Security-in-depth is rarely discussed without including desktop antivirus; antivirus software has been a cornerstone of corporate network protection since the advent of the computer virus. The danger antivirus software presents is that within most organizations it is the last line of defense, so any threat capable of breaching it has the ability to wreak havoc within the enterprise.
Although antivirus has long been known to be vulnerable, the rather sudden downturn in the effectiveness of this security control has caught most organizations off guard and left them looking for new alternatives for protecting their networks from an ever-increasing number of malware threats.
A recent study by Google noted that, at best, antivirus scanners caught only 25% of malicious content. This raises the question, “Why is traditional signature-based antivirus failing?”
The inherent issue with antivirus is its signature-based approach to identifying possibly malicious code. These signatures, once manageable for antivirus vendors, are now required at a rate the vendors cannot keep up with, given the mass volume of malware being produced daily.
A recent Sophos presentation noted that three years ago new virus signature definitions numbered approximately 3,000 per day. Today those totals are closer to 300,000 new virus signatures per day. This obviously negates any ability of antivirus vendors to respond quickly to new virus threats. The increased lag between identifying a virus in the wild and having a new signature definition has left most organizations vulnerable to these threats and looking for new alternatives.
The reason for this rapid shift is simple: hackers have perfected malware creation and antivirus evasion. Attackers can take a newly written virus, or even an old one, quickly build a new version, and run it through a scanner such as VirusTotal until it passes all antivirus scanners. The attackers now have a new and fresh virus that can bypass current signature-based technology.
Organizations are increasingly looking to take antivirus away from the desktop as the primary protection against viruses, and are instead looking for reputation-based malware controls that live on the network edge. There is also a strong push for cloud-based aggregation of malware threat models to feed rapid identification and remediation of new malware threats. This aggregation leverages what is being seen across the globe and quickly uploads those reputational characteristics to block new threats before they become problems within the network.
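The two approaches contrasted above, as an added illustration that is not the author's code or any vendor's product: an exact-hash signature database beside a prevalence-based reputation lookup, run against constructed sample files. The byte strings, organization names and the prevalence threshold of 3 are assumptions, not values from the article.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Set

# Constructed sample "files": a known malicious binary, a rebuilt variant
# differing by one trailing byte, and a widely deployed benign tool.
KNOWN_MALWARE = b"MZ\x90\x00constructed-sample-payload-v1"
REBUILT_VARIANT = KNOWN_MALWARE + b"\x00"
BENIGN_TOOL = b"MZ\x90\x00constructed-widely-deployed-tool"

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Approach 1: desktop-style signature database keyed on exact file hash.
SIGNATURE_DB: Set[str] = {sha256(KNOWN_MALWARE)}

def signature_verdict(data: bytes) -> str:
    # Exact-match lookup: anything not already in the database is allowed.
    return "block" if sha256(data) in SIGNATURE_DB else "allow"

# Approach 2: edge appliance consulting reputation aggregated across many
# organizations (the cloud-based aggregation the article describes).
@dataclass
class ReputationCloud:
    sightings: Dict[str, Set[str]] = field(default_factory=dict)  # hash -> orgs
    min_prevalence: int = 3  # assumed policy threshold, not from the article

    def report(self, data: bytes, org: str) -> None:
        self.sightings.setdefault(sha256(data), set()).add(org)

    def verdict(self, data: bytes) -> str:
        digest = sha256(data)
        if digest in SIGNATURE_DB:
            return "block"  # known bad is still blocked
        prevalence = len(self.sightings.get(digest, set()))
        # Unknown, rarely seen content is held (quarantined or sandboxed)
        # at the edge rather than delivered to the desktop.
        return "allow" if prevalence >= self.min_prevalence else "hold"

def compare() -> Dict[str, Dict[str, str]]:
    # Run both approaches over the three samples and return every verdict.
    cloud = ReputationCloud()
    for org in ("org-a", "org-b", "org-c", "org-d"):
        cloud.report(BENIGN_TOOL, org)  # seen widely, reputation accrues
    cloud.report(REBUILT_VARIANT, "org-a")  # brand new, seen only once
    samples = {"known": KNOWN_MALWARE, "rebuilt": REBUILT_VARIANT, "benign": BENIGN_TOOL}
    return {name: {"signature": signature_verdict(d), "reputation": cloud.verdict(d)}
            for name, d in samples.items()}
```

The rebuilt variant is the case the article is about: the signature lookup allows it because no definition exists yet, while the reputation lookup holds it as low-prevalence unknown content.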
These new approaches are pushing antivirus appliances to the edge of the network, as part of the infrastructure, so that malware is examined before it reaches the desktop. This approach was recently validated by Cisco’s $2.7B purchase of Sourcefire.
Sourcefire, best known for the popular IDS tool Snort, also has a robust anti-malware detection tool called Advanced Malware Protection (AMP). Enterprises have to defend against increasingly sophisticated attacks and are looking at these defenses from the point of entry into the network. This new approach allows a more robust look at possible viruses, investigation of an infection, tracking of the virus through the enterprise, and remediation, all done within the appliance.
Although desktop antivirus still has a place in a defense-in-depth strategy, its relevance has diminished rapidly and substantially. This has left most organizations scrambling to find new alternatives to this age-old problem.
What is clear in all of this is that effective antivirus in the future will not be signature-based and will live at the point of entry to the network, where reputation and cloud-based databases will make fast determinations on whether an attachment, web link, or similar content will be allowed to reach the desktop. This is a rapidly changing environment and one in which more solutions will come to market, driven by enterprises increasingly adopting this new defense-in-depth approach to antivirus.