If you pick the average person off the street and ask them about information security, most of them will likely associate the term with the antivirus software on their computers. Most "civilians" are unfamiliar with terms such as "HIPS," "IDS," "IPS" and the vast assortment of other security products commonly in use. Those sorts of things operate behind the scenes. But, AV packages are widely deployed and are often offered free of charge when you buy a new computer -- at least for the first 30 days.
But, as the malware war continues to escalate, it is reasonable to question the level of effectiveness that antivirus software, as a category, brings to the table.
"When last I looked, there were 78,500,000 unique instances of malware, according to AV-Test.org," said Paul Henry, security and forensic analyst at Lumension, a Scottsdale, Ariz.-based endpoint security company. "How in the world is anyone going to keep up with the signatures to inspect that large of a database?"
According to a survey released by FireEye, a Milpitas, Calif.-based company that specializes in defense against advanced targeted threats, malware that can slip through signature-based detection has nearly quadrupled in the past year alone.
"The problem with signature-based defenses is a scaling issue," explained Ali Mesdaq, security researcher at FireEye. "There are so many new exploits coming out every day that the signature databases can't scale to that level. Some sort of technology development will be needed before they will be able to handle the rapid increase in volume."
Meanwhile, a separate survey, conducted by Carbon Black, a Sterling, Va.-based vendor that focuses on security-related data collection, suggests that in most cases, just about any malware sample will be detected by at least one of the 43 antivirus packages on the market today. The bad news is that whether the specific sample is caught by the specific AV package on your customers' systems is nearly a matter of chance.
The Carbon Black team then tested how long it would take for the individual AV packages to catch up with the ones they had missed. "The results were a big surprise to us," said CEO Mike Viscuso. "What we found was that if an antivirus package did not detect the virus within the first week, it probably never would."
Carbon Black's Viscuso estimates that virus traffic is growing at a rate of 783,000 new samples each day. Therefore, whatever signatures are missed on any given day will have to compete with all the new ones coming online tomorrow and the next day. Viscuso added that even if you could somehow keep up with the growth, the resulting performance hit on the individual machines would be far worse than the market would bear.
"That leads us to believe that customers should leverage the signature databases of multiple AV packages, as opposed to just one," said Viscuso. "In many cases, the AV products don't allow you to run more than one on a single machine. So, channel partners and customers should use a service that can scan all those binaries so that even if your particular antivirus isn't catching it, maybe the other one will."
Henry, from Lumension, argues that many machines are not adequately protected because we are relying on failed technologies that are erroneously considered to be a best practice.
"Firewalls are another example," he said. "For the last 20 years, we've used things like port-centric firewalls. If they wanted to block somebody from going to the Internet, we would block port 80. So, that just means the bad guys need to reconfigure their software to use port 79 because they left port 79 open."
Henry suggests that enterprises move towards a positive model for security in which they identify what is allowed to run, as opposed to a negative model for security in which they identify what is not allowed to run -- as is the case with antivirus.
"In a white-listing environment you have to approve a given piece of software, or even a script, to run in this environment," he said. "Beyond that, you also have to validate that nothing is changed with that piece of software. In other words, the signature for that software needs to be trusted. If it's not trusted, then it's not allowed to run. It's more work to deploy software in an environment like this. The administrative burden is a lot higher than just turning on antivirus. But, the level of security is much improved."
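The contrast Henry draws, as an added illustration that is not code from the article or from Lumension: a negative model (a denylist of known-bad hashes, standing in for AV signatures) beside a positive model (an allowlist recording the hash of each approved program, so a modified binary is no longer trusted). The "binaries" are constructed byte strings, and SHA-256 stands in for whatever trust signal a real product uses.

```python
import hashlib

# Constructed sample "binaries": these bytes stand in for files on disk.
TRUSTED_EDITOR = b"trusted editor build 4.2"
TROJANIZED_EDITOR = TRUSTED_EDITOR + b"\x90 injected payload"   # same name, changed bytes
KNOWN_BAD = b"known malware sample 17"                           # already has a signature
BRAND_NEW_MALWARE = b"malware nobody has a signature for yet"    # one of tomorrow's samples


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Negative model (antivirus): a denylist of signatures for malware already seen.
DENYLIST = {sha256(KNOWN_BAD)}

# Positive model (white-listing): every approved program is recorded with the
# hash of the exact bytes that were approved, so any change invalidates it.
ALLOWLIST = {"editor.exe": sha256(TRUSTED_EDITOR)}


def denylist_allows(data: bytes) -> bool:
    """AV-style check: run unless the hash matches a known-bad signature."""
    return sha256(data) not in DENYLIST


def allowlist_allows(name: str, data: bytes) -> bool:
    """White-list check: run only if approved AND unchanged since approval."""
    return ALLOWLIST.get(name) == sha256(data)


def compare(name: str, data: bytes) -> dict:
    """Decision of each model for one candidate program."""
    return {"denylist": denylist_allows(data), "allowlist": allowlist_allows(name, data)}


if __name__ == "__main__":
    for label, name, data in [
        ("trusted editor", "editor.exe", TRUSTED_EDITOR),
        ("trojanized editor", "editor.exe", TROJANIZED_EDITOR),
        ("known malware", "invoice.exe", KNOWN_BAD),
        ("brand-new malware", "invoice.exe", BRAND_NEW_MALWARE),
    ]:
        print(f"{label:18} -> {compare(name, data)}")
```

The denylist passes both the tampered editor and the never-before-seen sample, which is exactly the scaling gap the article describes; the allowlist blocks both because neither matches an approved hash.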
Henry added that, despite his point of view, the market for antivirus products will remain strong because AV technology is typically required by standards bodies. "If they went out and just did white listing, they would be non-compliant," he said.
"I'm not saying throw away antivirus," Henry added. "I'm saying complement antivirus with white listing. It's simply a smarter way to go."
Meanwhile, Cameron Camp, a security researcher with AV vendor ESET, says that antivirus might not solve the complete needs of IT security, but it is one more component in a strategy of defense in depth.
"Endpoint security is not a silver bullet, but that does not mean that you shouldn't put a lock on your front door," he said. "You really have to get inside the mind of this kind of attacker and understand what it is that they are after. Look for uncharacteristic exfiltration -- especially exfiltration that peaks during non-business hours that are probably business hours in the country to which the data is going."
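Camp's advice to look for exfiltration that peaks outside business hours, as an added example that is not ESET's code or part of the article: it sums outbound bytes per hour from constructed egress records and flags off-hours buckets that dwarf the business-day baseline. The business day (09:00 to 17:59 local) and the spike factor are assumptions to tune for the environment.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed egress flow records, "timestamp,src,dst,bytes_out" (not real data).
LOG = """\
2012-10-02T10:15:00,10.0.0.5,203.0.113.10,120000
2012-10-02T11:40:00,10.0.0.5,203.0.113.10,95000
2012-10-02T14:05:00,10.0.0.7,198.51.100.20,140000
2012-10-02T16:30:00,10.0.0.7,198.51.100.20,110000
2012-10-02T02:10:00,10.0.0.5,198.51.100.77,3900000
2012-10-02T02:45:00,10.0.0.5,198.51.100.77,4200000
2012-10-02T03:20:00,10.0.0.5,198.51.100.77,3800000
"""

BUSINESS_HOURS = range(9, 18)  # assumed local business day, 09:00-17:59


def parse(log: str) -> list:
    """Turn the CSV-style records into (datetime, src, dst, bytes) tuples."""
    rows = []
    for line in log.strip().splitlines():
        ts, src, dst, nbytes = line.split(",")
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def egress_by_hour(rows: list) -> dict:
    """Total outbound bytes per hour of day."""
    hourly = defaultdict(int)
    for ts, _, _, nbytes in rows:
        hourly[ts.hour] += nbytes
    return dict(hourly)


def off_hours_spikes(rows: list, factor: int = 5) -> list:
    """Off-hours buckets whose egress exceeds factor x the business-hours median.
    With no business-hours traffic to compare against, any off-hours egress is flagged."""
    hourly = egress_by_hour(rows)
    business = [v for h, v in hourly.items() if h in BUSINESS_HOURS]
    baseline = median(business) if business else 0
    return sorted(h for h, v in hourly.items()
                  if h not in BUSINESS_HOURS and v > factor * baseline)


def destinations_during(rows: list, hours: list) -> list:
    """Where the flagged traffic went, the first thing an analyst checks next."""
    return sorted({dst for ts, _, dst, _ in rows if ts.hour in hours})
```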
Camp points to IDS and IPS devices as an important component in defense in depth. "Most people don't need super-fast deep packet inspection. But, even less expensive IDS and IPS devices provide a level of security, just like endpoint products provide a level of security. By having these sprinkled throughout your environment, you stand a vastly superior chance of detecting problems and collecting evidence. You want to demonstrate that you've done due diligence, and that goes very far with investors."
PUBLISHED OCT. 3, 2012