Antivirus Isn’t Dead, But It’s No Panacea

It should come as no surprise that antivirus solutions on their own are not equipped to deal with many of the threats we see today. Norton Antivirus stated as much back in 2014 when it famously declared, “Antivirus is dead.” The claim was not an indication that such products would be discontinued, but more an admission that protections need to evolve to keep up with increasingly sophisticated threats. A Norton representative asserted that traditional antivirus detected only 45% of all attacks. Even by 2014 standards, that figure seems optimistic. Today, more conservative estimates put the number at somewhere between 20-40%.

Despite antivirus being deployed globally on virtually every endpoint, breaches are still on the rise. Detecting and preventing malicious activity remains vital, but many of the sophisticated attacks we see today can penetrate PCs despite the presence of up to date antivirus solutions. Antivirus’s roots go back to 1987. It’s based on binary signatures i.e. hashes used to identify specific files. Signatures have become less effective over time as modern threats are able to constantly evolve to evade such detections.

If antivirus is no longer effective against many of today’s threats, why is it still the first line of defense for most organizations? One reason is due to the nature of regulatory, governance and compliance regulations, which mandate its use. Antivirus products have also evolved over time to include features such as heuristics, or the ability to identify threats which have no matching signature, but are similar to ones that do. Unfortunately, these have a very high false positive rate, and result in bloated installations that consume unnecessary hard drive space and CPU cycles. Vendors have also built portfolios of security solutions that rely on the installation of their own antivirus product, resulting in a form of lock-in for customers.

The prevailing reliance on antivirus protection results in a number of security issues which need to be addressed. Regulatory compliance alone doesn’t guarantee a network is adequately secured. Organizations may be PCI-DSS or HIPAA compliant, yet still need to seek additional controls to mitigate any remaining gaps in the security net. Additionally, as the amount of time and resources taken up by modern antivirus scans has climbed steadily over the years, vendors now allow users to skip or postpone scans. This essentially cancels the basic protection offered by these solutions. Users have also been lulled into believing that network security is only the responsibility of specific teams within an organization. The truth is that we all have a part to play.

If organizations are serious about addressing their security gaps, a number of steps need to be taken. While malware itself is a problem, understanding how it reaches your network is equally important. Most malware is delivered by exploits, programming bugs or vulnerabilities that let an attacker take control over your machine. Preventing these exploits is key to ramping up security efficacy, as is the ability to protect against unknown threats.

First and foremost, users must be educated to never open any attachments or click a link from a source that they can’t absolutely verify. Many seemingly innocent or legitimate-appearing entities turn out not to be so innocent after all. The best protection is to not allow an attacker an “in” to your system in the first place.

Once inside your system, an attacker can use any number of freely available tools to change the hash of a file, rendering your signature-based protections ineffective. Cloud services can then allow files to be uploaded, having first confirmed if antivirus vendors still identify a file as malicious.

Obviously, solutions that look at other indicators such as behavior and traffic patterns are needed. They should lean towards preventing attacks as a first course of action, with detection supplementing those cases which manage to slip through the gaps. Such protection is needed everywhere: endpoints, mobile devices, data centers, cloud, even IoT devices and SCADA.

So how can organizations move forward and focus on what really matters? Antivirus solutions are largely commoditized; they all work more or less the same way and achieve similar results. It doesn’t make a lot of sense to incorporate modern security controls based on how well they integrate with older, less effective products. Wipe the slate clean and evaluate which solutions provide the best protection, then come back and slot antivirus into the mix. By the same token, the main focus should not be on how much installation space is required by modern solutions or even how much CPU or memory they utilize. Newer products offer far greater protection than traditional controls, and such questions do not provide an apples-to-apples comparison.

Antivirus does have its place in network security. It’s a quick and efficient method of identifying known threats, thereby reducing the amount of processing required by more advanced protections. As part of a multi-layered security strategy, antivirus still makes a lot of sense. What’s often needed is for organizations to break out of the mentality of “that’s how we’ve always done things” i.e. relying solely on antivirus, and prioritize solutions that will offer the greatest protection.