Many organizations continue to use and benefit from antivirus software, while others have yet to use all of its capabilities.

If you are a cybersecurity professional, you have probably read the quote "AV is dead" hundreds or even thousands of times. The thinking is that antivirus software is no longer effective at blocking modern exploits and malware, so its useful lifespan is effectively over. When a technology is declared "dead," it is usually an industry analyst (like me) who makes the provocative statement. I remember the analyst declaration "mainframe is dead" from the early 1990s and the more recent refrain portending the death of the PC. In this case, however, many people attribute the "AV is dead" soundbite to a former Symantec VP quoted in the Wall Street Journal, which seems to give it more credibility. After all, if Symantec, the market leader, thinks AV is dead, then it sure as heck must be.

Not even close!

First, let me weigh in on the infamous Symantec quote. The interview took place during Symantec's customer event (Symantec Vision), which I happened to be attending at the time. What the Symantec executive actually said was something like, "Signature-based antivirus alone is dead." (Personally, I don't think many people would disagree with this statement.) Unfortunately, the quote was condensed in the WSJ and taken out of context from that point forward.

My colleagues Doug Cahill, Kyle Prigmore and I are just wrapping up a research project on next-generation endpoint security in which we interviewed dozens of enterprise organizations (i.e. more than 1,000 employees) about their current practices, challenges, requirements and future plans for endpoint security. Admittedly, this is not a statistically significant sample size, but I believe these discussions gave us a good understanding of what is happening in this area. As for AV, here are a few of the things we learned:

Most enterprise organizations continue to run AV today. Yes, some have plans for, or are contemplating, replacing AV with a "next-generation" alternative (i.e. Carbon Black, Cylance, Invincea, SentinelOne, etc.), but these are the exceptions, not the rule. It is likely, however, that more organizations will seek out supplemental endpoint security technologies in the future and may eventually replace basic AV.

While "next-generation endpoint security technologies" are certainly gaining market momentum and visibility, most organizations have not considered any type of AV alternative yet. This is especially true of organizations in the small enterprise and mid-market category.

Many organizations still believe AV is effective for detecting and blocking exploits and malware attacks. In a 2014 ESG research project on endpoint security, 49 percent of the cybersecurity and IT professionals surveyed rated the AV software used by their organizations as "very effective," while 39 percent rated it "somewhat effective" (note: I am an ESG employee). Sure, things have changed since 2014, but I don't believe there has been a radical shift of opinion.

About half of the organizations we recently interviewed have not tested, and do not use, the advanced features resident in their AV software. These features, such as in-memory scanning, behavior-based heuristics and threat intelligence integration, were designed to detect and block sophisticated cyberattacks, yet for some reason enterprises regularly seek AV alternatives before even kicking the tires on the advanced features they already own.

Aside from eschewing advanced AV features, many organizations delegate day-to-day AV management to IT operations groups that typically have less cybersecurity skill and experience than the core infosec team. The people we interviewed readily admitted that this situation is suboptimal for endpoint defense.

It is worth noting that all of the AV vendors I meet with recognize that endpoint security requirements are changing and are making accommodations for this. Sophos purchased SurfRight to add protection capabilities against sophisticated exploits. Webroot provides multi-layered defenses to block attacks and roll back endpoints to a known good state. Intel Security, Symantec and Trend Micro have integrated cloud-based analytics and network protection into their endpoint security products.

To be clear, I am not suggesting that there is no need for next-generation endpoint technologies, as many products do go above and beyond AV with innovative new capabilities. My point is that it doesn't make sense to throw the AV baby out with the endpoint security bath water, especially when organizations haven't even investigated whether their AV products can be configured in a way that makes them more effective. In my humble opinion, it is worth understanding what your existing AV can do, and where your AV vendor plans to take its products, before pulling the endpoint security plug.