There has been a lot of recent debate about whether anti-virus software is actually worth having. Various tests have shown that, despite vendor claims to the contrary, anti-virus programs often detect less than 50% of the malware out there, raising question marks over just how effective the technology really is.
In fact, Donald Crombie, information security manager at the City of Edinburgh Council, which has outsourced the management of its IT infrastructure to BT, even cites one presentation at a conference he went to recently, where the speaker warned of average detection rates as low as seven to 11%.
Kevin O’Reilly, a security researcher at consultancy Corsaire, believes that it is difficult to verify any statistics with certainty because they are based on historical data samples. This means that detection rates will vary significantly on a day-to-day, month-by-month basis, based on when – and if – fixes for zero-day exploits have been found.
| "The [AV] model is flawed in the sense that it has never been able to protect against all malware, and the industry has always been in an arms race with those writing it" |
| Kevin O’Reilly, Corsaire |
Claims made by many anti-virus software vendors of malware detection rates in the high 90% range should thus be taken with a huge pinch of salt, he says. O’Reilly cites the case of users who were hit with ‘blue screens of death’ after trying to introduce Microsoft security updates onto their Windows XP machines last year.
“Microsoft got a lot of negative publicity about it, but when the situation was investigated more thoroughly, the reality was that the PCs concerned were infected with a rootkit. The updates didn’t break uninfected machines, but the sheer number affected was a wake-up call about the extent of the problem”, O’Reilly says.
A Reactionary Business
The challenge, however, is that the anti-virus sector is, by default, a reactionary business. “To some extent, the model is flawed in the sense that it has never been able to protect against all malware, and the industry has always been in an arms race with those writing it”, O’Reilly explains.
Despite the challenges, experts are not advising that the technology be thrown in the trash bin with a despairing sigh. One possible solution is to adopt a more layered approach and employ different anti-virus engines on the desktop, email server and/or network gateway. This, of course, will cost you.
Edinburgh Council, for example, uses McAfee’s anti-virus tools on its client PCs, while using both McAfee and Kaspersky Lab’s offerings for email scanning. “You’d be daft to try and rely on one provider”, Crombie says. “If you can scan your emails with products from two or three providers, you get a bit more protection, so it’s a layered approach.”
Just as important, he argues, is locking down the PC estate and minimizing the number of users that have administrative rights. “If [users] could install any software they wanted, it would be more of a risk to me than removing the AV solution”, Crombie explains. “I still feel that traditional AV has a place, even if it is only picking up between seven and 11% of viruses, but it’s only one component of a larger security strategy.”
| "If you can scan your emails with products from two or three providers, you get a bit more protection, so it’s a layered approach" |
| Donald Crombie, City of Edinburgh Council |
Ruggero Contu, a principal research analyst at Gartner, agrees. While he too would advise organizations against simply ditching their anti-virus software, he places greater importance on fixing vulnerabilities in their systems – particularly their externally facing websites – as well as ensuring that they are configured properly.
“By having a closer focus on configuration and vulnerability management, you can detect any issues and, once you’ve sorted them out, there’s simply less chance that your systems will be affected by malware in the first place”, he says.
The Russian Doll Offering
Another option is to employ a broader-based end point security platform. Although it is still possible to purchase standalone anti-virus tools if desired, the technology is increasingly being absorbed into larger composite suites, which include everything from encryption software to anti-phishing and mobile data protection programs.
As swelling levels of competition in the anti-virus market have resulted in pricing pressure, vendors have increasingly looked for other means of maintaining margins. This has often resulted in vendors either freezing – or slightly increasing – pricing, while offering additional functionality.
This has led to the progressive adoption of suites at the expense of more traditional standalone software – a market that, although certainly not dead, is increasingly considered to be commodity, with products in some instances even becoming downloadable for free.
