In a sensational letter to the WSJ two months ago, a Symantec official declared anti-virus to be dead. Well, it’s about time. Antivirus has been kept on artificial life support for too long now, and it’s finally time to put it out of its misery.
Twenty-five years ago, anti-virus was an emerging technology. It was basically software that looked for string patterns within files, patterns that had been extracted from a previously identified “virus”. Many did not believe such software was necessary, and some even speculated that the sporadic viruses (as malware was called at the time) that surfaced from time to time were actually created and magically distributed by the start-up companies trying to push AV technologies. Those trying to avoid the expense of a strange new technology said that with a calendar of expected virus outbreaks (obtained from an obscure BBS) they could avoid the potential damage by simply turning off their computers on certain days. Soon enough, though, everyone had to acknowledge that AV was in fact the best technology at hand against malware damage, whether from (almost) harmless pranks like Ping Pong or from more serious BIOS-obliterating programs like CIH. Believe it or not, the first AV updates were pushed to customers on physical media through standard (non-“e-”) mail.
Twenty or so years have passed since then. Today enterprise computers are all connected to enterprise networks, enterprise networks to one another through the Internet, and, lo and behold, there are those sneaky devices that jump between networks (we fondly call them mobile devices and BYOD). AV solutions have adapted to many of these changes over the years. Vendors are now able to process huge numbers of files and almost automatically extract the distinguishing patterns that will become part of the next signature update. Pattern-matching engines have become more powerful (to accommodate the larger set of patterns) and more complex (to look inside different file formats, such as compressed archives). But at its heart the technology has remained the same: looking for string patterns of previously observed software that was somehow identified as malware.
In a simple study we performed in the second half of 2012, we tested the ability of 40 different AV solutions to detect a random set of malware samples collected from places all over the web. We repeated the experiment with the same set of samples on a weekly basis for 6 weeks. Results were depressing to anyone who relied on AV as their primary protection for enterprise data. Only one of the products used was able to detect all samples AFTER 6 weeks. None of them were able to detect all of the samples in the first week. Other parameters we measured in our study only amplified this dismaying picture. It turned out that AV software was adapting to all but the change in the threat model.
AV technology was effective years ago, when writing viruses was the practice of a few. Most malware relied on self-replication back then, within a network or by hitching a ride on shared media, and most infections were transmitted through physical interaction. The computing model of the day was end-point centric as well: the most valuable data resided on the user’s workstation, so it was natural for protection to be end-point centric too.
Today’s threat landscape is quite different. Malware variants are generated on an ad hoc basis by programs and servers all over the world, and distribution is achieved mostly through infected hosts or through email messages. Attackers almost never use the same malware sample twice, so a signature becomes useless at precisely the moment it is created, and that moment is usually hours or days after infections have already started to occur. However, this is not the saddest thing that could happen to AV software. BYOD and unmanaged end-points are. As if losing its effectiveness on managed devices were not bad enough, AV software has (inherently) no value for unmanaged devices connected to your network. In a threat landscape where most of your valuable assets are not tied to a specific end-point but rather stored in your data center, physical or virtual, a solution that does nothing about the threat coming from unmanaged devices has sharply reduced effectiveness.
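To make concrete what “looking for string patterns of previously observed software” means in practice, and why a variant generated per campaign defeats it, here is an added example that is not code from the original post or from Imperva: a toy signature scanner in Python that matches byte patterns in a blob and recursively inside zip archives (with a depth limit and a member-size cap, the two checks you need before inflating attacker-supplied archives), followed by a trivially re-encoded variant of the same payload that the scanner no longer sees. The signature names, byte patterns, sample file contents and the decoder “stub” are all constructed for illustration; the stub is a placeholder, not working decoder code.

```python
"""Toy signature scanner: verbatim byte-pattern matching, recursion into zip
archives, and a re-encoded variant of the same payload that evades it."""
import io
import zipfile

# Constructed "signatures" for this demo only; these are not real AV definitions.
SIGNATURES = {
    "Demo.Dropper.A": b"CreateRemoteThread\x00WriteProcessMemory",
    "Demo.Stealer.B": b"http://evil.example/gate.php",
}

MAX_DEPTH = 3                      # nested archives deeper than this are not opened
MAX_MEMBER_SIZE = 8 * 1024 * 1024  # never inflate a member larger than this (zip-bomb guard)


def scan_bytes(data: bytes) -> list[str]:
    """Classic signature scan: every known pattern that occurs verbatim in `data`."""
    return sorted(name for name, pattern in SIGNATURES.items() if pattern in data)


def scan_blob(data: bytes, depth: int = 0) -> list[str]:
    """Scan a blob, descending into zip archives up to MAX_DEPTH levels."""
    if depth < MAX_DEPTH and zipfile.is_zipfile(io.BytesIO(data)):
        hits: set[str] = set()
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.file_size > MAX_MEMBER_SIZE:
                    continue  # skip oversized members instead of inflating them
                hits.update(scan_blob(zf.read(info), depth + 1))
        return sorted(hits)
    return scan_bytes(data)


def pack_zip(members: dict[str, bytes]) -> bytes:
    """Build an in-memory zip archive; used here only to construct inputs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def make_variant(payload: bytes, key: int) -> bytes:
    """Emulate per-campaign repacking: XOR-encode the payload under a fresh key.

    Behaviour is unchanged (a real decoder stub would restore the payload in
    memory), but no byte sequence of the original survives, so every string
    signature misses. The stub bytes are a constructed placeholder, not code.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be a non-zero byte")
    stub = b"DEMO-STUB\x00" + bytes([key])
    return stub + bytes(b ^ key for b in payload)


def demo() -> dict[str, list[str]]:
    """Run the scanner over a constructed sample and its packaged/re-encoded forms."""
    sample = b"MZ\x90\x00" + b"\x00" * 16 + SIGNATURES["Demo.Dropper.A"] + b"\x00" * 8
    return {
        "plain sample": scan_blob(sample),
        "inside zip": scan_blob(pack_zip({"invoice.exe": sample})),
        "zip in zip": scan_blob(pack_zip({"inner.zip": pack_zip({"invoice.exe": sample})})),
        "re-encoded variant": scan_blob(make_variant(sample, 0x5A)),
    }


if __name__ == "__main__":
    for label, hits in demo().items():
        print(f"{label:>20}: {hits or 'no detection'}")
```

The first three cases show the engine doing exactly what the text describes, including the archive-walking that modern engines bolted on. The last case is the point of the paragraph: one XOR key change yields a sample with identical behaviour and zero bytes in common with the signature, and a new signature written for it would in turn miss the next key. A real scanner would also need to handle the decoder stub (emulation or unpacking), which is precisely where signature matching stops being cheap.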
Modern security solutions operate on the assumption that some end-points within the organization’s network have already been compromised by malware. Some try to identify infected machines within the network, and some try to mitigate the effect of such compromise by closely protecting the data repositories. At times such solutions even work together, isolating infected machines from sensitive data repositories quickly and effectively. AV has served us well for 20 years, but it’s time to say goodbye and move on. Enterprises must re-purpose much of their AV budgets into a modern solution. The only thing I wonder is which security technology we need to retire next. (For some thoughts, please refer to my recent research report.)
By Amichai Shulman, CTO, Imperva
Imperva, pioneering the third pillar of enterprise security, fills the gaps in endpoint and network security by directly protecting high-value applications and data assets in physical and virtual data centers. With an integrated security platform built specifically for modern threats, Imperva data center security provides the visibility and control needed to neutralize attack, theft, and fraud from inside and outside the organization, mitigate risk, and streamline compliance. Over 3,100 customers in more than 75 countries rely on our SecureSphere® platform to safeguard their business. Imperva is headquartered in Redwood Shores, California. Learn more: www.imperva.com.