- Apr 5, 2014
- 6,002
More and more, the question being asked about endpoint protection and anti-virus isn’t “Who should we use?” but, rather, “Do we even need anti-virus anymore?”
Traditional anti-virus refers to those anti-virus-focused clients that used to be commonplace, like Norton and McAfee. While that method of protection worked in the past, the efficacy of it is starting to decrease, and that’s why some new vendors are arguing that, overall, anti-virus is dead.
The Anti-Virus Past
Traditional anti-virus safeguards from known viruses and known malware. From a process level, every anti-virus has a unique signature or fingerprint. If you run a piece of malware or a virus through a cryptographic hashing process, it generates a new fingerprint, and the anti-virus software keeps a database of all of those fingerprints. If it sees something like a Zeus or any other virus, it says “I know what you are” and it blocks it. The problem is that each and every very time you change a virus’s source code, even by one character, it generates a new hash or cryptographic signature, which has to be updated and distributed to the endpoints.
So, now it has to store 1,000 fingerprints, then 10,000 fingerprints, then 100,000 fingerprints … As a result, that database on your local machine gets bigger and bigger and bigger. So where the original anti-virus client may have been just 10 megabytes, now it’s 100 megabytes, and it constantly has to update that database signature.
All of this is even more difficult now, not only because there are hundreds of thousands of database signatures, but also because there are polymorphic viruses that change their own code. It’s just an arms race between the virus and the anti-virus. We beat them, they beat us--it goes back and forth.
A Two-Fold Problem
Anti-virus manufacturers made good strides in offloading the databases and storing most of the signatures up in the cloud. The anti-virus would identify something suspicious, search the Internet, then come back and say whether or not it was a threat. That, however, is processor-intensive and memory-intensive, and it takes time, even with the speed of the Internet.
The problem doesn’t stop there. Because of the growing sizes of anti-virus programs, the impact on endpoint security is becoming bigger and bigger. If you look at some of the usual suspects, a lot of times the cure is worse than the disease: Your anti-virus is so big that your machine does nothing but constantly scan files for anti-virus.
What Now?
The shift is now to next-generation endpoints. There are really a finite number of ways (around 13 to 15) to compromise a Windows machine. However, there are n number of variables on those vectors. So, what “next-generation endpoint” manufacturers are doing is watching the behavior of software. If the software only has to watch for a smaller number of different processes and behaviors, then that’s much more efficient--it doesn’t have to scan every file, just track that behavior. As a result, if it can block one of those attack vectors, it can shut the whole problem down in advance.
Is Anti-Virus Dead?
Today, there are some manufacturers that will tell you that anti-virus is dead. While traditional anti-virus may not quite be dead, some would say the funeral isn’t far off. The next-generation endpoint security market is a fast growing one, and there are tons of services attached to it for customers and partners who want to get into it.
Where this really comes into play is with virtualization. Traditional anti-virus on virtual machines tends to be very problematic due to limiting factors such as disk contention, memory overhead and CPU bottlenecks.
Since Windows machines are used by 90% of the world, they’re the biggest target. However, mobile phones, other mobile devices and Macs are becoming more and more prevalent. Everybody has a mobile device, and they’re too small to run full anti-virus on, so we’re seeing a lot of small malware. This is where next-gen endpoint will really come into its own in the near future. Partners who are educated about, and able to deliver solutions around, next-gen endpoint will be ahead of the curve.
With the combination of malware analytics, application visibility firewalls, SSL decryption, security analytics suites and cloud access service brokers (CASBs) coming more into play, we can actually start watching who’s doing what, where they’re going, should they be talking to this, should they be talking to that … As we keep saying, it’s defense in depth--you can’t rely on any one thing. So, as cool as malware analytics and the new malware pieces are, they are still part of an overall security strategy that needs to be developed.
Traditional anti-virus refers to those anti-virus-focused clients that used to be commonplace, like Norton and McAfee. While that method of protection worked in the past, the efficacy of it is starting to decrease, and that’s why some new vendors are arguing that, overall, anti-virus is dead.
The Anti-Virus Past
Traditional anti-virus safeguards from known viruses and known malware. From a process level, every anti-virus has a unique signature or fingerprint. If you run a piece of malware or a virus through a cryptographic hashing process, it generates a new fingerprint, and the anti-virus software keeps a database of all of those fingerprints. If it sees something like a Zeus or any other virus, it says “I know what you are” and it blocks it. The problem is that each and every very time you change a virus’s source code, even by one character, it generates a new hash or cryptographic signature, which has to be updated and distributed to the endpoints.
So, now it has to store 1,000 fingerprints, then 10,000 fingerprints, then 100,000 fingerprints … As a result, that database on your local machine gets bigger and bigger and bigger. So where the original anti-virus client may have been just 10 megabytes, now it’s 100 megabytes, and it constantly has to update that database signature.
All of this is even more difficult now, not only because there are hundreds of thousands of database signatures, but also because there are polymorphic viruses that change their own code. It’s just an arms race between the virus and the anti-virus. We beat them, they beat us--it goes back and forth.
A Two-Fold Problem
Anti-virus manufacturers made good strides in offloading the databases and storing most of the signatures up in the cloud. The anti-virus would identify something suspicious, search the Internet, then come back and say whether or not it was a threat. That, however, is processor-intensive and memory-intensive, and it takes time, even with the speed of the Internet.
The problem doesn’t stop there. Because of the growing sizes of anti-virus programs, the impact on endpoint security is becoming bigger and bigger. If you look at some of the usual suspects, a lot of times the cure is worse than the disease: Your anti-virus is so big that your machine does nothing but constantly scan files for anti-virus.
What Now?
The shift is now to next-generation endpoints. There are really a finite number of ways (around 13 to 15) to compromise a Windows machine. However, there are n number of variables on those vectors. So, what “next-generation endpoint” manufacturers are doing is watching the behavior of software. If the software only has to watch for a smaller number of different processes and behaviors, then that’s much more efficient--it doesn’t have to scan every file, just track that behavior. As a result, if it can block one of those attack vectors, it can shut the whole problem down in advance.
Is Anti-Virus Dead?
Today, there are some manufacturers that will tell you that anti-virus is dead. While traditional anti-virus may not quite be dead, some would say the funeral isn’t far off. The next-generation endpoint security market is a fast growing one, and there are tons of services attached to it for customers and partners who want to get into it.
Where this really comes into play is with virtualization. Traditional anti-virus on virtual machines tends to be very problematic due to limiting factors such as disk contention, memory overhead and CPU bottlenecks.
Since Windows machines are used by 90% of the world, they’re the biggest target. However, mobile phones, other mobile devices and Macs are becoming more and more prevalent. Everybody has a mobile device, and they’re too small to run full anti-virus on, so we’re seeing a lot of small malware. This is where next-gen endpoint will really come into its own in the near future. Partners who are educated about, and able to deliver solutions around, next-gen endpoint will be ahead of the curve.
With the combination of malware analytics, application visibility firewalls, SSL decryption, security analytics suites and cloud access service brokers (CASBs) coming more into play, we can actually start watching who’s doing what, where they’re going, should they be talking to this, should they be talking to that … As we keep saying, it’s defense in depth--you can’t rely on any one thing. So, as cool as malware analytics and the new malware pieces are, they are still part of an overall security strategy that needs to be developed.