As Contu says, “Standalone offerings have not disappeared altogether, but the trend now is towards suites, because customers can get more functionality for a good price.”
| "Standalone offerings have not disappeared altogether, but the trend now is towards suites because customers can get more functionality for a good price" |
| Ruggero Contu, Gartner |
To illustrate the point, Contu cites Gartner’s “Security Software Markets, Worldwide, 2008–2015 2Q Update” report, which valued the overall endpoint protection platform space at $3.03 billion last year. Predicted growth rates of 7.4% this year would see the sector hit $3.25 billion while, by 2015, it would be worth an estimated $3.7 billion.
“It’s a highly competitive market where there has been consolidation and competition, which has led to pricing pressures, especially at the enterprise level. But in spite of this, it’s a growing market, partly due to the addition of new capabilities”, Contu says.
A similar kind of consolidation has taken place in the appliance space. Unified threat management devices, which first appeared on the market in the mid-2000s and are effectively multi-function firewalls that are intended to protect the gateway, now come with a raft of additional functionality on top of their more traditional anti-virus scanning tools.
A Master of No Trades
But Corsaire’s O’Reilly warns potential customers to be wary of the hype surrounding UTM technology. “The real strength and truth in the marketing is that they’re convenient solutions. And they probably are, but that can come at a price”, he says. “While historically, enterprises have used more than one best-of-breed product to give them a layered defense, the danger is that, if they go for a jack-of-all-trades, it could be master of none.”
The issue is that, when fighting against malware, UTM devices are “only as good as their AV component”, which means that it is important to check the origins and quality of these often anonymous products using league tables such as those produced by AV Test.
One organization that is very happy with its choice of UTM is Oxford University’s Somerville College. It opted to replace its existing Cisco firewall, Tipping Point intrusion prevention system and Websense web and email content filtering packages with a single UTM – Fortinet FortiGate-3016B. A FortiAnalyzer 400B box was also added to the network for monitoring and reporting purposes.
Chris Bamber, the College’s IT systems manager, explains the rationale: “When we looked at renewing, it became apparent that if we used a UTM, it would work out slightly cheaper, but money was the not key issue. We’re a very small IT department of two looking after a lot of users and so anything that can reduce the management overhead is probably worth more to me than any savings.”
The advantage of the UTM in this context was that “if you’ve got to log onto a firewall, an IPS box, etc., it all takes time, whereas if everything can be checked in one box it saves a lot [of time]”, he adds.
| "AV is part of our security profile, but it’s by no means the be-all-and-end-all" |
| Chris Bamber, Oxford University |
The College does not rely solely on anti-virus software at the gateway level to protect against malware, however. On the one hand, it locks down its computer room and desktop PCs, which are used by both admin and academic personnel and run Sophos anti-virus programs.
On the other, it has segregated its network into six VLans to separate out high and low-risk communities – the former includes mobile users in the shape of both students and lecturers. They too are required to run College anti-virus tools on their client devices, while more anti-virus software is also found at the email server level.
“We’re using AV and other anti-malware software so we’re not really relying on AV alone”, Bamber says. “AV is part of our security profile, but it’s by no means the be-all-and-end-all. I wouldn’t want to put all of my eggs in one basket in that way.”
AV on the Move
It is exactly this mobile device sector that is considered ripe for growth in anti-virus license sales over the next year or so. To illustrate the point, Ian Kilpatrick, managing director at specialist security distributor Wick Hill, cites a study undertaken by researchers Canalys.
The research found that a huge 86% of small to medium-sized businesses had no enterprise-wide smartphone security in place, even though the majority recognized that this lack of protection was a major issue. Many smartphone devices do not currently come with anti-malware protection as the default, and any software that is provided could best be described as basic.
The problem, says Kilpatrick however, is that “a lot of smartphones have the same functionality as a laptop did a couple of years ago, but they’re an even bigger threat in some ways because people use them for both personal and business activities”.
As a result, he concludes: “The number of devices is mushrooming and we’ve started seeing a significant growth in awareness lately, so we expect the [smartphone anti-virus] market to really start moving here in the next year to 18 months.”