Proactive security: is one technology enough?

Opinion by Lysa Myers

It's becoming a daily occurrence - another day, another article about how anti-virus is unfit for the task of protecting customers against different types of attacks.

Instead, you should be applying X, Y, or Z brand-new bleeding-edge malware detection technology. Yes, there is an ever-growing tidal wave of malware, which is not going to slow down any time soon (if ever). No, anti-virus on its own is not enough (nor was it ever intended to be) for the sole protection of any network.

For that matter, neither is any other technology a panacea of protection. But does that mean we need to invest in a totally new technology at the expense of more traditional measures?

It depends, naturally, on the needs of your network or your company policy. But, barring some very uncommon set of circumstances, anti-virus is still a very useful tool that many organisations are not using to full advantage.

Traditional anti-virus is intended to do two things: identify and remove known malware. I would be hard-pressed to imagine a situation where a network has no need of identifying machines that are harbouring known malicious files – even if they have a forensics team to find out precisely what malware has done or is capable of doing, or even if they also format and re-image all machines that have been compromised.

Likewise, anti-virus is helpful for filtering known-bad content. Whether it's only filtered at the gateway or also at the desktop, it can be a way of easing network congestion.

Yet security should not stop at anti-virus, as this only attacks one aspect of information security. Proactive security requires both intelligence and containment. If anti-virus only detects known malware, what do you do about unknown malware? Many traditional AV vendors now offer fully-fledged security suites, with firewalls and various other behavioural or reputational scanning components.

If you're buying an enterprise-level anti-virus product, you are almost definitely getting some of these features, and there are plenty of other types of security companies that offer standalone versions of these types of tools, which means there are many excellent tools to choose from.

If you're not familiarising yourself with all the features in your existing product or the other well-established products on the market, you may not know what you already have. Those 'bleeding-edge technology' purchases may well be fruitless or redundant, trading well-tested technology for something whose weaknesses are not yet known.

If you're using all of the technology you have and you're still having more security incidents than you would like, you need to get more intelligence about what's happening in your network. Do you know how these incidents are happening? Is it a particular group or individual, or a particular type of network traffic? Can (or should) the problem be solved without resorting to additional purchases? Once you have gathered some data, you can make meaningful decisions and purchases.

Rage-quitting poorly applied protective technologies is a great way to shoot yourself in the foot. Most companies fail both to apply traditional tools and to gather security incident information adequately, and criminals are easily able to slip through the cracks. Once you've covered both bases, you can make useful and informed decisions about seeking out hot, new tools.

Lysa Myers is a virus hunter for Intego

