Anti-virus is an oft-maligned tool in infosec. It clearly mitigates some risks. It also clearly misses many risks. But the discussion often misses some important questions: What is AV? What role should it play in our infosec posture? How do we measure if it is doing its role?
Originally, anti-virus was a set of simple signatures used to detect viruses. Now, as Kurt Wismer points out in his blog (debating AV effectiveness with security experts), the term AV is used to describe multiple different types of technologies. There are signatures, heuristics, and, more recently, a pseudo-white-list system. AV detects anomalies. AV detects malware. AV prevents malware execution. AV prevents non-executed malware from spreading. AV maintains a baseline of the system. AV may address viruses, worms, rootkits, botnet clients, phishing scams, adware, or any combination. It may monitor the network, the file system, and/or specific services such as HTTP or email. AV has become a catch-all, describing almost any host-based technology. Because it is ingrained even in non-infosec minds that AV is necessary, everything is now AV.
However, this ubiquity prevents AV from being effectively incorporated into an overarching infosec strategy. How can we possibly hope to use AV to do a specific job when it could potentially be doing so many jobs? I've blogged previously (The Chicken and the Pig - Three Security Genres) on the different roles in information security. AV straddles those responsibilities. AV could be an integral part of your detection. It could be part of your defensive prevention. It could be used to deal with phishing attacks, untargeted self-propagating malware, drive-by web attacks, or strict white-listing of all code run on hosts. It could be used simply to weed out general attacks, or as an attempt to stay abreast of the most modern, evolving attacks.
AV is not a catch-all. Just because the name covers multiple technologies does not mean that buying it covers you in so many different ways. So what is a company to do? Specific AV capabilities must be identified and targeted at specific company needs:
- Understand what assets you have to protect and what threats you face. You can take no action on your infosec posture without knowing this.
- Understand what technology is incorporated in the AV you have deployed (or are considering deploying). Understand in real terms what threats the AV is designed to address. What is it expected to detect? What is it expected to block? More importantly, what will it not detect and block?
- What other technologies or means do you have to address the gaps in your AV?
- Are the AV's capabilities redundant with capabilities you already have?
Measuring the effectiveness of AV is an area where research is needed. While there are ways to measure it, they are not particularly targeted at any specific capability of the AV, nor are they targeted at any specific threat actor (or asset to protect). As we start to understand and articulate the individual technologies and capabilities provided by AV, we can align them to threat actor types and provide effective measures which explain what type of return on investment can be expected from deploying a specific AV tool in a specific scenario to protect a specific asset from a specific threat. Also, these metrics should have their temporal properties measured as all attacks and defenses happen over time.
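One concrete way to make the measurement above specific and temporal, as an added example rather than anything from the original post: score an AV deployment per threat category (the "specific threat" the text calls for) and track how long it took to raise each detection. The script below is illustrative; it assumes two constructed inputs, a ground-truth list of malicious events that actually ran on a host and the AV's own detection log, and the category names, event ids and timestamps are all made up for the demonstration.

```python
"""Added example: scoring an AV deployment per threat category and over time.

Illustrative code written for this post, not the author's tool or any
vendor's API. It assumes two constructed data sets: ground truth about which
malicious samples ran on a host (and when), and the AV's detection log.
From those it reports, per threat category, the detection rate, the number
of misses, and the median delay between the event and the AV alert.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed ground truth: (event_id, threat category, time the sample first ran)
GROUND_TRUTH = [
    ("e1", "worm", "2024-01-01T10:00:00"),
    ("e2", "worm", "2024-01-01T10:05:00"),
    ("e3", "phishing", "2024-01-01T11:00:00"),
    ("e4", "phishing", "2024-01-01T11:30:00"),
    ("e5", "drive-by", "2024-01-01T12:00:00"),
    ("e6", "rootkit", "2024-01-01T13:00:00"),
]

# Constructed AV detection log: (event_id, time the AV raised an alert).
# e4 and e6 never appear here, i.e. the AV missed them entirely.
AV_LOG = [
    ("e1", "2024-01-01T10:00:30"),
    ("e2", "2024-01-01T10:20:00"),
    ("e3", "2024-01-01T11:00:05"),
    ("e5", "2024-01-01T12:45:00"),
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def score_av(ground_truth, av_log):
    """Return {category: {detection_rate, missed, median_delay_s}}."""
    detected_at = {eid: _parse(ts) for eid, ts in av_log}
    per_cat = defaultdict(lambda: {"total": 0, "detected": 0, "delays": []})
    for eid, cat, ts in ground_truth:
        bucket = per_cat[cat]
        bucket["total"] += 1
        if eid in detected_at:
            # An alert raised before execution (e.g. blocked on write) counts
            # as a zero-delay detection rather than a negative one.
            delay = max(0.0, (detected_at[eid] - _parse(ts)).total_seconds())
            bucket["detected"] += 1
            bucket["delays"].append(delay)
    report = {}
    for cat, b in per_cat.items():
        report[cat] = {
            "detection_rate": b["detected"] / b["total"],
            "missed": b["total"] - b["detected"],
            "median_delay_s": median(b["delays"]) if b["delays"] else None,
        }
    return report


def coverage_gaps(report, min_rate=0.9):
    """Categories whose detection rate falls below the threshold, sorted by name.

    These are the gaps that some other control (not this AV) must address.
    """
    return sorted(cat for cat, r in report.items() if r["detection_rate"] < min_rate)


if __name__ == "__main__":
    report = score_av(GROUND_TRUTH, AV_LOG)
    for cat, r in sorted(report.items()):
        print(f"{cat:10s} rate={r['detection_rate']:.2f} missed={r['missed']} "
              f"median_delay_s={r['median_delay_s']}")
    print("gaps:", coverage_gaps(report))
```

The per-category split is what turns a single vendor-wide "detection rate" into something that can be aligned with the threats you actually face, and the delay column captures the temporal property the paragraph asks for: a worm detected fifteen minutes after it starts spreading is a different outcome from one blocked on write, even though both count as "detected" in a plain hit rate.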
It's time for AV to evolve, not necessarily technologically, but in our consciousness. It can no longer be a generic catch-all for things that sit on hosts. Instead, the specific technologies and capabilities need to be promoted so that they can be applied as a clear part of an infosec posture rather than as a generic Band-Aid.