Palo Alto Networks CTO: anti-virus technology can't stop targeted attacks

News by Dan Raywood

Anti-virus is dead because it is unable to detect attacks properly and is incapable of working on mobile devices, according to Nir Zuk, founder and CTO of Palo Alto Networks.


Zuk told SC magazine that the "15-year-old technology is unable to detect everything on the network" and "does not run on mobile devices".

He added: “Why does it not detect? Because attacks are very different, they are so widespread and, because of that, vendors see them and assume they are bad.

“This was good a few years ago when anti-virus vendors would see an attack and assume that it was propagated to as many machines as possible. But now they are targeted and the attacks are against a small number of companies and to a single user, so anti-virus cannot detect them.

“The attacker can pick up targets by finding out who works for a company via LinkedIn, what they like from Facebook and make them go to a website or receive an attachment from a trusted person - and there is nothing that anti-virus can do about it.”

Zuk said there is a gap in the mobile security market and solutions will come from new companies. “In the same way that Microsoft leads on the OS but is not a mobile or internet player, [mobile] is ruled by Apple and Google. But the market is so big that new vendors will come in,” he said.

David Harley, chief executive of Small Blue-Green World, said it was hard to defend the position that "anti-virus doesn't detect anything", and a more reasonable argument would be that "anti-virus doesn't detect everything".

“Then I would have agreed with [Zuk] and so would every other researcher in the anti-virus business. But then, I have yet to see any '100 per cent' solutions. A totally generic solution may get close to blocking 100 per cent of threats, but will discard some 'true positive' objects,” he added.

“Personally (and in principle) I'd rather advocate a sound combination of defensive layers than advocate the substitution of one non-panacea for another, as vendors in other security spaces sometimes seem to. Actually, a modern anti-virus solution is already a compromise between malware-specific and generic detection, but I still wouldn't advocate anti-virus as a sole solution, any more than I would IPS, or whitelisting, or a firewall.”

Harley also disagreed with the assumption that anti-virus technology does not bother to block non-generic, targeted attacks.

He said: “The sheer number of malicious attacks does mean that anti-virus labs have to prioritise to some extent, but that prioritisation is rather more complex than that and it is far from the only factor in detection. The relationship between a given binary and other malware families, for instance, is a big factor in determining whether that binary is detected at a time when there is no malware-specific detection for it.

“It's quite possible that a single, targeted attack won't be detected initially by many or any anti-virus solutions, especially if it involves the combination of a zero-day and the use of multi-scanning to tweak the binary until no common engine detects it, but to dismiss anti-virus on those grounds is to throw out a whole generation of babies with a very small quantity of bathwater.

“The fact that anti-virus is focused on malicious binaries does make it less effective in attack scenarios that are more generic in nature, but that's why you need multi-layering. Horses for courses.”
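The distinction Harley draws between malware-specific and generic detection, and the "tweak the binary until no common engine detects it" evasion he describes, can be seen in a few lines of code. The script below is an added illustration written for this page; it is not code from Palo Alto Networks, from Harley, or from any anti-virus product. All "binaries" are constructed byte strings, the signature layer is an exact SHA-256 match, and the generic layer is a byte 4-gram Jaccard similarity against a known family sample with an assumed 0.5 threshold; real engines use far richer signatures and heuristics, but the failure modes are the same.

```python
import hashlib
from typing import Dict, Set

# Constructed "known malware" sample: plain bytes standing in for a binary.
# The host name uses the reserved .invalid TLD; nothing here is real.
KNOWN_MALWARE = (
    b"MZ\x90\x00"
    + b"drop_payload:/tmp/.x;"
    + b"beacon=http://c2.invalid/gate.php;"
    + b"sleep=300;"
    + b"\x00" * 16
)

# Constructed sample for a one-off targeted attack that shares no code
# with the known family (only the header and trailing padding overlap).
NOVEL_TARGETED = (
    b"MZ\x90\x00"
    + b"stage1:collect_docs;exfil=dns;"
    + b"\x00" * 16
)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: malware-specific detection. One hash per known sample.
SIGNATURE_DB: Set[str] = {sha256(KNOWN_MALWARE)}


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of overlapping byte n-grams; the basis of the generic layer."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


# Layer 2: generic detection. Similarity to the n-grams of a known family.
FAMILY_NGRAMS: Set[bytes] = ngrams(KNOWN_MALWARE)


def family_similarity(data: bytes) -> float:
    """Jaccard similarity between this sample and the known family."""
    grams = ngrams(data)
    union = grams | FAMILY_NGRAMS
    return len(grams & FAMILY_NGRAMS) / len(union) if union else 0.0


def scan(data: bytes, threshold: float = 0.5) -> Dict[str, object]:
    """Run both layers and combine them; either hit is a detection."""
    sig_hit = sha256(data) in SIGNATURE_DB
    sim = family_similarity(data)
    generic_hit = sim >= threshold  # assumed threshold for this illustration
    return {
        "signature": sig_hit,
        "generic": generic_hit,
        "similarity": round(sim, 3),
        "verdict": "malicious" if (sig_hit or generic_hit) else "unknown",
    }


def attacker_tweak(data: bytes) -> bytes:
    """One of the small edits an attacker iterates on between scanner runs:
    change the beacon interval and append padding. The hash changes, but
    almost all of the bytes (and so the n-grams) stay the same."""
    return data.replace(b"sleep=300;", b"sleep=301;") + b"\x00" * 8


def evade_signatures(data: bytes, max_rounds: int = 8) -> bytes:
    """Multi-scanning loop: keep tweaking until the signature layer misses."""
    for _ in range(max_rounds):
        if sha256(data) not in SIGNATURE_DB:
            return data
        data = attacker_tweak(data)
    return data


if __name__ == "__main__":
    for name, sample in (
        ("known sample", KNOWN_MALWARE),
        ("tweaked variant", evade_signatures(KNOWN_MALWARE)),
        ("novel targeted", NOVEL_TARGETED),
    ):
        print(f"{name:16} {scan(sample)}")
```

Running it shows the three cases the article argues over: the known sample is caught by the signature layer, the tweaked variant slips past the hash but is still caught by family similarity (the "relationship between a given binary and other malware families" Harley mentions), and the genuinely novel targeted sample is missed by both, which is exactly the gap that a further layer (network controls, whitelisting, user hardening) has to cover.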

