CSO & CIO, October 29, 2018 with comments by Satya Gupta;
Antivirus software doesn't stop malware, nor can it keep up with new malware or variants of known malware, but it still plays a role in an overall endpoint protection strategy.
New threats get past traditional antivirus with predictable reliability, which includes zero-day exploits and ransomware. But antivirus (A/V) solutions still provide a first layer of defense that companies are wise to keep, such as blocking malware attacks consisting of known threats that signatures can successfully identify.
The limitations of antivirus (A/V)
Most companies realize the limitations of antivirus. It’s protections are limited in that it’s only able to identify and stop malware that is already seen and familiar, and in that sense, A/V functions in hindsight. The process of keeping endpoints up to date with signatures can take days, weeks or months after a threat is identified, leaving a gap in protection. And because it can only recognize known threats, A/V software is not capable of blocking new and sophisticated attacks such as fileless attacks, which by definition, are designed to bypass these signatures.
According to last year’s Black Hat attendees, 73% feel traditional antivirus no longer serves a purpose. A/V missed 38% of malware attacks this year, up from 30% in 2016. Bad actors are getting better all the time at avoiding detection by developing variants of malware they know will sidestep A/V systems.
Newer technologies, such as behavioral or artificial intelligence analytics may be more equipped to detect some of these more advanced attacks, though they miss many as well.
Even though aware, many companies still not protecting themselves enough
Companies know these are concerns. In a Ponemon Institute report this month that poll IT professionals, 79% said they were worried about new and unknown threats. Surprisingly though, 29% still said their traditional signature-based A/V was all the protection they needed, even in this high-risk environment.
Not only that, many companies aren’t even using some of the solutions they’ve acquired. The latest SANS endpoint protection survey* shows traditional A/V caught only 47% of endpoint compromises. SIEMs, network analysis and other endpoint protection systems and technologies caught remaining attacks. Still, just 50% of companies have acquired these more advanced technologies, and of those, only 37% are using those functions. Of the 49% of companies who have tools to detect fileless attacks, only 38% of those aren’t using those.
Why you still need antivirus software
Still, A/V software is not obsolete. A layered approach to security remains the best approach and A/V has a place in those layers. While it’s not effective at catching the zero-day and newer attacks, A/V serves well in a first line of defense by detecting a good portion of the “noise” at lower cost while relieving other resources of that more routine task.
The larger takeaway may be the data that shows that even though companies are worried about the dangerous attacks out there, many remain knowingly under protected. Satya Gupta, founder and CTO at Virsec Systems says, "What is worrisome is how slow many organizations have been to respond to these new tactics and adjust their security strategies. We’re still stuck in a mindset of guarding the perimeter and stopping what’s been seen before."