The threat landscape is changing, AV fails to adjust
A recent testing conducted by NSS Labs presented us with some deplorable results: of the seven antivirus products tested two weeks after the IE bug used for breaching Google was revealed, only McAfee stopped both the original attack AND a new variant. The results are even sadder when you know that AVG’s solution hasn’t managed to block even the original attack code.
Since the publication of the report, AVG has defended its product by saying that the testing methodology used by the lab was flawed and that it does detect the original attack, but has made no such claims regarding the variant.
These results have once again put the spotlight on the assertion that can be heard here and there from various security experts: anti-virus products are patently inadequate, and even IDS and Web proxies that scan content are not enough to protect a network from advanced persistent threats.
It takes just one exploitable vulnerability, and the criminals are in. They can then plant malicious software and proceed with stealing information and/or data.
“The security industry’s going to have to think about selling solutions that actually work with this type of environment,” said Alex Stamos with Isec Partners. “Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer.”
According to InfoWorld, NSS President Rick Moy is of the opinion that antivirus companies “should be implementing more vulnerability-based detection. There’s a little too much focus on the malware payload.”
Most people agree that new systems for detecting malware are needed. White-listing, cloud-based security, and other new approaches might or might not do the trick, but additional efforts will have to be made by operating system and client software vendors – they will have to start writing more secure code.
But there is another need that should not be swept under the carpet any longer: companies must take responsibility, invest into employee education, stop making compliance the top priority and leave the security teams to go back to their true work and start thinking of ways to detect and respond to these new intrusions – and do it fast.
The fact of the matter is that to respond to a threat presented by motivated, resourceful human attackers, enterprises will have to employ equally motivated and resourceful human defenders. No matter how fast and advanced technology is, the human mind is still the most versatile and creative processor there is.