Yesterday, I talked about how the vast majority of APT cyber attacks appear to be caused by spear-phishing email. It would seem to follow that the primary advice to protect one’s computer and network, after reinforcing education on telling the difference between spear phishing and legitimate emails, would be to make sure your security software, especially your antivirus (AV) software, is up to date. That still stands, but recent findings from Imperva put a question mark on whether or not AV is the right security solution in today’s cyber landscape.
The Imperva report, “Assessing the Effectiveness of Anti-Virus Solutions,” analyzed more than 80 unreported viruses against more than 40 antivirus solutions and found that zero antivirus solutions were able to detect previously unreported viruses and that 75 percent of solutions took up to a month or longer to update signatures. Although the report hasn’t gone live as of this writing, I think it is important to point out this finding:
Enterprises waste far too much on antivirus. In 2011, Gartner reported that consumers spent $4.52 billion on antivirus while enterprises spent $2.9 billion, a total of $7.4 billion or nearly a third of the total of $25.4 billion spent on software security. This massive expenditure no longer enjoys a return on investment and both consumers and enterprises should look into freeware.
In fact, although Imperva did not find a single antivirus product that provided optimal protection, the best solutions available included two freeware antivirus products.
In a release, Amichai Shulman, CTO at Imperva, stated:
Enterprise security has drawn an imaginary line with its anti-virus solutions, but the reality is that every single newly created virus subverts these solutions without challenge. We cannot continue to invest billions of dollars into anti-virus solutions that provide the illusion of security, especially when freeware solutions outperform paid subscriptions.
This isn’t the first time someone in the security industry has questioned whether or not AV solutions have reached the end of their lifecycle. This past summer, Mikko Hypponen, chief research officer of F-Secure, wrote a piece published in Ars Technica with the same question about the effectiveness of AV:
The truth is, consumer-grade antivirus products can’t protect against targeted malware created by well-resourced nation-states with bulging budgets. They can protect you against run-of-the-mill malware: banking trojans, keystroke loggers, and e-mail worms. But targeted attacks like these go to great lengths to avoid antivirus products on purpose. And the zero-day exploits used in these attacks are unknown to antivirus companies by definition. As far as we can tell, before releasing their malicious codes to attack victims, the attackers tested them against all of the relevant antivirus products on the market to make sure that the malware wouldn’t be detected.
Does this mean that we should ditch AV? Of course not, but we should question how the security solution budget is spent and what other points we can protect on our networks.