Time for Change: Has Anti-Virus Had its Day?

It was all the rage in 2004, but times and threats have moved on. Phil Muncaster investigates what role anti-virus should play in cybersecurity policy today.

Ask any non-IT expert to tell you what they know about cybersecurity and they’ll probably start with anti-virus (AV). However, how relevant is it in the context of today’s threat landscape? 

A revealing report from Redscan – covering the past 15 years – claimed that Google searches for AV have declined from a peak in around 2005 to virtually nothing today. The big-name AV brands have suffered similarly, but is this because AV is by now well known and the benefits well understood, or because IT security buyers and users no longer believe it has the right stuff to keep them secure?

On the other hand, the report revealed increasing interest over the past few years via searches for terms such as SIEM, cloud computing, AI and security, IoT security and threat hunting. Like many things from 2005, AV seems a little dated amongst this new breed, but experts argue that with the right kind of layered approach it can still add value for organizations.

A Brief History of AV
The history of AV is indivisible from that of the threat landscape. Over two decades ago, when the industry was in its early days, AV meant signature-based protection for desktop computers against known viruses and worms, introduced mainly by floppy disks. What few threats existed tended to come from script kiddies out to prove a point rather than financially-motivated cyber-criminals and nation states, meaning that weekly updates were enough to keep users protected.

Today things are very different. An explosion in connectivity, endpoints and cloud platforms has helped to foment a cybercrime underground estimated to be worth $1.5tn annually. Hackers are able to circumvent signature-based detection using code obfuscation, polymorphism and fileless techniques, forcing AV makers to adapt, according to Frost & Sullivan analyst Swetha Krishnamoorthi.

“New malware is released every 24 hours. Advanced Persistent Threats, zero-day attacks, social engineering-based targeted attacks and more require complex, multi-layered solutions to enable detection and remediation,” she tells Infosecurity. “In response, AV solutions started using a heuristics-based approach. A combination of machine learning, behavior monitoring and automation is used to flag suspicious behavior and proactively shield networks from new and unrecognized malware.”

To these behavioral techniques, AV vendors have also added firewall and host intrusion prevention/detection capabilities, according to SANS Institute instructor, Ian Reynolds.

“As the market matured and threats grew more complicated, the race to add extra, non-AV functionality grew,” he explains. “This was largely driven by a need to differentiate products from those of the next vendor.”

Is It Still Useful? 
So how effective have these efforts at modernizing AV actually been? One 2018 poll of 660 IT security pros claimed that AV products missed an average of 57% of attacks, with respondents citing high false positives and alerts as adding extra challenges for stretched IT teams. Despite the bad press, however, AV is still useful, according to the experts.

“Despite the rise of ‘next gen’ security technologies, traditional AV that is based heavily on signature-based detection remains an important form of defense,” Redscan technical director, Andy Kays, tells Infosecurity. “These solutions are quick to implement and have a low false-positive rate.”

For Reynolds, AV may even be a core requirement for compliance purposes. “In the case of PCI-DSS, AV is still written into the standard. The UK government requires any business it trades with to hold a Cyber Essentials certification, which lists AV as one of the three malware protection options available,” he explains. “No CISO wants to be the one who decided to drop AV and then suffer a compromise that would have been stopped by standard AV protection.”

However, it is fair to say that AV shouldn’t be used in isolation. When Symantec SVP Brian Dye famously said “anti-virus is dead” back in 2014, he really meant that increasingly it needs to be used alongside other tools to be effective.

“An effective security strategy should be based on the concept of defense-in-depth where, rather than relying on one control, there is a layering of controls to combat threats,” Gartner analyst Ruggero Contu tells Infosecurity. “However, an AV strategy should not just be focused on detecting threats. Similar to the broader approach of an enterprise security strategy, AV and its main detection and focus should be deployed alongside a broader adaptive security focus, trying also to respond to attacks as fast as possible, and predict threats through threat intelligence.”

From Prevention to Detection and Response
The ability to detect and respond rather than trying to block threats outright, as traditional AV does, is a key task for modern security teams, in light of the sheer volume and sophistication of current threats. Experts now agree that there is no such thing as 100% protection, and the disintegration of the traditional enterprise perimeter has only made this more certain. In this new landscape, speed of response and visibility into threats are key. That’s why SIEM platforms are still a critical complement to AV, according to SANS Institute’s Reynolds.

Yet there are also caveats to implementing advanced tools like endpoint detection and response (EDR) alongside AV, adds Kays.

“Buyers should be prepared for the fact that invariably advanced tools need a higher degree of maintenance and monitoring to ensure that they remain as effective as possible,” he argues. 

“This includes the need to baseline technologies to each IT environment, in order to help each solution understand what is normal and what is not. In the case of EDR, security teams must also create watch lists to support threat hunting activities as well as playbooks to help automate incident response – such as isolating infected machines from a network.”

What Happens Next?
As far back as 2007, news articles were asking whether AV had a future. While such sentiments may make for interesting reading, they’re predicated on the notion that a single form of cyber-defense can be a silver bullet for all threats. Security vendors would certainly like to have you believe that’s true, but it flies in the face of best practice approaches which demand layered security.

“AV solutions offer the best first line of defense and hence, cannot be done away with,” warns Frost’s Krishnamoorthi. “They offer a faster and lightweight alternative for performing functions such as sandboxing, behavioral analytics and more.”

In choosing which technologies to layer up alongside AV, no two organizations are the same and CISOs should first consider which threats pose the greatest risk to their IT systems and data. 

“Security leaders need to pay close attention to the detection methodologies used by the latest tools, such as whether they are rules-, correlation- or analytics-based,” says Kays. “Each methodology has its own pros and cons, particularly with regards to threat visibility and coverage.”

This task will arguably become increasingly easy as the market continues to mature and AV capabilities are baked into endpoint protection platforms.

“From a vendor perspective, it may be simpler to sell one security stack to the business rather than component parts,” says Reynolds. “Vendors took this route in the past when HIPS/HIDS were add-ons for the core AV products and if it brings unified management and reporting, this may bring benefits to both the business and the vendors.”

He adds that autonomous detection driven by machine learning capabilities will continue to develop in the AV industry, as will integration with incident response and forensic tools to help businesses proactively hunt down malware and other threats in the future.

For Gartner’s Contu, traditional AV must be part of an integrated approach because that’s the way threats are heading.

“AV has become part of an effort towards tackling a broader set of increasingly integrated threats, such as phishing, ransomware and fileless attacks,” he concludes. “AV, as part of broader security strategy, will evolve towards new scenarios and infrastructures to be protected, such as cloud computing, mobile computing and IT-OT convergence.”

A simple analysis of Google searches may therefore not be doing the anti-virus industry justice. These products, at their core, remain a vital part of enterprise IT security, and will continue to be so long into the future.

Anti-Virus Through the Ages

  • 1971 - First known computer virus appears, dubbed ‘Creeper’
  • 1983 - Fred Cohen coins the term ‘computer virus’ in academic paper
  • 1986 - First widespread infection, via ‘Brain’ virus
  • 1987 - John McAfee releases first AV product, VirusScan
  • 1991 - Symantec releases the first version of Norton AntiVirus
  • 1994 - AV-TEST reports 28,613 unique samples in malware database
  • ~2014+ - Vendors promote ‘next-gen’ AV featuring machine learning, behavioral detection, etc
  • 2019 - In September 2019, AV-TEST recorded over 952 million virus samples