A few weeks ago I was speaking to a client about the need for antivirus as called for in the Payment Card Industry Data Security Standard (PCI DSS) Requirement 5: Protect all systems against malware and regularly update antivirus software or programs. He made an unusual statement: “We don’t use antivirus.”
Having been in IT and cybersecurity for many years, I knew this was eventually coming, but it was the first time I’d seen it in a real-world implementation. Here are some facts:
- Malware authors regularly update their skills and products to more efficiently evade traditional antivirus solutions.
- Signature-based antivirus only protects against a percentage of all malware: the percentage that has already been discovered and analyzed.
- New zero-day threats occur regularly.
- Software that is intended to protect a system must run on that system, within the constraints of its operating system.
- IoT (Internet of Things) devices are becoming more ubiquitous and do NOT run traditional antivirus.
For a bit of history, the end of antivirus has been predicted, and debunked, for over 10 years. Although it’s clear that antivirus, or the antivirus industry, won’t be disappearing next week, both are certainly in decline and won’t be around forever. In fact, one cybersecurity company has predicted that 2019 will be the year “third party antivirus products will be generally acknowledged as dead.”
Where do we go from here?
- Harden your systems. Make sure end user devices and servers are deployed using images with a baseline security configuration and kept up to date with an automated solution such as Microsoft System Center Configuration Manager (learn more in our SCCM class).
- Don’t throw out your antivirus just yet. But do make sure your AV has behavior-based and heuristic analysis for combating zero-day threats.
- Use other technologies that protect systems when they are inside your network. Many vendors sell physical appliances that block malware at the network perimeter.
- Keep an eye on the latest technologies in this space that use cloud-based systems for real-time analysis and machine learning to determine whether something is a threat before it affects your systems.
- Make sure your users are aware of social engineering attacks that can result in a malware infection, and test them regularly so they don’t fall prey to them.
- Finally, create a Written Information Security Program (WISP) based on the NIST Cybersecurity Framework. The best way to protect your organization from these threats is defense in depth built around the NIST Cybersecurity Framework.