The European Network and Information Security Agency (ENISA) warned today that antivirus programs prevent only 30% of attacks and instructed companies to be more diligent about protecting themselves. “Antivirus only works in 30% of cases to prevent cyber attacks, so it is necessary for security and technology to go far beyond what has been done so far in the EU,” explained ENISA’s executive director. (Ironically, this hasn’t been covered by the English-language media yet. The article above was sent to me by a Spanish colleague.)
By contrast, in the US, rather than warning about the shortcomings of antivirus, the FBI warned of a "new" virus attack. Specifically, on 17 September, they cited a "new trend in which cyber criminal actors are using spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials." Of course, a different version of the same old attack is not really new.
Is ENISA’s directive part of a growing trend away from antivirus? It seems so. This snippet from a hacker forum highlights the fundamental problem with antivirus and the ease of evasion:
When Flame was made public, Mikko Hyppönen’s famous mea culpa was quoted repeatedly across the internet: “Flame was a failure for the antivirus industry. We really should have been able to do better. But we didn’t. We were out of our league, in our own game.” In just the last two weeks, two articles have appeared questioning the efficacy of antivirus. First, MIT’s Technology Review wrote, “The Antivirus Era Is Over.”
In his blog, Neil MacDonald asks, “Is Antivirus Obsolete?”
Both articles argue that you still need antivirus, but that by itself it is not enough. Fair enough: you want antivirus because its signatures protect you against the high volume of known malware. But what about the hardcore hackers who write new stuff daily? You need to take them into account when securing your systems. Hardcore hackers are not reusing exploits; they are finding their own and writing their own payloads. Consequently, they stay ahead of the antivirus industry until the hack is discovered and patched.
Some recommend expanding endpoint protection. That is not enough. With an industry built on evasion, modern data protection policies should be all about spotting aberrant behavior and whitelisting. A good policy for an organization is to monitor for unknown and unwanted behavior, but also to audit all activity for a period of time and review those audits against business events. Banks, for example, look at the audit trail of users who are on vacation, because there should be no activity from those accounts. In this way, you can keep complete control over access to your data.
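The bank example above, worked as an added detection check (my illustration, not code from the original post): cross-reference an audit log with the HR leave calendar and flag any activity by an account that should be idle. The log format, user names and dates are constructed for the example.

```python
"""Flag audit-log events from accounts that should be idle (on leave)."""
from datetime import date, datetime

# Constructed sample data: an HR leave calendar (inclusive date ranges)
# and a few audit-log lines in a simple key=value format.
LEAVE_CALENDAR = {
    "jdoe": (date(2012, 9, 17), date(2012, 9, 28)),
    "asmith": (date(2012, 10, 1), date(2012, 10, 5)),
}

AUDIT_LOG = """\
2012-09-18T08:02:11Z user=jdoe action=login src=10.1.4.22
2012-09-18T08:05:40Z user=jdoe action=read object=wire_transfers.db
2012-09-18T09:14:03Z user=bwong action=login src=10.1.4.31
2012-09-25T22:41:19Z user=jdoe action=export object=customer_pii.csv
2012-10-03T10:00:00Z user=asmith action=login src=10.1.4.40
2012-10-09T10:00:00Z user=asmith action=login src=10.1.4.40
"""


def parse_line(line):
    """Turn one audit line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def on_leave(user, when, calendar=LEAVE_CALENDAR):
    """True if the user is scheduled to be away on the given date."""
    span = calendar.get(user)
    return span is not None and span[0] <= when.date() <= span[1]


def find_anomalies(log_text, calendar=LEAVE_CALENDAR):
    """Return every event generated by an account that should be idle."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_line(line)
        if on_leave(event["user"], event["ts"], calendar):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_anomalies(AUDIT_LOG):
        print(f"{hit['ts']:%Y-%m-%d %H:%M} {hit['user']} {hit['action']}")
```

Activity by bwong is never flagged because that account has no scheduled absence; the same join works for any "business event" that predicts an account should be silent (termination date, maintenance window, shift schedule).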