In Anti-Virus, Who Can You Trust?


Officials and security researchers have named anti-virus vendors as the new weak link in enterprise and government networks. They claim that sensitive files of the U.S. National Security Agency, the Republic of Korea Armed Forces and U.S. companies were targeted and exfiltrated thanks to the software that should be protecting the endpoint.

Anti-virus solutions have been around since the mid-1980s. We gave them file system permissions to scan every file. Then we allowed them access to OS processes to scan active code. Then we allowed vendors to take our data to the cloud for “enhanced” security.

The irony is that for years we’ve been paying vendors to protect our endpoints. All the while, they serve as the perfect indexer for our sensitive data. By giving anti-virus vendors privileged access to our systems, they have full access to our data.

In the light of recent events, which vendors can you trust? What technology should you deploy and how should you configure it? Managing your risk with common sense is the only prudent and secure IT solution, and understanding that risk is key.

Security software is typically the most privileged software in your network environment. If you work in a sensitive industry or in government, the company's origins and ownership may be an important factor and an indicator of its motives. It's prudent to consider factors such as: what does any outbound data include, how is that data pushed out, and is the sharing of metadata optional or mandated?

Software with deep system access needs to be fully understood - especially when it can be configured to push sensitive data - whether metadata or complete files - elsewhere. Humans will always be in the loop, creating the conditions for a simple software configuration to betray you.

So you must look at your software vendors and the configuration of their products with the mindset that some human, somewhere, is going to screw something up. With this perspective, you might choose a different default configuration for your privileged components.

Use network monitoring tools to inspect your outbound traffic with a vendor’s product installed. Understand what it’s sending in its “phone home” connections. You can use your firewall or specific, detailed analysis tools like Wireshark or Little Snitch.
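A small script of the kind this check calls for, added here as an example and not part of the article: it reads connection records in the shape a host firewall or Little Snitch-style monitor exports, totals what a named agent process sent to each destination, and flags destinations missing from the vendor's documented list as well as unusually large uploads. The agent name `avagent`, the hosts, the allowlist and the 10 MiB threshold are constructed assumptions, not data about any real product.

```python
"""Summarise outbound 'phone home' traffic from a security agent.

Input: constructed connection records of the shape a host firewall or
Little Snitch-style monitor exports (process, destination, port, bytes sent).
The vendor allowlist and the sample records below are assumptions, not
data from the article or from any real product.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    process: str
    dest_host: str
    dest_port: int
    bytes_out: int


# Constructed sample records (hypothetical agent name and hosts).
SAMPLE_CONNS = [
    Conn("avagent", "telemetry.example-av.test", 443, 4_200),
    Conn("avagent", "update.example-av.test", 443, 512),
    Conn("avagent", "cloud-scan.example-av.test", 443, 38_000_000),
    Conn("avagent", "198.51.100.23", 8443, 120_000),
    Conn("browser", "www.example.org", 443, 9_000),
]

# Destinations the vendor documents for its product (assumed list).
VENDOR_ALLOWLIST = {
    "telemetry.example-av.test",
    "update.example-av.test",
    "cloud-scan.example-av.test",
}

LARGE_UPLOAD_BYTES = 10 * 1024 * 1024  # 10 MiB; tune to your environment


def summarise(conns, agent_process, allowlist, large_upload=LARGE_UPLOAD_BYTES):
    """Return (totals_by_dest, findings) for the agent's outbound traffic.

    totals_by_dest maps "host:port" -> total bytes sent by agent_process.
    findings is a list of (kind, dest, bytes) tuples for anything a
    reviewer should look at: undocumented destinations and large uploads.
    """
    totals = defaultdict(int)
    for c in conns:
        if c.process != agent_process:
            continue  # only the agent's own traffic is of interest here
        totals[f"{c.dest_host}:{c.dest_port}"] += c.bytes_out

    findings = []
    for dest, total in sorted(totals.items()):
        host = dest.rsplit(":", 1)[0]
        if host not in allowlist:
            findings.append(("undocumented_destination", dest, total))
        if total >= large_upload:
            findings.append(("large_upload", dest, total))
    return dict(totals), findings


def main():
    totals, findings = summarise(SAMPLE_CONNS, "avagent", VENDOR_ALLOWLIST)
    for dest, total in sorted(totals.items()):
        print(f"{dest:40} {total:>12,d} bytes out")
    for kind, dest, total in findings:
        print(f"REVIEW {kind}: {dest} ({total:,d} bytes)")


if __name__ == "__main__":
    main()
```

The two findings it raises are exactly the questions the paragraph asks you to answer: a destination the vendor never documented, and a volume of data far beyond what telemetry or signature updates should need. Replace the constructed records with an export from your own firewall or monitor, and the allowlist with what the vendor's documentation actually states.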

Another approach would be to minimize your attack surface area by keeping malicious content off your network, thus reducing the need for privileged security tools on your network. Isolating the browser in the cloud is one strategy. A remote browser keeps all web code off the user’s endpoint.

When arbitrary code from the web doesn’t reach the endpoint, the burden on your anti-virus solution is reduced - or eliminated. This not only improves the composition of your network, it reduces your reliance on vendors that require deep system access.

If you follow this approach, you may find that the balance shifts back in your favor: away from cybersecurity vendors forcing you to abide by their requirements, and toward you and your ability to provide access to the web without jeopardizing your data or your organization.
