In my last post I used a recent group test report by NSS Labs on anti-malware products to recap what I think are critical points in considering endpoint protection strategies. Today I want to make what may be to some a disruptive recommendation based on those points: It is time to take a hard look at your approach to antivirus software. Specifically, you need to take a hard look at what you are running and how much you are paying for it.
The evidence for this recommendation is everywhere. We are fast approaching 9 million signatures, yet the NSS Labs study found that cybercriminals have a 10% to 45% chance of getting past your AV with web malware and a 25% to 97% chance of compromising your machines using exploits. The AV vendors have seen the cracks in their offerings and have added all sorts of new wrinkles to their endpoint protection suites over time. Each new layer added some value, but because every layer still relied on some form of prior knowledge, the detection gap was never closed. The result is agents that carry too large a footprint and often noticeably degrade endpoint performance. As attacks continued to evolve, more layers, with their associated complexity and performance cost, were added.
Gartner Distinguished Analyst John Pescatore noted this in a blog post titled “Twelve Word Tuesday: More Layers of Flawed Shingles Leads to Roof Collapse, Not Fewer Leaks” which stated “Adding levels of ineffective security: really only spending (not defense) in depth.”
You must consider just how much you are paying for something that has demonstrated declining performance. Those extra layers likely cost you something, but I would suggest that a dollar spent is not resulting in a dollar of protection. The NSS Labs report suggests that with AV software you do not get what you pay for: Microsoft Security Essentials performed on par with or better than the other name brands. For those of you who do not know, Security Essentials is free.
I may be a dumb country boy, but I understand that free is a good price to pay when I can get the same value. I switched my personal machines to Security Essentials and have had stellar performance. I find it telling that Sophos just announced a free version of its AV software for the Mac. Economics would teach us that the relative scarcity of Mac AV products would allow Sophos to charge a premium, but instead it is charging nothing. I would argue that this is a good indicator of where the AV market is heading.
Before you run with the dumb country boy thing, I do understand that Security Essentials and the Sophos Mac offering are intended for home use and do not have the centralized management and reporting components needed for a large enterprise. However, as AV software continues its inexorable march toward commoditization, it seems foolish to burn sizable chunks of security budget on unnecessarily bloated AV suites. Market forces should dictate that large enterprises can get AV protection that meets foundational needs at a commodity price.
I offer two recommendations. First, put your AV on a diet. Peel off some of the extra layers that bog down the agent and affect user performance. Either push your current AV vendor to provide a streamlined, more efficient version, or consider an alternative vendor willing to provide the best coverage-to-price ratio you can negotiate. Treat AV as a commodity and pay accordingly; we have reached the point where good enough is good enough.
Second, heed all of the evidence that surrounds you, accept that attacks get through your shields, and move toward a tool that will detect those attacks. (Full disclosure: Triumfant falls under this category.) Such a tool provides the backstop you need to confidently shed the extra layers of your current AV offering while adding detection for zero-day attacks and advanced persistent threats.
This is not trading some layers for others, even if it appears so at first blush. Whether you keep your bloated AV or trim it down, the NSS Labs report and others like it all show that attacks are getting through, so you must make the mental jump toward embracing a detection tool regardless. The key is to leverage the protections offered by a detection solution and remove the AV layers that are delivering diminishing returns. Furthermore, a solution like Triumfant requires no prior knowledge (such as signatures) and therefore should have a much smaller, more efficient footprint on the endpoint. You get the protections you require with a reduced burden on the endpoint, and you start the inevitable process of reducing your reliance on signature-based shields.
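To make the signature-versus-no-prior-knowledge distinction concrete, here is a small added illustration in Python. It is not Triumfant's code or a description of its product; it simply contrasts a hash signature check, which misses a one-byte variant of a known sample, with a baseline comparison that flags any file added or changed on the endpoint without knowing anything about the attacker beforehand. The payload bytes, file names and directory layout are constructed for the example.

```python
import hashlib
import os
import tempfile

# Constructed sample: a "known bad" blob and a trivially mutated variant.
# Real malware is repacked or padded far more aggressively than this.
KNOWN_BAD = b"MZ\x90\x00 constructed fake payload: drop evil.dll"
VARIANT = KNOWN_BAD + b"\x00"  # one appended byte defeats an exact-hash signature

# The signature database only knows the original sample.
SIGNATURES = {hashlib.sha256(KNOWN_BAD).hexdigest()}


def signature_hit(data: bytes) -> bool:
    """Prior-knowledge detection: exact SHA-256 match against the signature set."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def snapshot(root: str) -> dict:
    """Baseline: map each file's path (relative to root) to its SHA-256."""
    state = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                digest = hashlib.sha256(f.read()).hexdigest()
            state[os.path.relpath(full, root).replace(os.sep, "/")] = digest
    return state


def diff_state(baseline: dict, current: dict) -> dict:
    """No-prior-knowledge detection: report every deviation from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline.keys() & current.keys()
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo() -> dict:
    """Run both detections over a constructed endpoint and return the verdicts."""
    with tempfile.TemporaryDirectory() as root:
        # Clean endpoint: one benign config file, then take the baseline.
        _write(root, "app/config.ini", b"[settings]\nupdates=on\n")
        baseline = snapshot(root)

        # Attacker drops the mutated payload and disables updates.
        _write(root, "app/svchost32.dll", VARIANT)
        _write(root, "app/config.ini", b"[settings]\nupdates=off\n")
        current = snapshot(root)

        return {
            "signature_catches_original": signature_hit(KNOWN_BAD),
            "signature_catches_variant": signature_hit(VARIANT),
            "baseline_diff": diff_state(baseline, current),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The signature check catches the original and misses the variant; the baseline diff reports the dropped file and the tampered config regardless of what the payload looks like. The caveat a practitioner will raise is the one the post itself implies: a baseline approach trades signature maintenance for noise management, so legitimate changes (patches, installs) have to be reconciled against the diff, and the baseline itself must be taken from a state you trust.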
Make no mistake: the AV vendors know this day is coming, and they will respond with a fusillade of FUD that will be epic in its scope and ferocity. That is because the AV market has been a cash cow that will not be ceded without a fight. But the evidence is real, and the problem gets worse by the day.
It is time to rethink your AV strategy and make some bold steps toward adapting your endpoint protections to the new realities of the attacks you face today.