Feb 25 2015

Anti-virus Is Not Enough

It used to be, when you bought a new computer for home or deployed a new machine in an office environment, the only security commonly deployed was an anti-virus package. You had your choice of any number of the popular vendor offerings, as the big dogs were all too eager to bundle their software with a PC builder’s machine to get a foothold. McAfee, Norton and Symantec were quite prevalent, and the yearly subscriptions became the norm. And these and other firms preyed on fear tactics to sell more and more, and as people bought into the hype, everyone thought their machines were now safe.

That was then, this is now.

Anti-virus Is Dead!

Well, not exactly, but if you continue to rely only on signature-based solutions, such as anti-virus, then you are leaving your systems vulnerable to advanced threats. By some estimates, millions of new pieces of malware are created every year. In 2011, Kaspersky estimated seeing 70,000 new instances per day. That works out to over 25 million per year, and things have likely only accelerated since that time. While many of these pieces are simply variants of existing malware, a good portion is genuinely new. So it is simply a matter of numbers to understand why anti-virus is a losing game: with so many new pieces of malware, it is impossible for any one anti-virus vendor to keep up.

Subscription services such as VirusTotal up the anti-virus game a little. Such a service leverages the power of many different anti-virus engines (I think currently around 50) in a virtualized environment to scan a suspicious file. Results are given as a count of positive detections over the total number of scan engines used. But again, end-point security software that utilizes this cloud-based scanning approach has flaws. With so many detection engines, many of which are from very small companies, how can we be sure a positive match is really positive? What threshold is used to perform follow-on actions or provide alerting? 1/50? 5/50? 10? Too high and you may miss a real positive, but too low and you could have to deal with many false positives. You are also at the mercy of the cloud company to keep all of these engines fully up to date.
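To make the threshold trade-off concrete, here is an added example (not code from the original post, and not VirusTotal's API) that sweeps a detection-count threshold over a constructed set of scan verdicts and counts what each threshold misses versus what it falsely flags. It also shows a two-tier policy (alert at a low count, block at a high count) as one way to answer the "what threshold for follow-on actions" question. The sample hashes, engine counts and ground-truth labels are constructed for illustration.

```python
"""Threshold trade-off for multi-engine scan verdicts (added example).

Not from the original post or from VirusTotal; all sample data below is
constructed. Ground truth (is_malicious) is only known because we made it up.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScanResult:
    sample_id: str       # constructed label standing in for a file hash
    is_malicious: bool   # constructed ground truth for evaluation only
    detections: int      # number of engines that flagged the file
    engines: int         # number of engines that scanned the file

    @property
    def ratio(self) -> float:
        """Detections over engines, the figure services like VirusTotal report."""
        return self.detections / self.engines


# Constructed sample set covering the cases the post worries about.
SAMPLES = [
    ScanResult("sample-a", True, 41, 50),   # well-known family, nearly every engine hits
    ScanResult("sample-b", True, 3, 50),    # fresh variant, only three engines have a signature
    ScanResult("sample-c", False, 2, 50),   # benign installer, two small engines false-positive
    ScanResult("sample-d", False, 0, 50),   # clean file
    ScanResult("sample-e", False, 6, 50),   # packed benign admin tool, heuristic false-positives
]


def flagged(result: ScanResult, threshold: int) -> bool:
    """Single-threshold rule: treat the file as malicious at >= threshold hits."""
    return result.detections >= threshold


def evaluate(samples, threshold: int):
    """Return (missed, false_alarms) for one threshold.

    missed        = malicious samples the rule does NOT flag
    false_alarms  = benign samples the rule DOES flag
    """
    missed = sum(1 for s in samples if s.is_malicious and not flagged(s, threshold))
    false_alarms = sum(1 for s in samples if not s.is_malicious and flagged(s, threshold))
    return missed, false_alarms


def sweep(samples, thresholds=(1, 5, 10)):
    """Map each candidate threshold to its (missed, false_alarms) outcome."""
    return {t: evaluate(samples, t) for t in thresholds}


def action(result: ScanResult, alert_at: int = 3, block_at: int = 10) -> str:
    """Two-tier policy: cheap follow-up (alert) at a low count, blocking at a high one.

    The low tier catches weak signals like sample-b without automatically
    quarantining every file that two small engines happen to dislike.
    """
    if result.detections >= block_at:
        return "block"
    if result.detections >= alert_at:
        return "alert"
    return "allow"


if __name__ == "__main__":
    for t, (missed, fa) in sweep(SAMPLES).items():
        print(f"threshold {t:>2}: missed={missed} false_alarms={fa}")
    for s in SAMPLES:
        print(f"{s.sample_id}: {s.detections}/{s.engines} ({s.ratio:.0%}) -> {action(s)}")
```

Running the sweep shows the tension directly: a threshold of 1 misses nothing but raises two false alarms, 10 raises none but misses the fresh variant, and 5 splits the difference while still getting both wrong once. The tiered policy is not a fix for weak engine coverage; it only routes the ambiguous middle to a human or a behavioural check instead of forcing a binary call.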

It is worth noting that many large companies, Fortune 500 firms, have an interesting approach when it comes to breaches and vulnerabilities. They basically expect that their systems will be compromised: that no matter what security and what software they put in place, things are going to happen and they will not be able to keep all the bad things out. So they have basically begun to expect intruders, and are moving toward an approach of planning out how rapidly a response can be deployed in order to minimize damage. It may work for them, but it does not have to work for everyone. Perhaps one cannot identify, isolate and eliminate all threats to their environment, and we can agree that every firm, especially in light of the Sony fiasco, should have a planned-out, well-rehearsed threat management and response plan. But should you live in a mindset where you expect you are going to be breached?

For the record, I am not totally against anti-virus. It should still have a place in any organization's overall defense-in-depth strategy. Signature-based solutions are quick and efficient (although sometimes the software itself is not). Also, for the malware that these major anti-virus companies have identified, removal is generally pretty easy. But new tools are needed to deal with more advanced threats. What we are advocating is not a passive "we will be defeated" position. Nor are we suggesting that IT teams put all of their eggs solely in the AV basket. On the contrary, what we would recommend is a multi-faceted approach that leverages the strengths, capabilities and features of a number of different product suites in order to build a more diverse and robust enterprise defense.

Real-time end-point monitoring, looking beyond just the files themselves, is becoming a more popular and powerful method to detect unknown threats. While heuristics and behavioral monitoring have been around for a long time, new approaches have made these methods much more reliable and less likely to create false positives. By understanding how malware behaves compared against normal software behavior, many inferences can be made when certain behaviors are observed. This is one approach that Heilig Defense's Correlate end-point solution takes. It uses a holistic view of the end-point to determine whether something is normal or out of the ordinary. Coupled with patent-pending APT detection technology, Correlate is able to look deeper and understand the system better.
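As an added illustration of the behavioral idea above (this is example code written for this page, not Heilig Defense's Correlate or any other product's implementation), the block below learns a per-process baseline from a constructed set of "normal" end-point events, scores new events by how far they depart from that baseline, and then correlates the scores along the parent/child process chain so that several small oddities in one lineage outrank a single isolated one. Event tuples, process names, paths and the point weights are all constructed assumptions.

```python
"""Baseline-and-correlate scoring of end-point events (added example).

Not Correlate's or any vendor's code. Events are (process, action, target)
tuples constructed for this example; actions are file_write, net_connect,
reg_write and proc_spawn. Point weights are arbitrary illustrative choices.
"""
from collections import defaultdict

# Constructed events recorded during a quiet baseline period.
BASELINE_EVENTS = [
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\report.docx"),
    ("winword.exe", "net_connect", "office.example:443"),
    ("svchost.exe", "net_connect", "update.example:443"),
    ("svchost.exe", "reg_write", r"HKLM\SOFTWARE\Vendor\Update"),
    ("explorer.exe", "proc_spawn", "winword.exe"),
]

# Constructed events under observation: one lineage drifts from its baseline.
OBSERVED_EVENTS = [
    ("winword.exe", "file_write", r"C:\Users\alice\Documents\memo.docx"),      # normal
    ("winword.exe", "file_write", r"C:\Users\alice\Downloads\draft.docx"),     # new directory
    ("winword.exe", "proc_spawn", "powershell.exe"),                           # action never seen
    ("powershell.exe", "file_write", r"C:\Users\alice\AppData\Roaming\x.exe"), # process never seen
    ("powershell.exe", "reg_write", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"),
    ("svchost.exe", "net_connect", "cdn.example:443"),                         # new host only
]


def target_class(action, target):
    """Coarsen a concrete target so the baseline generalises past exact values."""
    if action == "file_write":
        return target.rsplit("\\", 1)[0]           # directory, not file name
    if action == "net_connect":
        return target.split(":", 1)[0]             # host, not port
    if action == "reg_write":
        return "\\".join(target.split("\\")[:2])   # hive + top-level key
    return target                                   # proc_spawn: child image name


def build_baseline(events):
    """process -> {action -> set of target classes} seen during normal operation."""
    profile = defaultdict(lambda: defaultdict(set))
    for proc, action, target in events:
        profile[proc][action].add(target_class(action, target))
    return profile


def score_event(profile, proc, action, target):
    """Return (points, reason). Unknown process/action outweighs a merely new target."""
    if proc not in profile:
        return 3, f"{proc}: process never seen in baseline"
    if action not in profile[proc]:
        return 3, f"{proc}: never performed {action} in baseline"
    cls = target_class(action, target)
    if cls not in profile[proc][action]:
        return 1, f"{proc}: {action} to new location {cls}"
    return 0, "matches baseline"


def score_processes(profile, events):
    """Sum points per process, then roll each spawned child's score into its parent.

    The roll-up is the correlation step: winword.exe alone looks only mildly odd,
    but winword.exe plus what its child does looks like a pattern. One level of
    roll-up is enough for this constructed chain; a real system would walk the tree.
    """
    scores, reasons, parent_of = defaultdict(int), defaultdict(list), {}
    for proc, action, target in events:
        if action == "proc_spawn":
            parent_of[target] = proc
        points, why = score_event(profile, proc, action, target)
        if points:
            scores[proc] += points
            reasons[proc].append(why)
    for child, parent in parent_of.items():
        scores[parent] += scores.get(child, 0)
    return dict(scores), dict(reasons)


def flag(scores, threshold=5):
    """Processes at or above threshold, highest score first."""
    hits = [(p, s) for p, s in scores.items() if s >= threshold]
    return [p for p, _ in sorted(hits, key=lambda ps: (-ps[1], ps[0]))]


if __name__ == "__main__":
    prof = build_baseline(BASELINE_EVENTS)
    sc, why = score_processes(prof, OBSERVED_EVENTS)
    for p in flag(sc):
        print(f"{p} score={sc[p]}")
        for line in why.get(p, []):
            print("   ", line)
```

The point of the roll-up is the "holistic view" the paragraph mentions: svchost.exe touching one new host scores a single point and is never flagged, and winword.exe's own events only reach four, but once its child's activity is attributed back to it the lineage clearly stands apart from everything in the baseline. Baseline quality is the real caveat here; a baseline captured while something unwanted was already running will teach the scorer that the unwanted behaviour is normal.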