AV: Mind the gap

At every security conference you will meet a colleague who surfs the Internet bareback, convinced that AV provides such little protection that they might as well plunge ahead and take their chances. They have their own alternative strategies of running VMs, regular reimaging or simply eschewing Windows altogether. While not mainstream, such sentiments do raise a legitimate question: has AV run its course and is it time to move on?

If you take ‘AV’ literally to mean a standalone anti-virus application, there is a case to be made that, like disk defragmenters, AV should be a feature, not a product. Microsoft declared as much several years ago with the release of Security Essentials.

If we use ‘AV’ as shorthand for ‘endpoint security suite’, the case for the defence is much stronger. However, the industry has a certain culpability for creating a false sense of security. Tag lines such as ‘ultimate protection’ and ‘complete security’ are more compelling than an honest statement that would read something like: ‘It will stop most of the common threats that most users will come across most of the time, but won’t do much if we haven’t seen it before. You’re still better off running it than not.’

More than one vendor touts their ability to detect unknown threats, even though AV-Comparatives showed recently [1] that no product was able to detect more than 61% of these threats.

Nevertheless, as Paul Ducklin has pointed out [2], the leading vendors all provide a level of protection and remediation that users would be ill-advised to forego. The core weakness in these products is their reliance on signatures and block lists – which are excellent for stopping what is already known, but even behavioural signatures can be bypassed by determined foes. Some vendors are now pushing new approaches, like Indicators of Compromise, yet these too are merely signatures by another name [3].

Paul also raised a key point that gets little acknowledgement from security vendors: while a sophisticated threat actor can bypass signature-based products more or less at will, the cost of doing business has risen dramatically for cybercriminals [4].

As an industry, we collectively push two falsehoods:

I believe that the second point is true for certain industries and governments. I’ve sat with incident response teams as they play whack-a-mole with compromised machines. For them, the reality is that at any given moment a certain number of their endpoints will be compromised, often by sophisticated state-sponsored attackers. As serious as that is, blanket statements such as those that compare cybercrime to the illegal drugs trade are counterproductive. As we saw in the recent Carberp takedown, cybercrime can be lucrative for some, but the risks are high, the costs of operation higher, and the logistics and required organizational skills are daunting for all but the most well financed and connected of criminal organizations.

Let’s keep up the good work and improve the industry cooperation that keeps the heat on these groups. One area we can improve is standardizing and formalizing threat sharing. There are many good industry initiatives, but the reality is that most threat data is still shared on an ad-hoc basis, bilaterally and based on personal trust relations. Let’s make sure we communicate to consumers and enterprises the value of defence in including AV.

Let’s also change the message – every security product has gaps and blind spots. To pretend otherwise is counterproductive. Changing the message won’t detract from the value of these solutions, but will give customers a realistic expectation of what they are getting and what their risks are. And remember: in our role as technologists, we play just one part. Real security will come through effective policy, legal action and political pressure on jurisdictions that provide safe harbour to bad actors.

Latest articles:

Bulletin Archive