Traditional signature-based antivirus is notoriously bad at stopping newer threats such as zero-day exploits and ransomware, but it still has a place in the enterprise, experts say, as part of a multi-layer endpoint security protection strategy. The best antivirus products act as the first layer of defense, stopping the vast majority of malware attacks and leaving the broader endpoint protection software with a smaller workload to deal with.
Antivirus products create a signature for each piece of malware that is detected in the wild, but the process only starts after someone has already been infected by it. “And, once an antivirus company does this, it could be days or months for all endpoints to be properly updated with the correct signature,” says Ed Metcalf, senior director of product marketing at Cylance, Inc. “By this time, a cyber attack could easily spread throughout an enterprise and cause damage or steal data.”
Research reveals the changing role of antivirus software
According to a survey of last year’s Black Hat attendees, 73% think that traditional antivirus is irrelevant or obsolete. “The perception of the blocking or protection capabilities of antivirus has certainly declined,” says Mike Spanbauer, vice president of strategy and research at NSS Labs, Inc.
Plenty of recent research supports that point of view. Security company WatchGuard Technologies, for example, reported the results of a comprehensive test of traditional antivirus. They measured how well a leading traditional antivirus product did at spotting zero-day threats by looking at customers who had both traditional antivirus and next-generation endpoint protection products installed. Traditional antivirus missed 38% of the malware attacks that were caught by a next-generation platform using a behavior-based approach.
Why is traditional, signature-based antivirus getting worse at detecting threats? “The threat landscape has evolved,” says Rob Lefferts, corporate VP of Microsoft 365. “I would avoid using the phrase ‘antivirus is dead,’ but thinking about straight-up antivirus as a solution – those days are gone.”
Not only are attackers getting better at quickly generating countless versions of existing malware, tweaked just enough to not be picked up by existing signatures, but new attacks, like fileless attacks, are showing up that won’t be picked up by traditional antivirus, he says.
Companies are aware of the problem. According to the latest SANS endpoint protection survey of IT professionals, traditional antivirus caught endpoint compromises only 47% of the time. The rest were caught by SIEMs, network analysis, advanced endpoint protection systems and other technologies.
However, only 50% of companies have acquired next-generation capabilities, and 37% have turned on that functionality. In addition, while 49% have tools to detect fileless attacks, 38% aren’t using them.
Similar findings were reported by the Ponemon Institute in a survey of IT security professionals where 70% said they were very concerned about new and unknown threats, but only 29% said their traditional signature-based antivirus provided all the protection they needed.
The case for traditional antivirus
Should companies eschew traditional antivirus in favor of newer technologies? Not according to Microsoft’s Lefferts, who says that traditional AV still has a role to play.
Behavioral analytics, sandboxing, and other advanced tools take time and use up network bandwidth and computational resources. Traditional antivirus is fast, cheap and lightweight. “If you’re counting the number of different types of malware, there are more and more polymorphic or custom attacks,” he says. “But considering the onslaught of commodity malware, it is still the vast bulk of the number of encounters that happen on a daily basis.”
Even if traditional antivirus isn’t able to stop all attacks, it can block a significant number of them at low cost. “So let’s do that,” says Lefferts. “But we certainly can’t afford to stop there, and I don’t think anyone today says we should stop there.”
Those potential threats that make it past the first line of defense can then be analyzed based on their behavioral characteristics or sent off to a sandbox for secure detonation.
Traditional antivirus is a good adjunct to the newer technologies such as behavior analytics, sandboxing and machine learning. The more advanced tools can require more processing power, which can slow down computers, and there is a trade-off in how they are deployed. If the product runs behavioral or other tests on potential threats inline, before permitting user access, the added latency can hurt productivity. If the product lets the files through and tests them separately, malware has a window of opportunity to reach enterprise systems before the verdict comes back.
Finally, when a new threat is detected, additional work is required to mitigate it and to generate signatures that protect against it in the future. “The first level of defense will always be some kind of signature-based defense,” says Raja Patel, VP for corporate product at McAfee LLC. “If you already know something is bad, why do an additional layer of protection against it?”
Without that initial signature-based screening, companies will have to spend a lot more time, effort and money to handle all the threats that come in, he says. “You can imagine how much a security team would have to put up with.” If a threat can be caught and stopped right out of the gate, it’s the cheapest option. “Signature-based antivirus saves human effort and reduces false positives and time delays,” he says. “It’s a fantastic first layer and will be for a long time.”
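The layering argued for in this section, and the evasion described earlier (variants tweaked just enough to defeat an existing signature, and fileless activity inside a legitimate host), can be made concrete with a small toy pipeline. The following is an added example, not code from the article or from any vendor quoted in it: a cheap signature layer (exact hashes plus byte patterns) sits in front of a costlier behavioral layer that only sees what the signatures let through. The sample “files”, the runtime “telemetry”, the behavior weights and the threshold are all constructed for illustration and stand in for nothing real.

```python
"""Layered endpoint scan: cheap signature checks in front, costlier behavioral
analysis only for what gets past them.

Constructed toy samples stand in for on-disk files and sandbox telemetry;
nothing here is real malware or a real AV engine.
"""
import hashlib
import re
from dataclasses import dataclass, field


@dataclass
class Sample:
    name: str
    content: bytes                               # stand-in for the on-disk image
    actions: list = field(default_factory=list)  # stand-in for runtime telemetry


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1a: exact-hash signatures, the kind shipped in a classic AV update.
KNOWN_BAD_IMAGE = b"MZ\x90\x00 dropper-v1: cmd.exe /c vssadmin delete shadows /all"
HASH_SIGNATURES = {sha256(KNOWN_BAD_IMAGE): "Dropper.v1"}

# Layer 1b: byte-pattern signatures; still cheap, and they survive small edits
# (repacking, padding) that change the hash.
PATTERN_SIGNATURES = {
    "Dropper.family": re.compile(rb"vssadmin\s+delete\s+shadows"),
}

# Layer 2: behavioral heuristics. Needs execution telemetry, so it is the
# expensive layer. Weights and threshold are assumed values, not from any product.
BEHAVIOR_WEIGHTS = {
    "delete_shadow_copies": 5,
    "mass_file_rename": 4,
    "spawn_powershell_encoded": 3,
    "write_temp_exe": 1,
    "read_config": 0,
}
BEHAVIOR_THRESHOLD = 5


def signature_scan(sample: Sample):
    """Return the matching signature name, or None if no signature hits."""
    digest = sha256(sample.content)
    if digest in HASH_SIGNATURES:
        return HASH_SIGNATURES[digest]
    for name, pattern in PATTERN_SIGNATURES.items():
        if pattern.search(sample.content):
            return name
    return None


def behavior_score(sample: Sample) -> int:
    """Sum the weights of observed actions; unknown actions score zero."""
    return sum(BEHAVIOR_WEIGHTS.get(a, 0) for a in sample.actions)


def layered_scan(sample: Sample):
    """Return (verdict, layer_that_decided). Only samples that pass the
    signature layer are run through the behavioral layer."""
    sig = signature_scan(sample)
    if sig is not None:
        return "malicious:" + sig, "signature"
    score = behavior_score(sample)
    if score >= BEHAVIOR_THRESHOLD:
        return "malicious:behavior(score=%d)" % score, "behavior"
    return "clean", "behavior"


def triage(samples):
    """Scan a batch; return per-sample verdicts and how many samples each
    layer had to decide, i.e. the workload the signature layer absorbed."""
    workload = {"signature": 0, "behavior": 0}
    verdicts = {}
    for s in samples:
        verdict, layer = layered_scan(s)
        verdicts[s.name] = verdict
        workload[layer] += 1
    return verdicts, workload


# Constructed corpus: a known sample, a repacked variant with bytes appended,
# a polymorphic variant with the command string obfuscated (XOR), a fileless
# case living inside an unmodified legitimate host, and a benign file.
OBFUSCATED_CMD = bytes(b ^ 0x5A for b in b"vssadmin delete shadows")
SAMPLES = [
    Sample("known", KNOWN_BAD_IMAGE, ["delete_shadow_copies"]),
    Sample("repacked", KNOWN_BAD_IMAGE + b"\x00" * 16, ["delete_shadow_copies"]),
    Sample("polymorphic", b"MZ\x90\x00 dropper-v2: " + OBFUSCATED_CMD,
           ["write_temp_exe", "delete_shadow_copies", "mass_file_rename"]),
    Sample("fileless", b"MZ\x90\x00 powershell.exe (signed, unmodified)",
           ["spawn_powershell_encoded", "mass_file_rename"]),
    Sample("benign", b"MZ\x90\x00 notepad.exe", ["read_config"]),
]

if __name__ == "__main__":
    verdicts, workload = triage(SAMPLES)
    for name, verdict in verdicts.items():
        print(f"{name:12} {verdict}")
    print("decided per layer:", workload)
```

Running it shows the split the article describes: the known and repacked samples never reach the behavioral layer, the obfuscated variant and the fileless case are invisible to both hash and pattern signatures and are caught only by what they do, and the benign file is the one that pays the full cost of the slow path. Swapping the hash set for a pattern set is what buys resilience against trivial repacking; neither helps once the attacker stops shipping recognisable bytes at all.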
Traditional antivirus, next-gen endpoint protection tools are converging
As the industry matures, enterprises are going to be able to get the full suite of malware protection tools from a single vendor, if they don’t already. Traditional antivirus providers are adding next-gen capabilities, while the next-generation vendors are including signature-based protections in their suites.
Enterprises increasingly expect to see antivirus protection included in their next-generation endpoint solution. “Businesses don’t like to mix and match,” says Adam Kujawa, head of malware intelligence at Malwarebytes Corp. “They prefer to have one vendor to go to. So, the security solutions have multiple layers, with multiple technologies involved to maximize the amount of protection.”
Traditional antivirus vendors aren’t sitting on the sidelines, either. Instead, many are buying or building the next-generation tools that can help catch the attacks that get by signature-based defenses. “Antivirus will become extinct in the next few years unless they are able to evolve,” says Luis Corrons, PandaLabs technical director at Panda Security, a traditional antivirus vendor. “We at Panda have been fully aware of this.”
The company has had behavioral-based malware detection for several years, but even that is not enough. Many successful security breaches involve no malicious software at all, he says. “To say it crystal clear, a traditional antivirus is useless against these attacks as there is no malware involved,” he says. For example, attackers can abuse legitimate, non-malicious software that is already present on the victim’s systems.
The company has recently rolled out new tools to monitor the behavior of all active applications in an enterprise. “It allows us to have full visibility of what is happening in our network,” he says.
According to the Ponemon survey, 64% of companies this year experienced one or more endpoint attacks that compromised assets or infrastructure, and 63% said that the number of attacks went up compared to last year.
Meanwhile, the average cost of a successful attack has increased from $5 million to $7.1 million, with an average cost per compromised endpoint of $440. For small- and medium-sized companies the average cost was even higher, at $763 per endpoint.
“What is worrisome is how slow many organizations have been to respond to these new tactics and adjust their security strategies,” says Satya Gupta, founder and CTO at Virsec Systems. “We’re still stuck in a mindset of guarding the perimeter and stopping what’s been seen before.”