Last week’s article in the New York Times highlights an issue most IT and ICS professionals have known for a while: Anti-Virus sucks. Anti-Virus rarely works against new threats, its detection mechanisms can be easily fooled, and as this paper by Feng Xue from Blackhat 2008 illustrates, Anti-Virus programs can even be used as virus transmission vectors.

The concept of ‘Anti-Virus’, a tool that systematically prevents, detects, and eradicates all computer-based viruses, is no longer valid. What we have instead is a reasonable risk reduction from known threats, and the capability to respond to new threats in a manageable, standard, and timely manner.

So what should an Anti-Virus company focus on now as their key deliverable to customers?

There are going to be a lot of answers to that question. I’m starting down the track that Anti-Virus companies should think more about incident response than about ineffective signatures. How quickly can they respond when there is suspicious activity on a network, and how swiftly can they analyze the threat and come up with an effective response?

I’m not saying replace anti-virus. On the contrary, AV has a good place in security simply because it is automated protection against well-known conditions. Without it, the security folks would be swamped in ordinary mass-market virus infections, and might miss important signals of a more advanced compromise.

The combination of imperfect prevention and effective response is the route that electricity providers have taken in power operations. For instance, transmission protection is handled by protective relays that watch for electrical conditions known or predicted to cause failure. But transmission engineers also have a contingent of smart people, capable of analyzing electrical conditions and responding to unforeseen electrical events.

Maybe this is the future of AV, maybe it isn’t. But I find it fun to think about on stressful afternoons before S4.
