Antivirus – Stick a Fork In It?
I am sure by now you have heard the rhetoric statement that Antivirus is DEAD. There has been quote after quote by many technology and security leaders over the last year making the claim. Many facts and figures have been published and according to industry statistics, if your Antivirus software captures 30% of the malware that it encounters, it is doing well. But how can this be, it is still the mandatory requirement for any security audit, regulation and IT department. If it truly is dead, what does that mean for endpoint protection?
What all of this really means is that the way we have been doing it for the last 20 years no longer works and it needs to be fixed. Traditional endpoint security software is a reactive solution designed to stop threats that it is aware of. This is better known as blacklisting. On a regular basis (usually daily) it downloads new virus definitions from various sources to keep its catalogue of known threats up to date. Through continuous scanning and monitoring it stops malicious code when it is discovered. This method has been the accepted method for endpoint and server malware protection since its advent and over time has become almost completely ineffective.
The catalyst for this is two fold. The first is the sophistication of malicious code. While endpoint protection has remained static for the most part, the code it is designed to protect our computers from has become intelligent. New characteristics such as the ability to morph and change signature on the fly have made new threats virtually undetectable. By the time a definition for new code is released, the damage has been done and the signature has changed. Malware has also become intelligent by using common communication ports on the network to move invisibly, receiving commands from a command and control server over the internet. This allows pivoting on the network and data exfiltration to be controlled by a human on the outside.
The second reason that traditional endpoint security has been exposed is due to the mobile worker. In the past, most workers were tied to a desk and when they were mobile, connectivity was not nearly as ubiquitous as it is today. Now users are always connected, and in many cases without the protection of enterprise network security. Attackers have seen this as an opportunity, understanding that the perimeter in most cases is not the best entry point, as it is tightly secure. The endpoint can easily be compromised with a combination of phishing to trick the user and modern malware to gain access. Once the malware has infected the workstation, all an attacker has to do is wait for the user to walk them in the door. Once in, they take advantage of operating system vulnerabilities and pivot their way through the network until they find what they want. The modern attack is from the inside out, and traditional approaches will not cut it.
Like the revolution that has occurred in network security related to advanced persistent threats (ATPs) by ushering in technologies such as next generation firewalls and sandboxing, a revolution is underway at the endpoint. Whitelisting is a necessary approach, the concept of allowing what you know and stopping what you don’t is critical to ensuring that endpoints are not vulnerable to zero day attacks. Big data techniques, behavioral analyses and event correlation are all critical components for detecting malicious activity that, on the surface, appears to be harmless. The next generation of endpoint security will include all of the above techniques and organizations seeking to replace or update their existing endpoint strategy should ensure that the solution they choose includes these capabilities at the endpoint (the entry point) and the server (the target).
Antivirus as we know it may be dead, but endpoint protection is far from it. It has just begun to catch up with the threats that we face today.