Antivirus software to protect corporate systems from malware is like a flu shot. You should have it, but it likely won't protect you from every strain of the flu.
"Antivirus is great for blocking known threats, but the issue has grown past viruses," said Ryan O’Leary, vice president of the Threat Research Center at WhiteHat Security. "Malware and vulnerabilities in the network or application can lead to far greater compromise."
Worse yet, new threats are being crafted faster than traditional antivirus can keep up.
“We as an industry need to recognize that defaulting to an antivirus and firewall mentality is leaving yourself wide open to compromise," O’Leary said. "Companies need to take a more holistic approach to their security program and start looking at application, network and malware issues that could compromise their entire company.”
Nir Polak, CEO at Exabeam, said malware is only the first step in a security breach -- its job is to steal a credential and use that to create a new, valid identity it can use to access the corporate network.
“So, detecting the malware is a good thing, but it’s almost always too late," Polak said. "By the time the antivirus system has detected the malware, the hacker has already jumped off that machine and is in the network with a new identity. Anti-malware software is necessary, but it’s not a complete solution, by a long shot."
Rick Grinnell of Glasswing Ventures agreed: “If the shot or the [antivirus] solution isn’t protecting against the right strain or matching malware pattern, then the patient or user will be left vulnerable to infection or attack."
Grinnell argued that companies now need to augment antivirus protection with behavioral analytics, artificial intelligence and other technologies to stitch together a more robust defense.
Antivirus and pattern matching worked well 15 to 20 years ago, because Symantec (Norton) and McAfee were protecting a predominantly Wintel world from a small number of slow-moving viruses, Grinnell said.
With the growth of the internet, increasingly vulnerable software and more sophisticated attack techniques, malware exploded in the early 2000s, starting with the ILOVEYOU worm, which infected millions of machines. Even then, antivirus vendors offered protection that was relevant through the end of the decade.
Grinnell said about half of all breaches today can’t be detected by antivirus. To fight back against more sophisticated threats, antivirus software vendors added behavioral and white-listing options -- some of them difficult to deploy -- to try and block malicious activity.
That's only spurred attackers to come up with ever more complex methods, Grinnell added.
Now what?
To catch the newer attacks, more sophisticated machine learning and artificial intelligence defenses have been rolled out.
“These solutions can quickly learn and adapt to fast changing malware types, and can often find needle in the haystack problems, where bad behavior is masquerading in a normal traffic pattern emanating from an authenticated user account using an approved application,” Grinnell said.
“So what if the strains don’t match what’s in the real world? That’s why behavioral analytics are an important piece of the puzzle. Behavioral analytics will look for surges in traffic or anomalies—something outside the boundaries of what is considered normal,” he added.
“Greater intelligence on the available data will help organizations make more educated decisions — something that traditional antivirus is not allowing for,” he said.
Another problem now is that exploits can target an increasingly diverse set of systems, many of which do not have the power to run any native security software, he said. That's why security has to be layered, with some pieces running on endpoints and others in the network.
A truly optimized approach requires looking not only at the data flowing in and out, but also at the behavioral activities of users, machines, applications and data, with external threat intelligence incorporated.
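The behavioral check Grinnell describes, a baseline of what is normal for a user and a flag on anything far outside it, is simple enough to show in full. The following is an added example, not code from the article or from any vendor quoted in it. It assumes a hypothetical log format (`<ISO timestamp> user=<name> bytes_out=<n>`, one record per user per day), uses the first seven records per user as the baseline, and scores later records against a median/MAD baseline rather than mean/standard deviation so a single bad day in the baseline window does not drag "normal" toward the attacker. The sample log is constructed; alice's last record is the planted outlier.

```python
import re
import statistics

# Constructed sample log (not from the article). Daily egress bytes per user;
# alice's final record is the planted surge a behavioral model should catch.
SAMPLE_LOG = """\
2024-03-01T02:00:00 user=alice bytes_out=51200000
2024-03-02T02:00:00 user=alice bytes_out=49800000
2024-03-03T02:00:00 user=alice bytes_out=50500000
2024-03-04T02:00:00 user=alice bytes_out=52100000
2024-03-05T02:00:00 user=alice bytes_out=48900000
2024-03-06T02:00:00 user=alice bytes_out=50000000
2024-03-07T02:00:00 user=alice bytes_out=51500000
2024-03-08T02:00:00 user=alice bytes_out=1900000000
2024-03-01T02:00:00 user=bob bytes_out=20000000
2024-03-02T02:00:00 user=bob bytes_out=20300000
2024-03-03T02:00:00 user=bob bytes_out=19800000
2024-03-04T02:00:00 user=bob bytes_out=20100000
2024-03-05T02:00:00 user=bob bytes_out=19900000
2024-03-06T02:00:00 user=bob bytes_out=20400000
2024-03-07T02:00:00 user=bob bytes_out=20200000
2024-03-08T02:00:00 user=bob bytes_out=20000000
"""

# Hypothetical log format assumed for this example.
LINE_RE = re.compile(r"^(\S+) user=(\S+) bytes_out=(\d+)$")


def parse_log(text):
    """Return [(timestamp, user, bytes_out)] for each well-formed line; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3))))
    return records


def robust_baseline(values):
    """Median and a MAD-derived scale. MAD ignores a few outliers in the window,
    so an attacker who is already active on day 2 does not poison the baseline."""
    med = statistics.median(values)
    mad = statistics.median(abs(v - med) for v in values)
    scale = 1.4826 * mad  # consistency constant: MAD -> stddev for normal data
    if scale == 0:
        # Assumption: a perfectly constant baseline gets a 1% tolerance band
        # instead of a division by zero.
        scale = 0.01 * med if med > 0 else 1.0
    return med, scale


def find_anomalies(records, baseline_n=7, threshold=5.0):
    """Score every post-baseline record per user; return those above threshold."""
    by_user = {}
    for ts, user, n in records:
        by_user.setdefault(user, []).append((ts, n))
    anomalies = []
    for user, rows in by_user.items():
        rows.sort()  # ISO timestamps sort lexically
        if len(rows) <= baseline_n:
            continue  # not enough history to know what "normal" is for this user
        med, scale = robust_baseline([n for _, n in rows[:baseline_n]])
        for ts, n in rows[baseline_n:]:
            score = (n - med) / scale
            if score > threshold:  # one-sided: only excess egress is interesting here
                anomalies.append({"user": user, "ts": ts,
                                  "bytes_out": n, "score": round(score, 1)})
    return anomalies


if __name__ == "__main__":
    for a in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']} {a['user']} bytes_out={a['bytes_out']} score={a['score']}")
```

Note that nothing here inspects the bytes being sent: the 1.9 GB day is flagged purely because it is out of character for that account, which is the point Grinnell is making about catching bad behavior that arrives from an authenticated user over an approved application. Users with too little history are skipped rather than scored, which is the usual trade-off in these systems.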
“Some of the newer vendors in the security market are leveraging advanced artificial intelligence to find the most sophisticated evolving malware that antivirus could never pattern match, and block these attacks before they can go live,” Grinnell said. “Other vendors are using behavioral models coupled with crowd-sourced data and teams of human experts to identify exploits as they are in the early stages to provide fast response, before major damage can be done.”
Who's doing protection right? Grinnell pointed to Cylance, Crowdstrike and Carbon Black, with Symantec and McAfee looking to regain prominence. Other companies such as Palo Alto Networks and IBM are also leveraging advanced machine learning and A.I. in their products.
Not over yet
Antivirus vendors aren’t ready to call it quits on their products.
“Indeed, the medicine analogy is very informative,” said Avi Rembaum, vice president of security solutions at Check Point Software. "New strains of infections appear. Existing medications do not treat these new forms. And yet, if an older strain should infect someone, and that someone has not developed antibodies for that older strain, the older medication remains relevant."
Rembaum argued that antivirus should remain in the security toolbox. “We should look no further than penicillin and aspirin. They remain relevant today and will continue to be relevant for the foreseeable future, even though they might not treat the latest variant of the flu.
“It is important to remember that security has and always will be a multi-layered approach," Rembaum said. "Advanced threat prevention is required to prevent advanced attacks.” He pointed to Check Point SandBlast as an example of such a technology.
Phil Neray, vice president of industrial cybersecurity at CyberX, said antivirus isn't dead any more than firewalls are dead. “It's just that it isn't sufficient on its own anymore, because it can't protect against modern threats like targeted attacks, fileless malware, and polymorphic malware,” he said.
One area in which antivirus isn't dead (because it was never born) is non-traditional endpoints like IoT, IIoT and Industrial Control System (ICS) devices, Neray said. “These devices don't have sufficient machine resources to run antivirus agents, so you need to rely on other defenses such as network behavioral analysis and agentless vulnerability assessments to protect them.”
Corey Nachreiner, CTO at WatchGuard Technologies, said that relying on signatures or known malware patterns to stop threats is no longer enough. “So, while signature-based antivirus solutions might be dying, antivirus solutions in general are just as important as ever."
What's old is new
Today, even less sophisticated criminals use tricks to make old malware look new again, at least at a binary level, Nachreiner said. Among those evasion techniques: “packing and crypting.” With packing tools, attackers take a well-known malicious trojan, which would be easy to detect, and jumble it up on a binary level so that the original antivirus signature no longer matches.
“...Even though the trojan remains the same, it can evade basic antivirus detection," Nachreiner said. "Furthermore, attackers are automating this process so that their malware delivery servers repack malware continuously as they target new victims."
The result: hundreds of thousands of new malware samples every day that signature-based detection may not catch. "...The industry has realized that reactive, pattern-based malware detection technologies are no longer going to cut it," he said. "New anti-malware controls need to focus more on proactive detection techniques."
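To make Nachreiner's point concrete, here is an added example (not code from the article or from WatchGuard) that shows why repacking defeats a byte-pattern signature and why unpacking before scanning restores it. The "trojan" is a harmless constructed byte string, the packer is a toy XOR scheme with a hypothetical `PK01` header, and the per-victim keys are derived from a counter; none of this is a real packer or real malware. The `repack_per_victim` function plays the role of the delivery server that repacks continuously.

```python
import hashlib

# Constructed stand-in for a well-known trojan: plain text, not executable code.
KNOWN_TROJAN = b"CONSTRUCTED SAMPLE: connect c2.example:443 and await commands"
# The kind of byte-pattern signature a traditional engine would carry for it.
SIGNATURE = b"connect c2.example:443"
# Hypothetical packer header for this example; real packers have their own stubs.
STUB = b"PK01"


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack(payload, key):
    """Toy packer: header + key length + key + XOR-encoded body.
    The payload's behaviour is unchanged, but every key yields new bytes and a new hash."""
    if not 1 <= len(key) <= 255:
        raise ValueError("key must be 1..255 bytes")
    return STUB + bytes([len(key)]) + key + xor_bytes(payload, key)


def unpack(blob):
    """Reverse pack(); raises ValueError for anything not using this stub."""
    if not blob.startswith(STUB) or len(blob) <= len(STUB):
        raise ValueError("not packed with this stub")
    klen = blob[len(STUB)]
    key = blob[len(STUB) + 1: len(STUB) + 1 + klen]
    if len(key) != klen:
        raise ValueError("truncated key")
    return xor_bytes(blob[len(STUB) + 1 + klen:], key)


def sha256(blob):
    return hashlib.sha256(blob).hexdigest()


def static_verdict(blob):
    """Reactive, pattern-based layer: exact signature match only."""
    return "malicious" if SIGNATURE in blob else "clean"


def unpack_then_scan(blob):
    """What an emulator or sandbox effectively does: let the stub run, then
    scan what it produced. Samples using an unknown stub fall through."""
    try:
        inner = unpack(blob)
    except ValueError:
        return "unknown"
    return static_verdict(inner)


def repack_per_victim(payload, n):
    """Simulate a delivery server that re-packs the same trojan for each new victim.
    Keys are derived deterministically from a victim counter (an assumption for
    reproducibility; a real server would use random keys)."""
    return [pack(payload, hashlib.sha256(b"victim%d" % i).digest()[:16])
            for i in range(n)]


if __name__ == "__main__":
    samples = repack_per_victim(KNOWN_TROJAN, 5)
    print("unique hashes:", len({sha256(s) for s in samples}))
    for s in samples:
        print(sha256(s)[:12], static_verdict(s), "->", unpack_then_scan(s))
```

Every repacked copy hashes differently and contains no byte of the original signature, so a signature or hash blocklist sees five "new" samples. The unpack-then-scan layer gets the same verdict on all of them because the payload underneath never changed. The limit of this layer is visible in the `"unknown"` branch: a custom stub the scanner cannot run through leaves it with nothing to match, which is where the behavioral and machine-learning approaches discussed earlier in the piece take over.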
“The answer lies in new technologies that can find the human beings behind the attacks," said Sam Curry, chief product officer at Cybereason. "Just as nails are needed in building a house, antivirus is needed in a company; but neither nails in construction nor antivirus in IT commands or should command a premium."
Antivirus can help get the “hygiene” right, but the actual fight takes place elsewhere, he said. The best way to stop attackers -- and reduce corporate risk -- comes from something else altogether.
Curry said behavioral data (from endpoints, the network, users and applications) is key, with endpoint behavioral data the most important. That's where A.I. comes in.
“Artificial intelligence is a much abused term, but the principle of using learning, adapting software and algorithms, from machine learning and data mining techniques to more sophisticated expert systems and artificial intelligence is critical for getting an edge in cyber conflict,” he said. “Right now, the attackers enjoy all the leverage and asymmetry in cyber conflict. Behavioral data, combined with automation and effective forms of machine learning, data science and artificial intelligence hold the key to reversing the asymmetry and giving the defenders the leverage in cyber conflict."