By: Rob Cheng, PC Pitstop Founder/CEO
In May 2014, Symantec, the world’s leading antivirus maker, famously said that antivirus is dead. The following month, June 2014, the tech consulting giant Gartner echoed the sentiment, stating that it is impossible to develop a signature for an attack that nobody has seen before. Fast-forward two years, and ransomware is close to becoming a household word, attacking and anonymously extorting ransoms from consumers, businesses and government agencies alike. Is antivirus really dead?
Ransomware payments in 2015 reported to the FBI came to $24m. That number jumped to over $200m in the first quarter of 2016. The ransoms paid are like oxygen to a wildfire. As long as the ransoms paid continue to grow, so will ransomware threats with each iteration gaining in force and sophistication.
The antivirus industry began in the late 1980s as software to fix and clean up after a virus attack, a process frequently called remediation. Later, the industry added real-time protection to block threats from executing, creating a critical and essential layer of security. The real-time protection, however, relied on the same blacklist (also known as signatures) as the remediation. The unfortunate ramification of this architecture is that real-time protection can only prevent a virus that has previously been detected.
Ransomware encrypts endpoint and network files and, after completion, demands the ransom. Ransomware makes the remediation and blacklist approach of the security industry obsolete. However, ransomware does not make antivirus itself obsolete, only this outmoded architecture. Antivirus is not dead. In fact, it is needed now more than ever.
Ransomware is illegal and one of the most profitable businesses on earth. Other popular strains of malware are on the decline, as the cyber terrorists flock to their new goldmine. The current response from the security industry to this rising danger is to backup, detect, respond and pray. The emphasis is on prayer.
Our society is dependent on technology and computing. Ransomware is a threat to how our society functions. We cannot sit back and react to this threat. We must proactively thwart the ransomware threat, or one day it could destroy the technological fabric of our society.
Whitelisting, also known as application controls, is the ideological opposite of blacklisting. Instead of tracking and categorizing the bad applications in the world, the whitelist tracks the good ones. The Google Play Store and the Apple App Store are two popular examples of whitelisting in the real world. It is possible for malware to infiltrate the Play Store or the App Store, but not to the same degree as the ransomware threat in front of us. Not even close.
The potential of whitelisting is enormous. Not only does it stop the ransomware epidemic in its tracks, it also protects against polymorphic viruses and advanced persistent threats such as a spy that wants to infiltrate a particular government agency or high-value enterprise.
Sadly, the state of whitelisting is not mature. Many corporations have implemented whitelisting and later discontinued the effort. Whitelisting in the governmental and enterprise spaces has a poor reputation. The underlying issue can be summarized in two words: false positives. The problem riddling current whitelisting solutions is that they far too frequently identify good programs as bad. The responsibility for resolving the ‘false positive’ issue falls on IT staff and not on the whitelist provider.
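To make the contrast in the preceding paragraphs concrete, here is an added example (not code from PC Pitstop or the original article) that models both approaches with SHA-256 hashes: a blacklist that blocks only what it has seen before, and a default-deny whitelist that blocks an unseen ransomware sample but also blocks a legitimate, not-yet-vetted program update, which is exactly the false-positive problem described above. All sample "binaries" and list entries are constructed byte strings standing in for real executables.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample contents; in practice these would be real executable files.
APPROVED_BUILDS = {                      # builds the whitelist provider has vetted
    "editor.exe 1.0": b"editor build 1.0",
    "backup.exe 2.3": b"backup tool build 2.3",
}
KNOWN_BAD = {                            # families the blacklist has already seen
    "locker-2015": b"ransomware family seen in 2015",
}
WHITELIST = {sha256_hex(c): n for n, c in APPROVED_BUILDS.items()}
BLACKLIST = {sha256_hex(c): n for n, c in KNOWN_BAD.items()}

def blacklist_verdict(content: bytes) -> tuple[bool, str]:
    """Signature model: block only what has been detected before, allow the rest."""
    d = sha256_hex(content)
    if d in BLACKLIST:
        return False, f"blocked: matches known-bad {BLACKLIST[d]}"
    return True, "allowed: no signature match"

def whitelist_verdict(content: bytes) -> tuple[bool, str]:
    """Application-control model: default deny, run only vetted builds."""
    d = sha256_hex(content)
    if d in WHITELIST:
        return True, f"allowed: matches approved {WHITELIST[d]}"
    return False, f"blocked: unknown hash {d[:12]}"

def compare(label: str, content: bytes) -> dict:
    bl, bl_why = blacklist_verdict(content)
    wl, wl_why = whitelist_verdict(content)
    return {"sample": label, "blacklist_allows": bl, "whitelist_allows": wl,
            "blacklist_reason": bl_why, "whitelist_reason": wl_why}

# Three constructed cases that map onto the article's argument.
SAMPLES = {
    "known ransomware": b"ransomware family seen in 2015",
    "never-seen ransomware": b"ransomware variant, freshly repacked",
    "legitimate editor update": b"editor build 1.1",   # benign, but not yet vetted
}

def run_cases() -> list[dict]:
    return [compare(label, content) for label, content in SAMPLES.items()]

if __name__ == "__main__":
    for row in run_cases():
        print(row)
```

The third case is the false positive: the whitelist blocks the update until someone adds its hash, which is the maintenance burden that lands on IT staff.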
The good news is that whitelisting is software, and software can be improved over time. Right now, we are on version 1.0. Looking at the threats in front of us and the potential solutions, the ultimate answer is the evolution of the whitelist into commercial-grade software with vastly reduced false positives.
In conclusion, antivirus is not dead. To be sure, it is wholly ineffective against modern threats, but just like any software it must adapt to the marketplace and to the threats to its existence. The answer lies in abandoning the blacklist approach in favor of the whitelist, which has been successfully deployed in many other similar ecosystems.