EY GISS

Why Your Antivirus is Not Enough Anymore

By: Scott Robertson, Vice President, Asia Pacific at WatchGuard Technologies

For years, you’ve probably been told that you need antivirus to protect your computer. However, with newer and more malicious security threats emerging every day, you may need to rethink your approach to managing security. The new breeds of malware are more advanced and resistant to conventional defenses, and attackers have gotten smarter over time. Therefore, your antivirus software alone may not be enough to combat such malware. Security controls need to evolve just as targeted threats have.

Malware authors have started using evasive techniques to ensure that their programs are not easily detected. More importantly, they often leverage zero-day vulnerabilities – flaws for which no patch is available yet and no signature has been written. Modern malware is often ‘persistent’ and designed to stick around in the network for as long as possible. These new strains of advanced malware are often referred to as Advanced Persistent Threats (APTs). To deal with such advanced threats, you need to deploy more advanced mechanisms.

Is Anti-Virus Losing its Value?

Recent incidents have shown how attackers have found ways to sidestep traditional antivirus technologies to carry out security breaches and steal data. The security breaches suffered by the New York Times and US retailer Target demonstrate the enormous impact such breaches can have. Soon after the attack, Target suffered a 50% loss in sales, the stock price plummeted and many shoppers vowed never to shop at the store again.

Next-generation malware is stealthy and persistent, and has the capability to conceal itself within enterprise network traffic. It uses techniques such as encrypted communication channels, kernel-level rootkits, and sophisticated evasion capabilities to get past a network’s defenses. This is almost like an arms race: whenever defenders introduce new detection techniques, attackers look for new ways to bypass them.

The traditional antivirus approach, which is used to prevent, detect and remove or disarm malicious computer programs and malware threats, can only protect against the bad software that we already know exists. Engineers and code writers are deployed by security companies to regularly analyze infected files and release patches or updates to deal with new threats as they emerge. But essentially, antivirus is a reactive technology, i.e., it only alerts you to something that is already on your computer, once it has been discovered. This approach may work well against known viruses, but may not be reliable for dealing with newly released viruses.

Dealing with Advanced Threats

Organizations that are serious about protecting data, intellectual property and reputation must look for multi-layered security solutions with advanced capabilities to deal with the advanced persistent threats (APTs) that are emerging on the security landscape. Any company that relies only on antivirus to secure its endpoints could be exposing itself to huge risk.

An effective security strategy must include defense in depth and detection capability, an APT incident response plan and a recovery strategy. Security solutions have to be more proactive in detecting any suspicious piece of code that enters the network and must provide the IT team with clear, actionable information. Effective tools have to be deployed to monitor and analyze all files and spot any evasion techniques used by malware. You need to adopt a comprehensive approach such as UTM (Unified Threat Management) with the capability to get the deepest level of visibility into malware behavior.

While antivirus and intrusion prevention are still a necessary part of any company’s defense, they need to be supplemented with new advanced detection capabilities including:

Sandbox in the cloud with full system emulation, with the ability to analyze multiple file types.

The ability to go beyond the sandbox to detect different forms of advanced evasions.

Visibility so that your network operations staff and IT team get clear alerts of all detected malware and explanations of why each file is considered malicious.

Not just detection, but the ability to proactively take action and block bad files.

Security solutions need to continuously evolve to stay ahead of new threats. Enterprises must look for providers that offer advanced capabilities for proactively detecting and blocking APTs before they can cause any damage.