Why antivirus has endured as a primary layer of defense — 30 years into the cat vs. mouse chase

Antivirus software, also known as antimalware, has come a long, long way since it was born in the late 1980s to combat the then-nascent computer viruses, at a time when only a minority of families had a home computer.

One notable company’s journey in the space started in 1987 when three young men, Peter Paško, Rudolf Hrubý, and Miroslav Trnka, built one of the earliest antivirus prototypes while working out of a house in the former Czechoslovakia. A few years later they formally launched ESET in the central European country of Slovakia in the city of Bratislava.


ESET has endured as part of a select group of legacy antivirus companies that got started in that era. The list includes Avira, Avast, AVG, Bitdefender, F-Secure, G Data, Kaspersky, McAfee, Panda, Sophos, Symantec and Trend Micro.

It’s amazing that these companies all continue to thrive years later, long after pundits declared traditional antivirus too anachronistic to keep pace with the rise of ecommerce, cloud computing, mobile computing and now the Internet of Things. But they were wrong.

Today the “endpoint security” market, which includes antimalware, antispyware and firewalls, is as healthy as ever; research firm Marketsandmarkets estimates global spending on endpoint security will rise to $17.4 billion by 2020, up from $11.6 billion in 2015, a robust 8% per annum growth rate.

I had the chance to discuss ESET’s evolution from traditional antivirus to a full suite of security solutions (ransomware protection, threat intelligence, encryption and the like) with Tony Anscombe, ESET’s global security evangelist, at RSA Conference 2018. For a drill down on our conversation please give the accompanying podcast a listen. A few big takeaways:

Cat vs. mouse

Conceived as a primary layer of defense against known malware, traditional antivirus relies on malware signatures and behavioral analysis to identify threats. From the start, it has been a cat and mouse chase; each time the good guys identified and wrote a signature for a new variant of malware, the bad guys simply created a fresh variant.

Thus, the number of unique malware signatures rose materially each year through the 1990s and early 2000s. Then between 2005 and 2006, fresh malware samples skyrocketed from a few hundred thousand to six million. “It became unrealistic for any company to actually analyze every sample – it was beyond human,” Anscombe recalls. “At that stage we started using machine learning, heuristics and behavior detection, and began to actually teach the machines to decide what is good or bad.”

Rather than die off, antivirus matured out of traditional signature-based detections; despite the technological evolution companies like ESET have gone through, the space continues to be referred to as “antivirus.” ESET takes a system-centric view of endpoint security, adding systems to examine every process on every endpoint. The goal is to algorithmically detect and deter stealthy, multi-stage attacks.

At the core, antivirus has remained an essential layer of network defenses. According to the 2016 SANS Endpoint Security survey, antivirus suites combined with Intrusion Prevention System alerts detect and deter some 57% of impactful events.

“If you look at how endpoint products work today, yes, there’s an endpoint component, but there are different layers within the endpoint product,” Anscombe told me. “You have signature detection, which is what AV is known for, but you also have behavioral and heuristic detection, you have sandboxing, etc., all these layers built into the client.”

Intensified attacks

ESET utilizes highly scalable, cloud-based analytics to determine relationships between patterns of behavior that its systems monitor. This can help reveal a malicious activity, while minimizing false positives. By reconstructing chains of events, it’s possible to flush out an attacker who has already gained insider access and is maneuvering to do material damage.

It remains, at the core, a cat vs. mouse chase. So-called “fileless” malware, for instance, has no signature to match. Instead, the attacker gains privileged access, then looks around for existing, legitimate Windows utility tools, such as PsExec, PowerShell or TeamViewer, and uses them, in the guise of an authorized user, to carry out malicious activity.
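The two points above, reconstructing a chain of events and spotting legitimate tools being driven by an intruder, can be shown in a small detection routine. This is an added illustration, not ESET's code or telemetry: the events below are constructed in a simplified Sysmon-like shape (pid, parent pid, user, image, command line), and the tool lists and scores are assumptions chosen to flag the pattern the article describes rather than any single binary.

```python
"""Chain-of-events scoring over constructed process-creation events."""

# Constructed sample events (assumption: simplified Sysmon-like fields).
EVENTS = [
    {"pid": 100, "ppid": 1,   "user": "SYSTEM",          "image": "services.exe",   "cmd": "services.exe"},
    {"pid": 200, "ppid": 100, "user": "SYSTEM",          "image": "PSEXESVC.exe",   "cmd": "PSEXESVC.exe"},
    {"pid": 300, "ppid": 200, "user": "CORP\\svc-backup", "image": "powershell.exe", "cmd": "powershell.exe -NonInteractive -File run.ps1"},
    {"pid": 400, "ppid": 300, "user": "CORP\\svc-backup", "image": "net.exe",        "cmd": "net use \\\\fileserver\\share"},
    {"pid": 500, "ppid": 1,   "user": "CORP\\alice",      "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 600, "ppid": 500, "user": "CORP\\alice",      "image": "powershell.exe", "cmd": "powershell.exe Get-ChildItem"},
]

# Legitimate utilities the article names as abused once access is gained (PsExec runs as PSEXESVC on the target).
REMOTE_ADMIN = {"psexec.exe", "psexesvc.exe", "teamviewer.exe"}
SHELLS = {"powershell.exe", "cmd.exe"}
DISCOVERY = {"net.exe", "whoami.exe", "nltest.exe"}  # assumption: common post-access discovery commands

def build_chain(events, pid):
    """Walk parent links from pid back to the root; returns the chain oldest first."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def score_chain(chain):
    """Score the sequence of behaviours, not any one binary: a shell launched directly
    under a remote-admin tool and then spawning discovery commands is the fileless pattern."""
    images = [e["image"].lower() for e in chain]
    score, reasons = 0, []
    for parent, child in zip(images, images[1:]):
        if parent in REMOTE_ADMIN and child in SHELLS:
            score += 2; reasons.append(f"{child} spawned by remote-admin tool {parent}")
        if parent in SHELLS and child in DISCOVERY:
            score += 1; reasons.append(f"{parent} ran discovery command {child}")
    # A service account driving an interactive shell is itself unusual (assumed naming: svc-*).
    if any(e["image"].lower() in SHELLS and e["user"].lower().startswith("corp\\svc-") for e in chain):
        score += 1; reasons.append("shell run by service account")
    return score, reasons

def detect(events, threshold=3):
    """Return {leaf pid: reasons} for every process chain scoring at or above threshold."""
    parents = {e["ppid"] for e in events}
    hits = {}
    for e in events:
        if e["pid"] in parents:
            continue  # only score complete chains, from each leaf process up to its root
        score, reasons = score_chain(build_chain(events, e["pid"]))
        if score >= threshold:
            hits[e["pid"]] = reasons
    return hits
```

Alice's PowerShell under explorer.exe scores zero, while the PSEXESVC → powershell.exe → net.exe chain under a service account scores 4 and is reported; the same binaries appear in both, which is why the chain, not the file, carries the signal.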

It makes sense that the original antivirus vendors have been quietly, diligently innovating to stay ahead as the threat landscape expands and intensifies. Threat actors today have a much greater range of tactics, techniques and procedures (TTPs) at their beck and call.


“We utilize cloud systems to actually look at reputation and we can sandbox things in the cloud and get back to the client,” Anscombe says. “And, beyond that, we have threat intelligence that will actually help the organization take preventative measures and tell them what’s actually happening with an APT (advanced persistent threat) attack.”

I came away from my chat with Anscombe encouraged by the way companies are grappling with leading-edge attacks and exposure scenarios. It’s a healthy thing that 13 companies, some with roots back to the late 1980s and early 1990s, are still in the antivirus game. Competition is driving innovation, and these longstanding vendors continue to play a major role preventing threat actors from operating with impunity.

(Editor’s note: Last Watchdog has supplied consulting services to ESET Global.)

*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at:
