Detection vs. Protection and the Game of Words
By Mike Rothman
Any time you go after an entrenched technology, there will be pushback. So it’s not surprising that some folks believe that imperva’s anti-virus study is garbage.
this makes it pretty clear that the product a customer installs is very much a different thing from the program that virustotal uses - they will in most cases behave very differently and so the results that virustotal spits out cannot be considered representative of what actual users of anti-malware products will experience.
Normally I won’t link to anything on the anti-virus-rants blog because I object to kurt’s lack of capitalization. But in this case, he underscores a reality that every security professional needs to deal with. There is detection and then there is protection. You can be protected from a malware attack without having technology to detect the malware. That means you have a synergistic (or complementary) control in place to protect the device. For example, you may not have a signature to block a 0-day, but you’ve implemented application whitelisting on that public kiosk, so the malware can’t install. Protection without detection. Imagine that.
So kurt’s general issue is railing against the industry marketing machine for vilifying the AV vendors because they can’t actually detect enough malware. His point is that endpoint protection involves more than just anti-virus detection. As such, many of those malware samples (tested by Technion through VirusTotal) would not necessarily compromise a device because other controls in the suite would provide the protection. he’s right. And yes, my lack of capitalization is an homage to kurt. ;-)
But then he swings at Rob Graham about Rob’s defense of the testing methodology. Rob’s point is that the methodology is fine. The AV engines on their own don’t detect a lot of the malware, and a standalone engine is exactly how many folks deploy anti-virus, as part of a security gateway or UTM. In that scenario, Rob is right as well.
Though we continue to avoid the elephant in the room, and that’s the marketing spin. You know, the game of words. Imperva spun this story as an indictment of endpoint protection, when it was really validating what should already be common knowledge. Standalone anti-virus is not going to catch much malware. You can decompose words and try to infer Imperva’s intent, but that’s pointless. The marketing folks at Imperva are good at what they do and I don’t begrudge them for spinning the results of the study. It’s their job. They try to create urgency for their employer’s technology by favorably positioning data points to tell their story.
As I’ve said many times before: don’t hate the playas, hate the game.