AV software: “I’m not quite dead yet”

If you are a cybersecurity professional, you’ve probably read the quote, “AV is dead,” hundreds or even thousands of times. The thought here is that antivirus software is no longer effective at blocking modern exploits and malware, thus its useful lifespan is effectively over.

Now when any technology is declared “dead,” it's usually an industry analyst (like me) who makes this type of provocative statement. I remember the analyst declaration “mainframe is dead” from the early 1990s, and the more recent refrain portending the death of the PC. In this case, however, many people attribute the “AV is dead” soundbite to a former Symantec VP quoted in the Wall Street Journal, seemingly giving it more credibility. After all, if Symantec — the market leader — thinks AV is dead, then it sure as heck must be.

Not even close!

First let me weigh in on the infamous Symantec quote. The interview took place during Symantec’s customer event (SymantecVision), which I happened to be attending at the time. What the Symantec executive actually said was something like, “signature-based antivirus alone is dead” (personally, I don’t think many people would disagree with this statement). Unfortunately, the quote was summarized in the WSJ and taken out of context from that point forward.

My colleagues Doug Cahill, Kyle Prigmore and I are just wrapping up a research project on next-generation endpoint security in which we interviewed dozens of enterprise organizations (i.e. more than 1,000 employees) on their current practices, challenges, requirements, and future plans for endpoint security. Admittedly this is not a statistically significant sample size, but I believe these discussions gave us a good understanding of what’s happening in this area. As for AV, here are a few of the things we learned:

  1. Most enterprise organizations continue to run AV today. Yes, some have plans or are contemplating AV replacements with a “next-generation” alternative (e.g. Carbon Black, Cylance, Invincea, SentinelOne, etc.), but these are exceptions and not the rule. It is likely, however, that more organizations will seek out supplemental endpoint security technologies in the future and may eventually replace basic AV.
  2. While “next-generation endpoint security technologies” are certainly gaining market momentum and visibility, most organizations haven’t considered any type of AV alternative yet. This is especially true with organizations in the small enterprise and mid-market category.
  3. Many organizations still believe that AV is effective for detecting and blocking exploits and malware attacks. In a 2014 ESG research project on endpoint security, 49% of the cybersecurity and IT professionals surveyed rated the AV software used by their organizations as “very effective,” while 39% claimed that it is “somewhat effective.” Sure, things have changed since 2014, but I don’t believe there has been a radical shift of opinion.
  4. About half of the organizations we recently interviewed have not tested and do not use the advanced features resident in their AV software. These features, such as in-memory scanning, behavior-based heuristics, and threat intelligence integration, were designed to detect and block sophisticated cyber-attacks, but for some reason enterprises regularly seek AV alternatives before even kicking the tires on the advanced features they already own.
  5. Aside from eschewing AV advanced features, many organizations delegate day-to-day AV management to IT operations groups that typically have less cybersecurity skill and experience than the core infosec team. The folks we interviewed readily admitted that this situation is suboptimal for endpoint defense.

It is worth noting that all of the AV vendors I meet with recognize that endpoint security requirements are changing and are making accommodations for this. Sophos purchased SurfRight to add protection capabilities against sophisticated exploits. Webroot provides multi-layered defenses to block attacks and roll back endpoints to a known good state. Intel Security, Symantec, and Trend have integrated cloud-based analytics and network protection into their endpoint security products.

To be clear, I am not suggesting that there is no need for next-generation endpoint technologies, as many products do go above and beyond AV with innovative new capabilities. My point is that it doesn’t make sense to throw the AV baby out with the endpoint security bath water — especially when organizations haven’t even investigated whether their AV products can be configured in a way that makes them more effective. In my humble opinion, it’s worth understanding what your existing AV can do and where your AV vendor plans to take its products before pulling the endpoint security plug.
