Over the past few months I had the opportunity to attend several awesome conferences and meetups. One concept that keeps rearing its head is that “antivirus is dead.” I’m guessing this comes up a lot because of its reliance on a reactive signature-based approach. As most of us probably know, this method doesn’t work well because signatures are written in response to current attacks instead of being proactive. All a person has to do is take an existing attack and change it enough that the signature no longer matches, and it isn’t detected anymore. It’s your classic cat & mouse game.
Well, maybe back in the old days when we had to look at that smug Norton guy on the face of all the boxes in Micro Center, the cat & mouse issue was true. However, vendors have continued to evolve their products (e.g., the incorporation of behavior-based detection) to address the ever-changing attack techniques. Yeah, antivirus products might be behind the leading edge of attacks, but at least they help us in keeping up. I liken the issues we have with antivirus to the complaints we have with passwords. Yes, passwords suck at providing perfect security and we all know that. But guess what … they do a pretty decent job of keeping most people away from what they shouldn’t have access to. Want more security? Then come up with a better authentication solution that industry (and the rest of the world) will follow.
A recent post over on the SANS Computer Forensics blog by Rob Lee further cemented the “antivirus is dead” concept. Rob detailed how he led a team of whitehats through a simple attack sequence developed for one of his classes. And guess what … the antivirus systems didn’t flinch one bit. This article really hit hard because I had been working on this post detailing how antivirus was in fact NOT dead. Although Rob’s research and conclusions make sense in his specific scenario, I still believe that antivirus is NOT dead for the vast majority of us. I guess my litmus test is that I would never bet my career on telling a large government customer to forgo implementing any antivirus solution.
There are plenty of ways around antivirus, but I stick by the fact that it will at a minimum catch much of the low-hanging fruit that novices or automated attack tools use. In the best cases, data captured through antivirus tools also complements the data gathered from other network- and host-based security and non-security systems to paint a clearer operational picture of the entire enterprise. With a better understanding of what’s going on in the environment, analysts can more easily discover anomalies that might have been harder to find otherwise.
I’ve also seen antivirus used as a stop-gap between when vendors disclose a vulnerability or exploit and when they distribute a patch. The vendor simply distributes a new attack signature, and enterprise admins who quickly push it out are able to lower the risk of attacks against their infrastructure almost immediately. Someone could still change the attack sequence and you get into the traditional cat & mouse game again, but at least this keeps the enterprise ahead of HD Moore’s law.
It’s easy to just sit back and say antivirus is dead because it doesn’t provide the perfect solution … but it’s a lot harder to live without it. Antivirus isn’t the proverbial “silver bullet”; however, used as part of a comprehensive defense-in-depth strategy, it will continue to benefit corporate and personal environments for some time.
Would you recommend to your big government clients to forgo running ANY antivirus solutions? If so, let us know what your arguments would be in the comments below. Today’s post pic is from UXSuccess.com.