SAN FRANCISCO -- It's unmistakable: Infosec pros have long heard the death rattle of signature-based antivirus (AV). With the amount of malware currently in circulation -- and rising exponentially by the day -- it's simply not feasible for AV vendors to keep up with signatures. But it may not be a good idea to pull the life support completely, said four panelists at RSA Conference 2011, and, in any event, the death of standard antivirus may not be security pros' biggest problem.
Composed of top-level representatives from four of the largest antivirus vendors -- McAfee Inc., Symantec Corp., Kaspersky Lab ZAO and Trend Micro Inc. -- the panel for the "Death of Signature-Based Antivirus" session had a vested interest in the viability of AV. However, the members were also candid about the state of the technology.
"[Standard] antivirus is not effective anymore," said Raimund Genes, chief technology officer at Tokyo-based Trend Micro.
But, while it may no longer be effective on its own, signature-based AV may not be finished, either. Stephen Trilling, senior vice president of security technology and response at Symantec, made the point that "signatures are still effective for mass-spreading worms" like Conficker.
Nikolay Grebennikov, chief technology officer for Kaspersky, also rejected the idea of pulling the plug completely, asserting that "[signatures are] completely ineffective as the only layer [of endpoint security], but as one of the layers, [they're] effective."
Thus, the panelists agreed, while signatures do help prevent a great number of infections, they must be used in conjunction with up-and-coming antimalware technologies, such as heuristics and behavior-based detection, in order for enterprises to maintain a reasonable level of endpoint protection.
In addition to these emerging technologies, whitelisting also came to the fore as a possible solution to the ever-decreasing competency of standard AV, though it isn't a silver bullet either. According to George Kurtz, worldwide chief technology officer and executive vice president for McAfee, whitelisting is "perfect for fixed-function devices" such as point-of-sale appliances, but can be false-positive prone for applications or devices that are constantly changing, both in the information they handle and the personnel who connect to them.
Enter the X factor in the equation -- the one aspect of security lock-down that will always present an issue, no matter how airtight the technological measures -- the humans who interact with the machines.
"If users got a pop-up that said, 'You will be infected. Please click here,' they'd click on it," Kurtz said. Genes echoed his sentiments: "We have to accept that 100% [technological protection] is not possible." He went on to stress that security pros must help users to understand the security problems their organizations face in order to raise security to the next level.
One session attendee, a vice president and information security officer for a large financial institution who wished to remain unnamed, corroborated the panel's take on employee awareness.
"The decay of AV is nothing new," he said. "We've been dealing with that for the last five to seven years." In 2010, however, he said approximately one third of his time was spent cleaning up employee messes created by their personal Internet usage. "Inside users cost me more money and more time [than anything else]. And none of it has anything to do with corporate activity."
Lisa Phifer, president of Chester Springs, Pa.-based security consulting firm Core Competence Inc., said she agreed with the panelists who said that, in five years, protecting endpoints will be easier because not only are endpoints getting simpler, but there are also more types of them, meaning they require different exploits.
"The days of signature-based antimalware as the exclusive form of endpoint protection are long gone," Phifer said. Instead, she added, endpoint protection requires a comprehensive multi-layered strategy.
However, she didn't agree with panelists who said signature-based antimalware is just for disinfection, not prevention, because the evolution of cloud-based antimalware will likely include signature-based antimalware as part of the process to ensure the last-mile Internet pipeline provided by ISPs is malware-free.