This article in the New York Times puts very succinctly what many of us in the industry have been saying for several years:
The antivirus industry has a dirty little secret: its products are often not very good at stopping viruses.
Consumers and businesses spend billions of dollars every year on antivirus software. But these programs rarely, if ever, block freshly minted computer viruses, experts say, because the virus creators move too quickly. That is prompting start-ups and other companies to get creative about new approaches to computer security.…… The antivirus industry has grown as well, but experts say it is falling behind. By the time its products are able to block new viruses, it is often too late. The bad guys have already had their fun, siphoning out a company’s trade secrets, erasing data or emptying a consumer’s bank account.
A new study by Imperva, a data security firm in Redwood City, Calif., and students from the Technion-Israel Institute of Technology is the latest confirmation of this. Amichai Shulman, Imperva’s chief technology officer, and a group of researchers collected and analyzed 82 new computer viruses and put them up against more than 40 antivirus products, made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. They found that the initial detection rate was less than 5 percent.
Happy New Year! It’s time for some fresh thinking in security.
If you read the study you would know that this was an exceptionally poorly constructed test that used stupidly flawed techniques to arrive at a marketing conclusion. With zero days being less than .1% of the threats out there it, and an 82 sample set test using amateur hobbyist techniques for sample selection, the conclusions are unsupported. You can’t read the actual test and take Imperva seriously.
I’ve managed recovery for a few 0-day attacks. We had excellent AV product coverage, but it did no good. It’s an ‘academic’ argument as to how often these attacks happen, but it’s clear they do happen and when they do the impact is frightening.
The only one solution for o-day attacks against any infrastructure : human brain + experience = ethical hackers, recruited from gray hackers and converted to defence cyber space!
I don’t thing one can realistically hope to defend their enterprise environment (customer or employer) by recruiting ethical hackers, although I’m certainly not opposed to using smart ethical hackers to fight battles. These days I tend to think more along the lines of hardening platforms to reduce the need for signature-based updates. This approach has its challenges too, but its a good place to devote some careful planning.
Anyone have any thoughts about whitelisting solutions like Bit9?