Much like the paperless office, which we talked about for years and then, one fine day, just seemed to happen, our recent chant that antivirus is dead will also, one fine day, just seem to come true. But we are not quite there yet. The reason: we are looking for the next-generation endpoint protection technology to replace the once trusty AV, and comprehensive protection is still a long way off.
What is missing from the protection conversation is the detection part, which AV did very well. One must detect a threat reliably before one can protect against or prevent it, not least because false positives are disruptive. AV has the distinct advantage of looking for the known. So do similar pattern-based techniques: IOCs (in effect, more complex signatures) and whitelisting (the same idea turned around, matching against the known good).
However, today’s advanced yet common TTPs, such as memory injection, readily bypass these techniques: code that is unpacked or injected directly into a running process never exists as a file on disk for a signature to match. Furthermore, over 90% of cyber attacks today are found to involve previously unknown malware or, more importantly, targeted, one-off malware. Over the coming days we will learn the TTPs of the attack against VTech that was disclosed this week; my guess is that they will bolster the prevailing truth that AV on its own no longer works.
While we will not abandon alternative endpoint protection technologies, for now we must rely on, and in fact demand, robust endpoint detection capabilities. We would argue that any recipe for robust detection must incorporate the data triad: operating system events (what is happening now), memory forensics (what can potentially happen, since memory is the one place where malware must ultimately execute), and threat intelligence (what we know has happened before; why ignore the known?).
Interestingly, this is a big data problem that requires a convergence of several current detection approaches rather than one over another: behavioral analytics, machine learning, and case-based heuristic reasoning. En route to protection we will also reap an added benefit of robust detection: anomalous behavior by insiders gets detected even when no malware is in play, because the operating system events are recorded regardless of what caused them.
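To make the data triad and the convergence argument concrete, here is a small scoring routine that correlates the three sources over a handful of process records. It is an added example written for this page, not any product's or vendor's implementation; the telemetry, field names, parent/child rule, weights, threshold and hashes are all constructed assumptions for illustration.

```python
"""Scoring a process against the data triad: OS events, memory, threat intel.

Added example. Every record, field name, hash and weight below is a
constructed assumption for illustration, not real telemetry or any
vendor's schema.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Threat intel: what we already know is bad (constructed sample hash).
KNOWN_BAD_SHA256 = {"0123456789abcdef" * 4: "Constructed.Dropper.A"}

# Behavioral rule: document or mail clients spawning script hosts.
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "rundll32.exe"}

# No single weak signal reaches the threshold on its own; known-bad intel
# does, and a memory anomaly combined with suspicious behavior does.
WEIGHTS = {"intel": 100, "memory": 60, "behavior": 40}
THRESHOLD = 70


@dataclass
class ProcessEvent:
    """Operating system event: what is happening now."""
    pid: int
    image: str          # executable file name
    parent_image: str
    sha256: str         # hash of the on-disk image


@dataclass
class MemoryRegion:
    """Memory forensics: what could execute."""
    pid: int
    protection: str     # e.g. "rwx", "rx", "rw"
    image_backed: bool  # False for private/anonymous memory


@dataclass
class Verdict:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def intel_indicator(ev: ProcessEvent) -> List[str]:
    name = KNOWN_BAD_SHA256.get(ev.sha256)
    return [f"known-bad hash ({name})"] if name else []


def behavior_indicator(ev: ProcessEvent) -> List[str]:
    if ev.parent_image.lower() in OFFICE_APPS and ev.image.lower() in SCRIPT_HOSTS:
        return [f"{ev.parent_image} spawned {ev.image}"]
    return []


def memory_indicator(regions: List[MemoryRegion]) -> List[str]:
    # Executable code in memory that no file on disk backs is the classic
    # footprint of injection; a signature scan of the disk never sees it.
    hits = [r for r in regions if "x" in r.protection and not r.image_backed]
    return [f"{len(hits)} executable non-image-backed region(s)"] if hits else []


def score_process(ev: ProcessEvent, regions: List[MemoryRegion]) -> Verdict:
    v = Verdict(pid=ev.pid)
    for kind, reasons in (("intel", intel_indicator(ev)),
                          ("memory", memory_indicator(regions)),
                          ("behavior", behavior_indicator(ev))):
        if reasons:
            v.score += WEIGHTS[kind]
            v.reasons.extend(reasons)
    return v


def score_all(events: List[ProcessEvent], regions: List[MemoryRegion]) -> Dict[int, Verdict]:
    by_pid: Dict[int, List[MemoryRegion]] = {}
    for r in regions:
        by_pid.setdefault(r.pid, []).append(r)
    return {ev.pid: score_process(ev, by_pid.get(ev.pid, [])) for ev in events}


def alerts(events: List[ProcessEvent], regions: List[MemoryRegion]) -> Dict[int, Verdict]:
    return {pid: v for pid, v in score_all(events, regions).items() if v.score >= THRESHOLD}


# Constructed sample telemetry for four processes.
SAMPLE_EVENTS = [
    ProcessEvent(100, "explorer.exe", "userinit.exe", "a" * 64),
    ProcessEvent(200, "invoice.exe", "explorer.exe", "0123456789abcdef" * 4),  # known malware
    ProcessEvent(300, "powershell.exe", "winword.exe", "b" * 64),  # unknown hash, one-off
    ProcessEvent(400, "chrome.exe", "explorer.exe", "c" * 64),
]
SAMPLE_REGIONS = [
    MemoryRegion(300, "rwx", False),  # code injected into the PowerShell process
    MemoryRegion(400, "rx", True),    # the browser's own image
    MemoryRegion(400, "rwx", False),  # JIT code: legitimate, but looks like injection on its own
]

if __name__ == "__main__":
    for pid, v in alerts(SAMPLE_EVENTS, SAMPLE_REGIONS).items():
        print(pid, v.score, "; ".join(v.reasons))
```

Run as a script it flags two processes: the dropper with the known-bad hash (threat intel alone suffices, which is the "why ignore the known" point) and the one-off PowerShell instance whose hash matches nothing but whose injected, non-image-backed executable memory plus its Office parent add up past the threshold. The browser is not flagged even though it also has private executable memory, because JIT compilers legitimately create such regions; that is exactly why the memory signal is weighted below the threshold and converged with the other two sources rather than trusted on its own.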