Why Enterprise Anti-Virus Isn’t Working

by Al Hartmann

April 9, 2019


Most headline-grabbing enterprise cyber attacks repeat the same sad story:

  • Enterprise anti-virus products were deployed across the endpoint population, the most targeted asset class in the enterprise
  • The anti-virus products did not prevent the attack or sound the alarm
  • Attackers prowled across the victim cyber landscape undetected for weeks or months or even years

Can we answer why?

Industry Studies Document the Failure of Enterprise AV

First let’s examine the evidence and scope the problem. Malwarebytes published its real-world findings from ten million scanned endpoints in an Oct. 2017 report, Mapping traditional AV detection failures. Its introductory paragraph gives voice to the many doubts surfacing in the industry:

Comparative efficacy testing of anti-virus (AV) has become increasingly popular as a multitude of solutions, based on the same core technologies, have flooded the market. Those that perform well under these parameters tout the results as a stamp of approval. However, the true value of these tests is yet to be determined, as malware in the wild behaves in a manner significantly different from laboratory samples—even recently captured samples apprehended in security honeypots.

We won’t reproduce the many statistics cited in their report, but repeat a few conclusions here:

  • In real-world deployments, traditional AV solutions fail to protect against even the most common forms of malware encountered in the wild.
  • Endpoints with multiple traditional AV solutions installed performed only marginally better than those with a single traditional AV installed, displaying consistent weaknesses against the most common forms of cyberattacks.
  • Even the four leading traditional AV solutions perform poorly in the real world, with consistent weaknesses against common ransomware, botnets, and Trojans.

The disenchantment with entrenched anti-virus products is readily revealed by a simple Google search. Ars Technica reported in a heretical piece titled “It might be time to stop using anti-virus” that browser developers, including those working on Firefox and Chrome, had serious concerns about anti-virus products and in fact found them counterproductive to improving browser security. The article notes that Google’s Project Zero found high-severity vulnerabilities in a leading anti-virus product, raising the concern that AV’s invasive instrumentation, running at elevated privilege, expands the attack surface rather than shrinking it. In the final cost/benefit analysis the security value of enterprise anti-virus must justify its procurement, deployment, and operation. That value proposition has increasingly come under fire.

Enterprise AV Threat Model Has Been Broken for Some Time

The name itself, anti-virus, betrays the inadequacy of the enterprise AV threat model. The computer virus, infectious malware that proliferates unchecked across endpoint populations, hardly captures the modern panoply of cyberthreats. The somewhat broader term, anti-malware, is likewise inadequate, since targeted attacks need not employ malware at all; they may be fileless, memory-resident, or living-off-the-land attacks that leave no malware artifact on disk for a scanner to find.

With this anti-malware mindset, early AV architectures relied upon signatures: byte patterns or hash values that identify one specific known sample. This worked well initially, when computer viruses spread by floppy disk, variants were few, and mutation rates were low. But signature detection broke down as attackers upped their game: malware variants proliferated, packers and crypters concealed payloads (sometimes steganographically, inside innocuous-looking files), polymorphic and metamorphic strains appeared, and dark-net crypting services offered FUD (fully undetectable) obfuscation of attack code on demand.
This dealt a double whammy to the traditional anti-virus architecture:
(1) malware became highly resistant to signature and artifact characterization, and
(2) skilled operators moved beyond malware altogether for targeted attacks.

The AV industry responded to this growing product deficiency and plunging efficacy rates by promoting its new and improved next-generation anti-virus (NGAV). NGAV architectures vary by vendor, but generally incorporate behavioral analysis, cloud-based delivery, machine learning and artificial intelligence, and more automated response. These NGAV products have been around for years now, yet real-world results such as the study above still show endpoints falling to both common and advanced threats.

Not just the threat model itself, but the underlying model assumptions contribute to the failure of the AV/NGAV industry. The industry model has been based on the implicit assumptions that:

a) threats are largely preventable (i.e. negligible false negatives),
b) these preventions can be delivered automatically, without user or security staff engagement (i.e. entirely autonomously), and
c) prudent prevention actions will not backfire (i.e. negligible false positives or operational inconvenience).

Those three assumptions are necessary claims for touting these products to the consumer market, where many of these players also compete, but they are as false there as in the enterprise space. None of them holds against real targeted threats by skilled adversaries in global cyberspace. And as the studies indicate, these presumptions often fail against even garden-variety maladies and pedestrian opponents.

Compromise Is Inevitable, Defense Collapse Should Not Be

Enterprise AV has been a struggling paradigm for some time now, with waning technological adequacy and declining threat relevance, and must be substantially reimagined, not just replaced if it is to retain its role in a strong cyber defense.

It does not matter how formidable your cyber defenses are, they will be breached. Indeed, any sufficiently large enterprise probably is breached already, in a continual state of partial compromise. For example, the National Security Agency (NSA) represents the pinnacle of cyber expertise and security consciousness. Yet Edward Snowden exfiltrated more than a million classified NSA documents. Not to be outdone, another NSA contractor, Harold Martin, exfiltrated some 50 terabytes of classified information from NSA and went undetected for roughly two decades. Compromise is inevitable—there will never be perfect users or impregnable sites, systems, and networks—but abject, complete, and utter pwnage is not the inescapable consequence.

Well-architected defenses and disciplined cyber defense teams can display dynamic resilience to the transient penetrations and tactical frictions of continuous cyberspace conflict. Defense will never be perfect, but it can be effective. Risk assessment, defense appraisal, strategic adaptation, and tactical refinement will be repetitive and ceaseless for defenders, because attackers relentlessly evolve their ploys, tools, and stratagems. Your enterprise is on the target list of a growing number of state sponsors, criminal syndicates, and insider opportunists. Enterprise AV must be substantially reimagined, not merely replaced, if it is to keep a role in that defense; otherwise it will be relegated to legacy status, ensconced in a nice display case at the computer history museum alongside floppy disk viruses. Time for a new deal.

To learn more about how Ziften can help, read Ziften: Cloud and Enterprise Endpoint Security Software.