RSA Admin

The failure of Antivirus against recent Malware

Blog Post created by RSA Admin Employee on Aug 23, 2012

If you stay up to date on the latest trends in the security industry, you may have already known for a number of years that Antivirus technology hasn't fared well against cutting edge threats.  This is because of the necessity for a signature to be created in order for anyone to detect anything, whereas technologies like RSA NetWitness thrive on not needing a specific signature to exist in order to find abnormal or malicious activity.

 

F-Secure's Chief Research Officer, Mikko Hypponen recently wrote in a Wired article how the Antivrius industry failed with Flame, Stuxnet, and Duqu malware.  It took over 2 years for Flame to be properly discovered and identified, and it took over a year for both Stuxnet and Duqu.  With the speed at which modern attacks can be formulated and delivered, response times are expected to be closer to minutes or hours, not days, weeks, or years.

 

Traditional Antivirus methodology has been, in my opinion, rendered obsolete as a way to identify cutting edge edge threats until long after the detection would provide any meaningful value.  Risk based technologies however, provide a much better chance at detecting new threats by identifying activity that doesn't fall under baselines and does not require specific signatures that can only be obtained once a sample is analyzed.

 

I've often heard colleagues say that in the best way to find the needle in the haystack is to remove the hay.  Antivirus attempts to identify the needle with no context as to what kind of hay it might be living in.  Remove the hay and all the needles immediately become apparent.  This is an important evolution in an ever more complex networked world with a need for faster and faster response times as the so called "arms race" between malicious attackers and us defenders becomes larger.

 

This isn't to say that antivirus technology is completely useless.  It just should no longer be viewed as a primary defense system.  Used in conjunction with other technologies there are effective ways to manage current deployments without having to re-architect an entire company's IT solution.  Technologies come and go, evolve and are replaced, and this is a perfect time to put a plan in place to do just that instead of ignoring the changing landscape.

Outcomes