Anti-virus under attack
The proliferation of increasingly sophisticated malware attacks has put the effectiveness of the AV industry under the microscope, writes Doug Woodburn
The advent of new "weaponised" malware is prompting security VARs and consultancies to overhaul the technologies they carry.
According to detractors, anti-virus (AV) software and other point security products such as firewalls and intrusion detection systems (IDS) are yesterday's men. Flame - the latest nasty strain of malware to strike - is cited as evidence of this, having evaded detection by 43 anti-virus tools.
Ross Brewer, managing director of security information and event management (SIEM) vendor LogRhythm, is among those to argue that the standard defences are no longer fit for purpose.
"Because of the changes in the threat landscape, organisations recognise that the point technologies in which they have invested a huge amount of money are ineffective," he said. "It is not hard for hackers to break through and cause havoc and they need to rethink their strategy and move from a perimeter-based protective stance to a detective stance."
Mikko Hypponen, founder of AV outfit F-Secure, wrote earlier this month: "Flame was a failure for the anti-virus industry. We really should have been able to do better, but we didn't. We were out of our league, in our own game."
Discovered on 28 May, Flame is just the latest in a growing line of virulent malware that is evading traditional defences and causing VARs to evaluate their portfolios.
The virus, which is thought to have been developed by the US and Israel to steal Iranian state secrets, can record audio, screenshots, keyboard activity and network traffic.
Despite having been designed for cyberespionage purposes and initially infecting just 1,000 machines based mainly in Iran, Flame poses a potential threat to UK enterprises, said Dave Rawle, chief technology officer of security VAR Security Partnerships.
"Flame was created by the Israeli government to determine if Iran had developed nuclear weapons," he said. "The problem is that Pandora's box has been opened. Who is to stop it being used in the same way as the RSA attack?
"It is a warning about the technologies people should have in place in 18 months - end users do not want to have to worry about the great-grandson of Flame."
Rob Swainson, sales director of security VAR Blue Cube, said his firm had added several vendors to its portfolio in response to the shifting threat landscape. He agreed that it is time for the security channel to change tack.
"AV vendors still have a job to do but some of these modern attacks are clearly evading them, so there needs to be a change in approach," he added.
Vendors tackling advanced persistent threats (APTs) and advanced evasion techniques, such as FireEye, are likely to come to the fore, Swainson said. White-listing technology from the likes of Lumension, which allows end users to control application authorisation and use on their security end points, will also gain traction, according to David Hobson, managing director of MTI-owned security integrator GSS.
The Flame attack centred on some forged digital certificates from Microsoft. Although the firm has since issued a patch in an effort to slam the door on the attackers, Flame highlights a wider need for certificate management solutions, added Swainson.
"Traditional security tools have their place and it is important not to throw the baby out with the bathwater," he said. "But there is a need for newer technologies such as FireEye and [RSA-owned] NetWitness, as well as Venafi, from a certificate management perspective."
The new wave of threats also throws into relief the need for more joined-up solutions to give end users a holistic view of their world, said Swainson. "Whereas it used to be quite closed, there is now a lot of talk about collaboration and sharing of APIs between the security vendors," he said. "This can then be correlated into SIEM solutions to get a broader view of what is happening."
Brewer at LogRhythm agreed, arguing that the biggest problem end users and resellers face today is one of information overload.
"The problem with firewalls and AV is they are single vectors and you need to look at it on a multi-vector basis. They tell you a lot of good stuff but the problem is to work out what is relevant. That is the biggest challenge customers and partners face today."
He said this dynamic will play into the hands of his firm, whose technology brings together that disparate information to decide whether or not it is just "noise" or something against which action must be taken.
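As an added illustration of the multi-vector correlation Brewer describes, the script below joins constructed firewall, anti-virus and IDS log lines on a host name and flags any host where two or more independent sources fire within a short window. It is example code written for this page, not LogRhythm's or any vendor's product; the log formats, host names, IP-to-asset mapping and ten-minute window are all assumptions.

```python
"""Multi-vector correlation of security events (added example, not vendor code).

Events from three constructed log sources are normalised to a common shape
(timestamp, host, source, detail), grouped by host, and a host is reported
only when distinct sources fire within one time window. A single firewall
deny or a lone AV quarantine is treated as "noise"; several vectors agreeing
on the same host within minutes is treated as actionable.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines; formats are assumptions for this example.
FIREWALL_LOG = """\
2012-06-01T10:00:05 fw01 DENY src=10.0.0.7 dst=203.0.113.9 dport=443
2012-06-01T10:00:09 fw01 ALLOW src=10.0.0.7 dst=203.0.113.9 dport=443
2012-06-01T10:20:00 fw01 ALLOW src=10.0.0.21 dst=198.51.100.4 dport=80
"""
AV_LOG = """\
2012-06-01T10:01:30 host=ws-007 action=quarantined threat=Generic.Trojan
2012-06-01T11:30:00 host=ws-021 action=clean threat=none
"""
IDS_LOG = """\
2012-06-01T10:02:10 ids01 ALERT sid=1000001 msg="Suspicious TLS beacon" src=10.0.0.7
2012-06-01T14:00:00 ids01 ALERT sid=1000002 msg="Port scan" src=10.0.0.50
"""

# Constructed asset inventory: lets network-level events (keyed by IP) be
# joined with endpoint events (keyed by host name).
ASSETS = {"10.0.0.7": "ws-007", "10.0.0.21": "ws-021", "10.0.0.50": "ws-050"}
TS_FORMAT = "%Y-%m-%dT%H:%M:%S"


def _event(ts, host, source, detail):
    return {"ts": datetime.strptime(ts, TS_FORMAT), "host": host,
            "source": source, "detail": detail}


def parse_firewall(text):
    events = []
    for line in text.splitlines():
        m = re.match(r"(\S+) \S+ (DENY|ALLOW) src=(\S+) dst=(\S+)", line)
        if m:
            ts, action, src, dst = m.groups()
            events.append(_event(ts, ASSETS.get(src, src), "firewall", f"{action} to {dst}"))
    return events


def parse_av(text):
    events = []
    for line in text.splitlines():
        m = re.match(r"(\S+) host=(\S+) action=(\S+) threat=(\S+)", line)
        if m and m.group(3) != "clean":  # a clean scan result is not a signal
            ts, host, action, threat = m.groups()
            events.append(_event(ts, host, "av", f"{action} {threat}"))
    return events


def parse_ids(text):
    events = []
    for line in text.splitlines():
        m = re.match(r'(\S+) \S+ ALERT sid=(\d+) msg="([^"]*)" src=(\S+)', line)
        if m:
            ts, sid, msg, src = m.groups()
            events.append(_event(ts, ASSETS.get(src, src), "ids", f"sid {sid}: {msg}"))
    return events


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Return {host: sorted list of sources} for hosts where at least
    `min_sources` distinct sources fired within any `window`-long span."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, anchor in enumerate(evs):
            # Every event from the anchor forward that falls inside the window.
            cluster = [e for e in evs[i:] if e["ts"] - anchor["ts"] <= window]
            sources = {e["source"] for e in cluster}
            if len(sources) >= min_sources:
                findings[host] = sorted(sources)
                break
    return findings


def run():
    events = parse_firewall(FIREWALL_LOG) + parse_av(AV_LOG) + parse_ids(IDS_LOG)
    return correlate(events)


if __name__ == "__main__":
    for host, sources in run().items():
        print(f"{host}: corroborated by {', '.join(sources)}")
```

With the constructed data only ws-007 is reported, because the firewall, AV and IDS all fire on it within about two minutes; ws-021 and ws-050 each produce a single-source event and are left as noise. In a real deployment the asset mapping, the window and the minimum number of agreeing sources are the tuning knobs that decide how much of the "good stuff" the point products report ever reaches an analyst.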
He claimed resellers could push SIEM-as-a-service to SMBs without the resources to deploy it onsite.
"As long as you are better than your neighbour, you will be OK," he said. "The problem is that the neighbours are banks that are better at vulnerability management. You do not want to be the weak link or else the hacker will jump through your window and start defacing your walls. SMBs have the same problem as anyone else and are looking for that same level of service."
AV vendors hit back
Although anti-virus sales are still growing nicely, the market for standalone AV is effectively dead, according to one of the largest operators in the market.
Rik Ferguson, director of security research and communications EMEA at AV pioneer Trend Micro, said: "AV did not die with Flame, it died a long time ago. Any company that is doing standalone AV is not offering their customers anything more than baseline protection."
Ferguson said the market has long since moved to a layered security approach, but argued that many still misunderstand what that constitutes. The traditional AV vendors have evolved beyond their roots and can now provide a total end-point security solution, he said.
"There is a lot to be said for layering best-of-breed solutions on top of each other, but some people do not realise that layered security also exists in the security products of single manufacturers. You have to realise you will not get protection from every attack and accept that compromises will happen. It is about getting actionable intelligence as fast as possible to neutralise and contain it."
According to market watcher Canalys, AV will account for more than a tenth (11.3 per cent) of an enterprise security market set to be worth $22.9bn this year, and will grow at 6.8 per cent.
Yuval Ben-Itzhak, chief technology officer at AV vendor AVG, argued that AV's demise has been over-egged.
"I have been in security for 18 years and have been hearing claims that AV is dying for 13 years. It always comes when another piece of malware reaches the headlines and it is not detected. But if you went to the doctor and they did not recognise something, you would still go again.
"AV is not at an end, and is actually becoming more sophisticated. We are continually adding new security layers and improving the engines we have in our products to provide the best protection."
Hobson at GSS said AV is still needed to cover the old threats. "The issue with most malware is that it exploits known issues and people are still not patching properly. The Anna Kournikova virus will still infect you if your system is unpatched and AV is still needed to cover the old threats."