Anti-virus is basically dead, at least according to the biggest anti-virus vendor. The good news is that signature-based AV has actually been dead for a long time; even the big players have been broadening their capabilities to assess, prevent, detect, and investigate advanced malware on endpoints and servers. There has been a tremendous amount of activity and innovation in protecting endpoint and servers, driven by necessity:
Endpoint protection has become the punching bag of security. For every successful attack, the blame seems to point directly to a failure of endpoint protection. Not that this is totally unjustified — most solutions for endpoint protection have failed to keep pace with attackers.
But hygiene and awareness alone will not deter advanced attackers very long. We frequently say advanced attackers are only as advanced as they need to be: they take the path of least resistance. But the converse is also true. When these adversaries need advanced techniques, they use them. Traditional malware defenses such as antivirus don’t stand much chance against a zero-day attack.
Our Advanced Endpoint and Server Protection paper highlights the changes in threat management resulting from these advanced attackers using advanced tactics. We discuss changes in prevention, as well as advances in both detection and investigation. This is really a call to action to rethink how you deal with advanced adversaries, and ultimately how you protect your devices.
Advanced adversaries require organizations to rethink how they manage threats. The idea that targeted attacks can be prevented consistently is a pipe dream, so organizations need to shift away from largely ineffective legacy technologies for protecting endpoints and servers. More specifically this means devoting more resources and investing in innovative approaches to blocking attacks in the first place, including advanced heuristics, application control, and isolation technologies.
But even with significant investment in innovative prevention, a persistent attacker will still compromise your devices. This highlights the necessity of shifting security investment toward detecting and investigating attacks.
We would like to thank the companies who have licensed this content (in alphabetical order): Bit9 + Carbon Black; Cisco/Sourcefire; and Trusteer, an IBM Company. We make this point frequently, but without security companies understanding and getting behind our Totally Transparent Research model, you wouldn’t be able to enjoy our research.