One thing I hear all the time is how “antivirus is dead”… “antivirus is worthless”… “antivirus is easy to bypass”… I myself am guilty of saying some of these things, most notably that it’s easy to bypass and only catches known threats, and these statements are true. BUT, I think we are doing ourselves and our clients a disservice by saying that antivirus is worthless.
Now, I will preface this with the fact that any pentester worth his/her salt can get past most Antivirus/Antimalware (AV/AM) software… and if we good guys can do it, so can the bad guys; it’s just the truth of the world we live in. BUT, to say that it’s worthless to run AV/AM sends the wrong message, as ALL security software and hardware can be or will be bypassed in some way, shape or form. For some reason, though, AV/AM seems to take the brunt of the ridicule from infosec pros… we hold contests for how many products we can bypass, we take pride in being able to migrate our exploit processes into the AV/AM processes themselves, etc., and while all this is fun, I think it’s important for businesses and IT departments to realize that just because we can dance all over and around AV/AM doesn’t mean you need to chuck it in the trash quite yet.
What everyone who listens to us infosec types needs to keep in mind is the concept of defense in layers (also called defense in depth).
AV/AM will catch the low-hanging fruit, and trust me, there are plenty of so-called hackers out there willing to take advantage of you if you do not protect yourself from the basics. This means you NEED to run AV/AM software, just like you NEED to run a firewall. Just try to pass a security audit of any kind if you don’t. But these are just the basics, and don’t take my word for it; just see what happened to the Bangladesh bank that decided it didn’t need the basics: http://www.reuters.com/article/us-usa-fed-bangladesh-idUSKCN0XI1UO?il=0
I know that AV/AM is flawed and that it’s a “reverse looking” technology, meaning that it needs to match a known signature to detect that something is bad. But the same is true (for the most part) of Threat Intelligence, Intrusion Detection, Spam Filtering, etc. The key is understanding how to harness these technologies to improve our detection and response times. More on that in a few…
What all businesses, small, medium and enterprise alike, need to understand is that it’s not the individual technologies that are “worthless”; it’s the idea that you can prevent an attack/breach outright that is, in my opinion, laughable. A determined attacker, be it an adversary or a pentester, has an unfair advantage over you and your business, and given enough time and funding, WILL get in. It’s not a question of IF, just a question of WHEN. If you think you can prevent an attack by JUST having AV/AM, or JUST having a firewall, you are in need of a serious wakeup call (and probably a good pen test).
But just because you really can’t prevent an attack, does that mean you should not prepare yourself for one? Of course not. You should, and AV/AM is just part of that preparation. I liken it to the lock on your front door… just because I can easily pick that lock, I don’t think anyone would question the advice that you should still lock your front door. As my Dad used to say, “locks keep the honest people out” 🙂
Now, once I pick that lock, depending on your individual risk tolerance, you may have more defenses in place… a monitored alarm system, cameras and a DVR, a pit bull, firearms… you get the picture. These “layers” of home defense are no different from the layers you need in your infosec arsenal… AV/AM software, a Security Information and Event Management (SIEM) system, an Intrusion Prevention/Detection System, a Deception and Active Response System. Some or all of these things (and many, many more) are needed depending on your business, perceived risk, tolerance for risk, and your threats and vulnerabilities.
This is where I see a lot of businesses fall down on their security efforts. I will be writing a future article called “The Fog of Cybersecurity” that will address this in detail, but for now realize that most businesses want to just purchase a product that has a red light for when they have been hacked, and a green light for when they are secure. Unfortunately, it doesn’t work like that.
Information security is made up of prevention, detection and response, and you need to build your information security program with all three in mind. AV/AM can play a key role, not only as a basic prevention method, but also as a detection and response mechanism when paired with the right tools in your infosec arsenal. Numerous alerts from your AV/AM engine, especially the same detection showing up across many hosts, can mean you have a misconfiguration or vulnerability in your infrastructure that you need to lock down. A single user with many AV/AM alerts can indicate not only compromise, but a need for some additional training. And a detection the engine reports but could not clean or quarantine is not noise at all; it is something running on that machine that your AV saw and failed to stop, which is exactly what your response process is for.
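To make that last point concrete, here is an added example (my own illustration, not code from the original post or from any AV vendor) that triages a batch of AV/AM alerts the way the paragraph describes: it flags a threat detected on many distinct hosts (a shared exposure to lock down), users generating an unusual number of alerts (training or compromise), and detections the engine reported but did not contain (an incident-response lead). The log lines, field layout (timestamp, host, user, threat name, action) and the thresholds are all constructed for the example and are not any real product’s export format.

```python
"""Triage AV/AM alerts into signals worth acting on.

Added example. The log format below (timestamp host user threat action) is a
constructed, vendor-neutral layout for illustration, not a real product's export.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample alerts for one business day (not real telemetry).
SAMPLE_ALERTS = """\
2016-05-02T08:01:11 ws-acct-01 jdoe JS.Downloader.Agent Quarantined
2016-05-02T08:05:40 ws-acct-01 jdoe Trojan.GenericKD.1234 Quarantined
2016-05-02T09:12:03 ws-acct-01 jdoe Exploit.PDF-JS Blocked
2016-05-02T09:30:55 ws-hr-07 asmith Trojan.GenericKD.1234 Quarantined
2016-05-02T10:02:17 ws-hr-07 asmith W97M.Downloader Quarantined
2016-05-02T10:14:29 srv-file-02 SYSTEM Trojan.GenericKD.1234 Quarantined
2016-05-02T11:45:00 ws-eng-12 bwong Trojan.GenericKD.1234 Quarantined
2016-05-02T12:06:31 ws-eng-12 bwong Hacktool.Mimikatz Unresolved
2016-05-02T12:07:02 ws-eng-12 bwong Hacktool.Mimikatz Unresolved
2016-05-02T13:20:48 ws-acct-01 jdoe JS.Downloader.Agent Quarantined
"""

# Actions that mean the engine actually contained the threat (assumed vocabulary).
RESOLVED_ACTIONS = {"Quarantined", "Blocked", "Deleted"}


def parse_alerts(text):
    """Parse whitespace-separated alert lines into dicts; skip blank lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, host, user, threat, action = line.split()
        alerts.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "user": user,
            "threat": threat,
            "action": action,
        })
    return alerts


def widespread_threats(alerts, min_hosts=3):
    """Same threat on many distinct hosts points at a shared exposure
    (unpatched software, an open share, a mail-filtering gap), not one careless user."""
    hosts_by_threat = defaultdict(set)
    for a in alerts:
        hosts_by_threat[a["threat"]].add(a["host"])
    return {t: sorted(h) for t, h in hosts_by_threat.items() if len(h) >= min_hosts}


def noisy_users(alerts, min_alerts=3):
    """Users whose alert count crosses the threshold: a training conversation
    at minimum, and a compromise check if the detections are not being contained."""
    counts = Counter(a["user"] for a in alerts)
    return {u: n for u, n in counts.items() if n >= min_alerts}


def unresolved_detections(alerts):
    """Detections the engine saw but did not contain. Escalate to response."""
    return [
        (a["host"], a["user"], a["threat"])
        for a in alerts
        if a["action"] not in RESOLVED_ACTIONS
    ]


def triage(text):
    """Run all three checks over a raw alert export and return the findings."""
    alerts = parse_alerts(text)
    return {
        "widespread": widespread_threats(alerts),
        "noisy_users": noisy_users(alerts),
        "unresolved": unresolved_detections(alerts),
    }


if __name__ == "__main__":
    for section, findings in triage(SAMPLE_ALERTS).items():
        print(f"{section}: {findings}")
```

On the sample data the three checks tell three different stories: Trojan.GenericKD.1234 landing on four machines including a file server is an infrastructure problem, jdoe’s four contained detections are a training problem, and the two uncontained Hacktool.Mimikatz hits on ws-eng-12 are the one host you pull from the network today. Feeding these findings to a SIEM or ticketing system is the “paired with the right tools” part.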
So while you may hear people (including myself) hate on AV/AM (and with the recent issues with Symantec, who can blame us?), realize that it’s just one part of what you need in a defense in depth strategy. Although I speak only for myself here, I truly believe that most infosec professionals’ disdain for traditional AV/AM comes from wanting to constantly improve the level of our industry as a whole. We strive every day to make infosec better, and we can’t do that by resting on our laurels. We must push not only ourselves, but our vendors and clients, to be the very best they can be, because let’s face it, the bad guys are constantly upping their game.
Until next time, please do run AV/AM software and keep it updated and patched. Just don’t rely on it as your sole defense.