By Drew Robb
Anti-virus software has been the main defense against malicious programs for decades. But the sheer volume of threats is making it impossible for anti-virus software to keep up.
Over 220,000 malicious programs are found every day, according to independent IT security organization AV-Test.org (Figure 1). That number is corroborated by other sources such as VirusTotal, which publishes its total malware submissions weekly.
Figure caption: Most anti-virus tools use signature files to detect viruses. But it is an “after the fact” method: only when new viruses are detected are they added to the malware lists.
Anti-virus firms have gotten much faster. They can now detect new malware and add it to their signature lists within an average of six hours — sometimes even within one hour. But that still leaves cybercriminals plenty of time to invade someone’s computer before they’re detected.
Anti-virus software can’t even detect all threats; detection rates are usually 60 to 98 percent. Proactive detection, which catches a virus before it infects your computer, is stalled at 80 percent (Figure 2).
Technology for the 1980s
The problem is that AV software was designed to address the threats of the 1980s, when viruses spread through floppy disks, says Egemen Tas, vice president of engineering at Comodo, a security software company.
He estimates that about 50 percent to 60 percent of zero-day threats — attacks that exploit previously unknown vulnerabilities — can go undetected for at least two to seven days.
With so many malware attacks hitting corporate firewalls, it’s no wonder that many get through.
That’s why some security experts think anti-virus software is obsolete.
Brian Dye, senior vice president for information security at Symantec, recently told the Wall Street Journal that anti-virus was dead.
Charles King, an analyst at Pund-IT, agrees.
“It is abundantly clear that traditional security solutions are increasingly ineffectual and that vendors’ assurances are often empty promises,” says King. “Passive security practices like setting and maintaining defensive security perimeters simply don’t work against highly aggressive and adaptable threat sources, including criminal organizations and rogue states.”
‘Best and brightest’ cybercriminals
Stu Sjouwerman, CEO of KnowBe4, explains just how organized cybercriminals have gotten.
“Fully professional eastern European cyber mafias have hired the best and brightest, and are innovating malware at a furious pace,” he says. “Today, the bad guys raise a malicious website, run their attack, and then disappear after a few hours — before [anti-virus] companies have updated their malware definitions.”
Sjouwerman says that a decade ago, it still made sense to “keep the bad guys out.” Today, it’s too expensive. Figure 3 shows “good” vs. “bad” programs then and now.
Companies like Comodo and KnowBe4 advocate a completely different method to cope with the problem — a process known as “allowlisting.” The opposite of “blocklisting,” allowlisting involves running only approved, known-safe applications on a computer or workstation.
For the Web, a primary real-time whitelist could be combined with a local whitelist to alert users about unknown and potentially dangerous domains (Figure 4).
“Even if there is existing malware on the workstation that tries to call home, it will be blocked,” says Sjouwerman.
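As an added illustration of the allowlisting approach described above (example code written for this article, not code from Comodo or KnowBe4): a local allowlist is consulted first, then a stand-in for the vendor’s real-time allowlist, and a domain on neither list raises an alert instead of being silently allowed, which is what stops resident malware from calling home. The same decision applied to applications by SHA-256 hash is included. All domain names and binaries here are constructed placeholders.

```python
import hashlib

# Constructed sample policy, not data from the article. The local list is what
# the organisation itself approved; REALTIME_ALLOWLIST stands in for the
# vendor-maintained "primary real-time" list the article describes.
LOCAL_ALLOWLIST = {"intranet.example", "updates.example"}
REALTIME_ALLOWLIST = {"example.com", "example.org"}


def _matches(host, allowlist):
    """True if host or any parent domain of it is on the allowlist.

    Matching on whole labels (example.com covers www.example.com but not
    example.com.evil.test) keeps an approved name from being borrowed
    as a prefix of an unapproved one.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in allowlist for i in range(len(labels)))


def check_domain(host, local=LOCAL_ALLOWLIST, realtime=REALTIME_ALLOWLIST):
    """Allowlist decision for an outbound connection.

    Returns (decision, source). Anything on neither list is 'alert': the
    domain does not need to be known-bad, only not-yet-approved.
    """
    if _matches(host, local):
        return "allow", "local"
    if _matches(host, realtime):
        return "allow", "realtime"
    return "alert", "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def check_application(image_bytes, approved_sha256):
    """Application allowlisting: a binary runs only if its hash is approved."""
    digest = sha256_hex(image_bytes)
    return ("allow" if digest in approved_sha256 else "block"), digest


if __name__ == "__main__":
    for host in ("www.example.com", "intranet.example", "c2.unknown.test"):
        print(host, check_domain(host))
    approved = {sha256_hex(b"approved-binary")}  # constructed stand-in binary
    print(check_application(b"approved-binary", approved)[0])
    print(check_application(b"dropped-payload", approved)[0])
```

In practice the real-time list would be fetched and cached from the vendor rather than hard-coded, and the alert path is where the user prompt or block shown in Figure 4 would sit.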
But allowlisting isn’t necessarily the only alternative. King is a proponent of intelligence-driven security, which uses analytics to develop more of a proactive detection approach.
“As technologies continue to proliferate and networks — wired, wireless and human — become ever larger and more complex, we believe security threats will continue to grow apace,” says King. “That will put additional pressure on traditional security solutions and strategies that are already buckling and thus increase the threats to already threatened end users.”
Does this mean users should get rid of their existing anti-virus tools? Sjouwerman says no. He advises users to keep anti-virus as an additional layer of protection, but it has to be supported by other tools.
“It isn’t a one-product-fixes-all proposition,” says Sjouwerman. “Companies still should have [anti-virus] — at least for now, as well as firewalls, a strong whitelist strategy and user training.”
Meanwhile, Vincent Steckler, CEO of anti-virus firm AVAST, thinks anti-virus won’t die so much as evolve to include many more facets, particularly with consumers and small and medium businesses (SMB) where a layered security perimeter rarely exists.
“Anti-virus products are not the simple anti-virus products of past years,” says Steckler. “At the consumer and SMB level, they now incorporate firewalls, intrusion detection, heuristics, virtualization, sandboxes, and many other layers of protection, not just anti-virus.”