Sandboxing not the answer

Organisations should not try to rely on anti-virus, but what is the alternative? Chris Dye outlines some issues

The news that anti-virus is dead shouldn't have surprised anyone, even if it came as a surprise to businesses that have been shovelling money into anti-virus for decades, often on the advice of their technology consultants. The question is what's next.

That reliance is just cover for an immature industry still wedded to reactive forms of IT defence. There has been no shortage of threat intelligence reports showing just how ineffective anti-virus is: it can work against known threats but is largely useless at identifying and stopping new ones.

With entire business models built on that approach, there is a possibility that products based on signatures and white-listing will just be rebadged.

Yet we can expect customers to demand an alternative.

While we have been relying on anti-virus to keep the bad guys out of files and documents, scant regard has been paid to ensuring that the underlying structure and content of those documents are safe, secure and trustworthy.

For example, products are available that offer deeper inspection of every file coming into or leaving the organisation, and of files in storage, and sanitise them so that the files can be trusted every time.

I'm not talking about sandboxing. While everyday files such as PDFs, MS Office docs and images are a primary threat vector for zero-day attacks and advanced persistent threats (APTs), slowing down file collaboration is something that few business users would welcome, whatever the security imperative.

But this is exactly what happens when organisations adopt sandboxing as part of their information security processes.

Isolating and inspecting files, moving and quarantining them, all takes time. It takes time to confirm that a file has executed, to fix it or decide that it was fine, and to release it once the process is complete.

This is perhaps why most organisations choose not to run sandboxing applications in-line, making them less of a proactive detection engine and more of an after-the-fact incident response measure or forensics tool.

The result is that sandboxing is not helping organisations tackle APTs and zero-day attacks.

Anti-virus is dead and sandboxing sub-optimal. Trying to keep pace with what the bad guys are doing is not only expensive and hard to predict, it is ultimately futile.

Rather than waiting until they can defend themselves against known threats, more organisations are seeking to define what "good" looks like for their business files and infrastructure.

With real-time visibility of threats, organisations can perhaps get back in control.

Chris Dye is vice president of strategic alliances at Glasswall Solutions