A few days ago, while announcing their new Advanced Threat Protection initiative, Piero DePaoli, Symantec’s director of product marketing has made a provocative statement, proclaiming that ‘AV is dead’. His colleague Brian Dye said that antivirus software only catches around 45% of malware attacks, and that the company is shifting its focus towards responding to attacks instead of protecting against them.
Making such bold claims to promote new products or technologies is a common marketing tactic, we have even done something like that ourselves a couple of years ago, quite successfully. However, is there any substance behind this claim? Does it mean that, even armed with the modern IT security solutions, we’re still left unprotected from attackers and our only salvation is the future product from Symantec?
First, let’s clarify an simple terminology issue. A modern endpoint protection product is no longer just an antivirus. In fact, it would be safe to say that traditional signature-based antivirus programs (which first appeared over 20 years ago) are already dead for ages, since nobody makes traditional computer viruses (that is, self-replicating pieces of code that spread by embedding into other programs, boot sectors or data files) anymore.
Modern attacks against IT security have evolved into Advanced Persistent Threats, which are complex combinations of different attack vectors, including infected media, network exploits, software vulnerability attacks and social engineering. “Traditional” malware, such as Trojan programs and worms, still plays a central role in those attacks, however.
Modern IT security solutions have obviously evolved as well. Even ordinary users using a modern consumer antivirus program know very well that it includes not just a malware detection engine, but a firewall for protection from network attacks, some form of application control to stop Trojans, device control to prevent data leaks and so on. They also rely on cloud-based reputation services for application black- or whitelisting. We simply keep calling this kind of software an “antivirus”, just as we still call those powerful little computers in our pockets “phones”.
Yes, an antivirus alone is not capable of protecting against modern security threats. The only viable approach for developing efficient IT security is a multi-layered design combining endpoint protection, firewalls (although these are becoming less important since modern IT no longer has a rigid perimeter), database and application security, identity management and information rights management. Security experts have been talking about it years ago. And for years, security vendors have been working on developing more sophisticated, more versatile, more integrated solutions to fight those threats.
The latest trend in this evolution is the so-called Real-time Security Intelligence, where security solutions are becoming a mix of software and services, relying heavily on big data analytics and external sources of real-time security information, such as zero day attacks. For more information have a look at this blog post. The topic will also be prominently featured at the EIC 2014, and there is an in-depth report on it in the works.
As advanced persistent threats become more advanced and persistent coordinated, another aspect of a security application suite becomes more important: it’s no longer enough to offer protection against different attack vectors separately. A more integrated solution with tighter coupling between different modules and with centralized management and monitoring will necessarily provide more reliable detection and protection against those threats. In this regard, Symantec is actually lagging behind many other vendors that already offer technologies like sandboxing or reputation analysis, and in better-integrated packages. A notable example here would be Kaspersky Lab, which offers a single-vendor solution with the level of integration nearly impossible to achieve by technology acquisitions or partnerships.
So, is Antivirus really dead? Yes, and it’s been buried many times in the past.
Should we worry about it? Not really, since it keeps resurrecting with new technologies and functions, while somehow still keeping its familiar name. So, don’t be fooled by bold marketing claims, but look for multi-layered and tightly-coupled security solutions, they are still relevant and won’t go away any time soon.