Google Security Guru Labels Antivirus Apps As Ineffective ‘Magic’
Google’s Platform Integrity team manager Darren Bilby preached cyber-security heresy at the recent Kiwicon hacking conference in Wellington, New Zealand. Tasked with investigation of highly sophisticated attacks, including the 2009 Operation Aurora campaign, Bilby lumped enterprise antivirus into a collection of ineffective tools installed to tick a compliance check box, but at the expense of real security:
We need to stop investing in those things we have shown do not work. … Antivirus does some useful things, but in reality, it is more like a canary in the coal mine. It is worse than that. It’s like we are standing around the dead canary saying ‘Thank god it inhaled all the poisonous gas.
Google security gurus aren’t the first to weigh in against enterprise antivirus, or to draw unflattering analogies, in this case to a dead canary. Another highly skilled security team, FireEye Mandiant, likened static defenses such as enterprise antivirus to that notoriously failed World War II defense, the Maginot Line:
Like the Maginot Line, today’s cyber defenses are fast becoming a relic in today’s threat landscape. Organizations spend billions of dollars every year on IT security. But attackers are easily outflanking these defenses with clever, fast-moving attacks.
An example of this was given by a Cisco managed security services executive speaking at a conference in Poland. Their team had spotted anomalous activity on one of their enterprise client’s networks, and reported the suspected server compromise to the client. To the Cisco team’s amazement, the client simply ran an antivirus scan on the server, found no detections, and placed it back into service. Horrified, the Cisco team conferenced in the client to their monitoring console and was able to show the attacker conducting a live remote session at that very moment, complete with typing errors and reissue of commands to the compromised server. Finally convinced, the client took the server down and fully re-imaged it—the enterprise antivirus had been a futile distraction—it had not served the client and it had not deterred the attacker.
So Is It Time to Ditch Enterprise Antivirus Already?
I am not yet ready to declare an end to the age of enterprise antivirus. But I know that companies need to invest in detection and response capabilities to complement traditional antivirus. But increasingly I wonder who is complementing whom. Skilled targeted attackers will always successfully evade antivirus defenses, so against your greatest cyber threats, enterprise antivirus is essentially useless. As Darren Bilby stated, it does do some useful things, but it does not provide the endpoint defense you need. So, don’t let it distract you from the highest priority cyber-security investments, and don’t let it distract you from security measures that do fundamentally help.
Proven cyber defense measures include:
- Configuration hardening of networks and endpoints
- Identity management with strong authentication
- Application controls
- Continuous network and endpoint monitoring, constant vigilance
- Strong encryption and data security
- Staff education and training
- Continual threat re-assessment, penetration testing, red/blue teaming
In contrast to Bilby’s criticism of enterprise antivirus, none of the above bullets are ‘magic’. They are simply the ongoing hard work of adequate enterprise cyber-security.