The Slow Death of Antivirus
Financially motivated malware is forcing anti-malware vendors to dramatically change their strategies – from remodeling their antivirus labs to the way they market their solutions. At least that is the take of Andrew Jaquith, Yankee Group analyst, who discussed this critical need for change during his SOURCE Boston talk: “Not Dead But Twitching – Antivirus Succumbs to the Scourge of Modern Malware.”
In an industry where security vendors self-congratulate and loudly beat their chests about what they claim to protect against, Jaquith states that current AV protection models are failing as zero day exploits become more sophisticated and malware creators become further incentivized by financial gain.
“Everyone is losing ground,” he said. “Public bravado belies private anguish.”
Jaquith talked about neosploit designer malware (one signature, one victim) and low-and-slow malware feeding denial of service-type attacks against AV labs as just two reasons that these labs need to consider changing their models.
“Most of the antivirus labs prioritize what they go after based on the infections they hear about,” Jaquith said. He went on to say that is only further driving the attackers to send a lot of tiny viruses and change the signature and content enough to slip under the radar.
Despite years of security investments, enterprises are still at a 99 percent penetration rate for antivirus and 63 percent of enterprises suffered a malware outbreak that impaired business. Vendors themselves are citing that they’ve had more malware samples in the last year than in the previous 10 years combined. Throwing more security research engineer bodies at the problem is not going to solve it.
“Today’s antivirus model is losing effectiveness,” Jaquith said. “The enemy is using its infinite ability to scale against the limited capabilities of the AV lab.”
But the biggest problem, he states, is that anti-malware industry itself, calling out the industry’s unwillingness to admit it is losing the battle, to band together, to hush the marketeers and to truly measure the effectiveness of anti-malware efforts.
“Either no one is telling or no one knows – how come no vendors can tell us what percent of anti-malware customers have actually been infected?” he asked.
Herd intelligence (using every endpoint as a collector) with behavior blocking, and taking the old antivirus prevention strategy and leveraging it as a detection strategy are solutions that he suggests.
“Security people think of prevention, detection and response. What AV is good at is protection and how it is marketed. If what you market is silver bullets you are damning yourself to live and die by prevention while the industry is moving to detection and response,” he said.
During his talk, Jaquith cited several vendors who claim to stop “all” malware threats or protect against “any viruses.” There’s a danger in that, he said, as no vendor can guarantee to stop all threats with antivirus solutions, especially with the mounting offenses that malware creators are taking against the AV labs. He pushed for more responsible marketing among all anti-malware vendors.
“Part of this is about the industry growing up. Some of this is tough love but it’s meant to suggest we’ll get beyond the silver bullet.”
– Jennifer Leggio