Bennett in March.

But experts are concerned that the theme ‘anti-virus is dead' may push people too far towards using solely intelligence-based security incident detection and response tools.

Leading industry expert Ruggero Contu, research director at Gartner, emphasised that AV and anti-malware defences still play a role.

He told SC via email: “While it is true that the effectiveness of traditional anti-malware controls has gradually been decreasing over time, particularly as a result of the rise of advanced targeted attacks, there is still the need for endpoint anti-virus tools.”

Contu added: “Organisations' security posture should include processes and tools that go beyond the traditional endpoint security stance and try to leverage threat intelligence, APT and a comprehensive vulnerability management approach.”

John Walker said: “Anti-virus or anti-malware still has a part to play so what shouldn't be taken from that statement is ‘OK, we throw it away and don't use it,' because it still provides an element of protection. Security is holistic, it's all of the above and more, utilising everything in the toolset, not depending on a tool in the toolset.”

Brian Honan agreed: “Anti-virus will still play a role. In today's threat environment you need a multi-layered defensive strategy.”

But Honan also questioned the wisdom of Dye's comments, saying: “That statement won't come as a surprise to people within the security industry. But it may come as a surprise to consumers or those who may already be Symantec customers, who have now been told the products they've been buying from Symantec and who they recognise Symantec for, are effectively dead.”

Walker said: “What people need to do is hear a message that's not based on vendor speak or competitive advantage; they need to hear a message that's consistent. They should be telling businesses the truth about anti-virus and what it means in real terms and giving them some positive direction. What we don't need is vendor scaremongering to get their own advantage.”

The inadequacy of ‘AV-only' was emphasised in a May 5 blog by FireEye's Zheng Bu and Rob Rachwald who pointed out that 82 per cent of malware disappears after one hour. “With the half-life of malware being so short, we can draw the conclusion that the function signature-based AV serves has become more akin to ghost hunting than threat detection and prevention,” they said.

They explained: “Malware is developed, QA'd against the latest AV signatures, released, and once it is picked up by AV sensors and shared among vendors—the malware dies. The process takes a few days at most. By contrast, anti-virus vendors work in a process that takes a few days to a few weeks. Examining the two ‘supply chains', you quickly see why anti-virus is inherently behind the curve – doomed to chasing ghosts.”
