Recently, Symantec’s Senior VP for Information Security, Brian Dye, made headlines when he proclaimed that AV “is dead”. This, of course, created quite a bit of buzz in the press, presumably achieving the goal of the proclamation. Even with all the buzz, I’m not entirely sure that we’re having the appropriate follow-on discussion as a community. Allow me to explain.
If we think about what anti-virus is conceptually, it is a means or an approach to detect and contain malicious code. This is a noble goal and something we ought to be doing. If that is the case, then why are AV detection and containment rates well below 25%? I think the answer lies in the fact that the attackers have changed with the times, whereas AV methodologies and techniques are largely stuck in the 1990s. I believe that the main challenge with AV is that, like all signature-based technologies, it is designed to look for “known knowns”.
I’ve discussed the difference between “known knowns” and “unknown unknowns” in previous blog posts. We should, of course, be looking for what we know is bad. We would be crazy not to do that. These are the “known knowns”. In practice, however, the “known knowns” turn out to be only a portion of the attacks that compromise organizations. The most interesting activity lies in the “unknown unknowns”, and it is in this “pile” that we find the attacks that AV cannot detect (and thus cannot contain), including attacks that do not involve any malware at all.
Is it easy to find the “unknown unknowns”? Of course not. But that doesn’t mean that we shouldn’t try, and that we shouldn’t develop methodologies and techniques for that purpose. Put another way, the attackers have changed their game, and we need to change ours. We need to work harder on developing reliable ways to detect and contain anomalous behavior and activity. That is the only way to supplement the signature-based approaches of the past and increase detection and containment rates.
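To make the contrast concrete, here is an added illustration (not the author's code): a hash signature catches only the exact sample it was written for, while a behavioral baseline of parent-to-child process pairs flags activity the fleet has not seen before, including a case with no malware file to hash at all. Sample bytes, baseline counts and telemetry are all constructed for the example.

```python
import hashlib
from collections import Counter

# Constructed sample: stands in for a malware file already captured and signed.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed dropper body v1"
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}

def signature_match(file_bytes: bytes) -> bool:
    """Known-knowns check: the file is bad only if its hash is already listed."""
    return hashlib.sha256(file_bytes).hexdigest() in SIGNATURES

# Constructed baseline: how often each parent->child process pair was observed
# across the fleet during a quiet learning period.
BASELINE = Counter({
    ("explorer.exe", "outlook.exe"): 300,
    ("outlook.exe", "winword.exe"): 120,
    ("explorer.exe", "cmd.exe"): 40,
    ("services.exe", "svchost.exe"): 900,
})

def anomalous_events(events, baseline=BASELINE, min_seen=5):
    """Unknown-unknowns check: flag parent->child pairs the baseline has rarely
    or never seen, regardless of whether any file hash is known bad."""
    return [e for e in events
            if baseline[(e["parent"], e["child"])] < min_seen]

# Constructed endpoint telemetry for one host.
EVENTS = [
    {"host": "ws-17", "parent": "explorer.exe", "child": "outlook.exe"},
    {"host": "ws-17", "parent": "outlook.exe", "child": "winword.exe"},
    # A document spawning a shell: no malware file on disk, so nothing to hash.
    {"host": "ws-17", "parent": "winword.exe", "child": "powershell.exe"},
    {"host": "ws-17", "parent": "services.exe", "child": "svchost.exe"},
]

def demo():
    # The captured sample is caught; a copy differing by a single byte has a
    # new hash and is invisible to the signature, but the behavioral check
    # still fires on the unusual process chain.
    variant = KNOWN_SAMPLE + b"\x00"
    flagged = anomalous_events(EVENTS)
    return signature_match(KNOWN_SAMPLE), signature_match(variant), flagged

if __name__ == "__main__":
    caught, variant_caught, flagged = demo()
    print("known sample caught by signature:", caught)            # True
    print("altered variant caught by signature:", variant_caught) # False
    print("anomalous chains:", [(e["parent"], e["child"]) for e in flagged])
```

In practice the baseline would be learned per host or per role and the threshold tuned against false positives, but the point stands: the second check needs no prior knowledge of the specific attack.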
The question isn’t so much whether or not AV is dead. Rather, the question would seem to be whether detection and containment of malware can be done in a more effective way. I believe the answer to that question is yes.