By: Robin Bloor | Published: 7th June 2007 | Copyright © 2007
AV technology is gradually dying and being replaced by far more effective IT security technology based on whitelisting. You could view this as an inevitable development, given the horrible inadequacies of AV technology, or you might want to pin the credit on the AVID (AntiVirus Is Dead) campaign which has repeatedly drawn attention to the inadequacy of AV technology and championed whitelisting technology that actually works. Actually it doesn't matter much either way. It's happening.
Two trends that are in progress at the moment.
The latest whitelisting vendor to emerge is SignaCert. I'm quite partial to this company, primarily because, in discussion, its executives expressed the same fundamental view of IT security that I have: "When you get down to it, it's not about malware and hackers, it's about 'software authentication'."
SignaCert, for its part, has been collaborating with some major vendors (Intel, Sun, Juniper Networks, Cordys, XenSource, PGP and many others) to assemble an "authentication database" for authenticating software. SignaCert delivers the authentication platform that complements the database. It is the first whitelisting vendor to make the leap and think in terms of authenticating software for all platforms—not just Windows, where the major pain is experienced.
When I initially started the AVID campaign it was because, having thought about it, I concluded that AV must be a wrong idea: it didn't attempt to authenticate software, it only attempted to recognize bad stuff. (It was only later that I discovered how ineffective AV technology actually is.) Mention the concept "software authentication" to an AV vendor and you are likely to get a blank stare. It isn't what AV vendors do.
However, software authentication is necessary for many reasons: to prevent people from running the wrong versions of software, to prevent them loading their own favourite software without permission, to prevent people from running software for which your company has not bought a license, or to prevent them running it on a machine for which it is not licensed. Software authentication IS the issue. If you have effective software authentication, it stops malware stone dead AND it helps manage the corporate software resource in a productive way.
So there is a new AVID hero. It is called SignaCert. Now there are 6 whitelisting companies. By the way, I've been sent information which leads me to believe that there may be a seventh one. If it proves true, I can't say I'll be surprised. What we are watching here is a major IT security trend in motion.
7th June 2007: 'peteo' said:
The SignaCert technology is well thought out and scalable. The company has a strong team with a good pedigree in information security. It takes into account a wide variety of situations and will become another important arrow in the quiver of security tools every CIO/CSO needs.
8th June 2007: 'John Sniadowski' said:
On the surface the idea of software authentication looks ideal, especially when compared with AV, and I agree with Robin that AV is a dead technology. Not only does AV not work very well in today's connected environment, it also soaks up lots of system resources just looking for an exception for when and if a bad guy happens by. However, I get the feeling that white listing or software authentication is another Pandora's box. I look at it mainly from 2 angles:
1) Trusted computing, or in some parlances also known as treacherous computing;
2) Privacy/attack surface reduction.
Software authentication is in some respects similar to trusted computing in so far that if the software does not pass the tests, it does not run/install or, worse, a working version is revoked and prevented from being used. Depending on the circumstances this can result in the legitimate user being denied the use of the software AND the material it is designed to process. This takes the power away from the legitimate user and places it in the hands of some other and potentially hostile 3rd party.
Privacy is another big issue: knowing what applications a user has authenticated can give away swathes of information about the user/organization. This opens up another avenue of security, that of attack surface reduction. Just knowing what applications are installed can be utilized to craft denial of service attacks, back door hackery or just plain old industrial espionage. Just about every application under the sun is being profiled by hackers to see what can be prised open and what combination of application configuration opens up other attack vector possibilities. Imagine now the prize of the software authentication databases and their contents. Every time you build such systems that contain such useful information, another avenue of attack becomes possible.
So whilst software authentication has its place, the end user community MUST be skeptical and vigilant of the possible misuse of such technology and see through the marketing puff of vendors of such products. Ask yourself the question: what is "effective software authentication" that does not open up the Pandora's box? Remember, the only secure network is one locked in a room with no users connected to it; thus it is about risk management, there is no "magic bullet", and anyone who touts a hero in this context is either disingenuous or naive.
8th June 2007: 'Robin Bloor' (Author) said:
In answer to John's comments, it is certainly true that any information made available about the software that a particular piece of hardware runs increases the attack surface. However, that is not the way that whitelisting products work. Quite specifically, the databases they hold are kept highly secure since they represent a point of significant vulnerability. Secondly, whitelisting does not prevent unauthenticated software from running; it simply disables such software from infecting either the local machine or any other in a network. Finally, if you are effective in providing an audit trail of the provenance of an executable then it is truly difficult to break the authentication process. The reality is that there really is no alternative to authentication, so it is really a matter of engineering authentication to be both unintrusive and very difficult to break. Whitelisting is the beginning of this and it will harden over time.
11th June 2007: 'Ilya Rabinovich' said:
Well, there was another SignaCert-like project from HP. It died. The reasons were:
1. Too many applications and script files (document files may contain scripts too).
2. Many of them are commercial secrets and, thus, can't be signed out.
3. Slow addition of new ones.
4. Need of constant Internet connection.
SignaCert will die too. It is obvious. The real fact is that sandbox HIPS solutions, based on threat-gate application isolation, are the only way out for the AV industry. One of them has already been acquired by Google; others, I suppose, will be acquired within the next year. BTW, how to sign up for your AVID campaign?
12th June 2007: 'Robin Bloor' (Author) said:
Ilya... How to sign up for the AVID campaign. Well, right now I hadn't thought to do anything other than regularly post articles which point out that AV technology doesn't work. Now you've got me thinking. I'll see if we can set up a place where at least people can sign on.
12th June 2007: 'Gene Spafford' said:
If you look closely at the approach being taken by SignaCert, you will see that it addresses your objections. For instance, the offering lets customers include their own signatures in a local DB, for custom software, scripts, etc. And by working with vendors (rather than off the net), the SignaCert signatures are highly trustworthy and don't require any disclosure of the code. Is this a solution for home users or for every platform? No. But there really is no universal solution. Perhaps ISPs will take up some defensive measures (such as SignaCert) and offer them to customers. And if the idea is sound, other vendors will want to be part of this. HIPS/HIDS is not a solution, either, because we keep seeing new attacks that bypass them. It is simply an issue of intractability -- one cannot enumerate all possible bad things in advance, and that includes rules against behavior. I've been doing research into such approaches for nearly 15 years, and we know there are theoretical bounds on what we can detect. I may be a little biased because I came up with the original design for the SignaCert product, but I really believe that the approach (white listing with vendor cooperation and trust scoring) is a necessary component in an overall security architecture for trusted computing. One needs to have confidence that the software in place is what was originally designed and produced by its authors.
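The article's description of software authentication (a reference database of known-good software, used to stop wrong versions and unapproved programs) and Gene Spafford's comment above (a vendor-supplied database complemented by a customer's local database, with trust scoring) both describe the same mechanism. The following is an added example, not code from the article, from SignaCert, or from any commenter: a minimal hash-based allow-list check in Python. The vendor and local databases, the trust scores, the approved-version policy and the sample "executables" are all constructed for the example; real products key on signed vendor manifests rather than hand-built dictionaries.

```python
"""Hash-based software authentication (allow-list lookup).

Added illustration of the whitelisting idea discussed on the page. Models
two reference sources: a vendor-supplied database of known-good file
hashes with a per-publisher trust score, and a customer-maintained local
database for in-house software and scripts. Everything below is
constructed sample data, not a real vendor feed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class ReferenceEntry:
    product: str
    version: str
    publisher: str
    trust: int  # 0-100: confidence in the provenance of this hash


@dataclass(frozen=True)
class Verdict:
    status: str                     # authenticated | wrong_version | low_trust | unknown
    source: Optional[str]           # "vendor", "local", or None when unknown
    entry: Optional[ReferenceEntry]


def sha256_bytes(data: bytes) -> str:
    """Content hash used as the lookup key; any change to the file changes it."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    """Hash a file on disk in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed stand-ins for executables; in practice these are real file contents.
VENDOR_BUILD_20 = b"vendor build of widget 2.0 (constructed sample)"
VENDOR_BUILD_19 = b"vendor build of widget 1.9 (constructed sample)"
LOCAL_SCRIPT = b"#!/bin/sh\necho in-house backup script (constructed sample)\n"
UNVOUCHED_BINARY = b"nobody has vouched for this (constructed sample)"

# Vendor database: populated from publisher cooperation (constructed here).
VENDOR_DB: Dict[str, ReferenceEntry] = {
    sha256_bytes(VENDOR_BUILD_20): ReferenceEntry("widget", "2.0", "Example Vendor", 90),
    sha256_bytes(VENDOR_BUILD_19): ReferenceEntry("widget", "1.9", "Example Vendor", 90),
}

# Local database: the customer's own signatures for custom software/scripts.
LOCAL_DB: Dict[str, ReferenceEntry] = {
    sha256_bytes(LOCAL_SCRIPT): ReferenceEntry("backup.sh", "3", "Internal IT", 70),
}

# Organisational policy: which versions of each product are approved (constructed).
APPROVED_VERSIONS: Dict[str, Set[str]] = {"widget": {"2.0"}, "backup.sh": {"3"}}


def authenticate(data: bytes,
                 vendor_db: Dict[str, ReferenceEntry] = VENDOR_DB,
                 local_db: Dict[str, ReferenceEntry] = LOCAL_DB,
                 approved: Dict[str, Set[str]] = APPROVED_VERSIONS,
                 min_trust: int = 50) -> Verdict:
    """Look the content hash up in the vendor DB first, then the local DB.

    A hit is only 'authenticated' if its trust score meets the threshold and
    the matched version is one the organisation has approved; that is how the
    same lookup also catches the 'wrong version' case the article mentions.
    Anything absent from both databases is 'unknown', and what to do with an
    unknown (block, isolate, or merely log) is left to the caller's policy.
    """
    digest = sha256_bytes(data)
    for source, db in (("vendor", vendor_db), ("local", local_db)):
        entry = db.get(digest)
        if entry is None:
            continue
        if entry.trust < min_trust:
            return Verdict("low_trust", source, entry)
        if entry.version not in approved.get(entry.product, set()):
            return Verdict("wrong_version", source, entry)
        return Verdict("authenticated", source, entry)
    return Verdict("unknown", None, None)


if __name__ == "__main__":
    for name, blob in [("widget 2.0", VENDOR_BUILD_20), ("widget 1.9", VENDOR_BUILD_19),
                       ("backup.sh", LOCAL_SCRIPT), ("unvouched", UNVOUCHED_BINARY),
                       ("tampered widget 2.0", VENDOR_BUILD_20 + b"\x00")]:
        v = authenticate(blob)
        print(f"{name:22s} -> {v.status} ({v.source})")
```

The tampered case matters most: a single appended byte moves a vendor-signed build out of the database entirely, so it is reported as unknown rather than as the product it claims to be. That is the property that lets an allow-list stand in for recognising malware by signature.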
26th June 2007: 'Richard' said:
I too am in agreement with Robin's point of view here. It's like asking for world peace: great idea, but we all know that's not going to happen. It's all in how we prepare for the problems. We all know that the big 3, OK maybe 4, AV companies are not going to just sit on the side and die, but as in the Symantec case they acquired some technologies over the past couple of years and are still trying to get their own house back at 100%. I feel whitelists are a good thing and it's all in how you approach the problems/issues; there are always going to be bad guys and we just need to protect what's important to the business. It is going to be a long road, but I feel security companies are seeing the light. You will see much more on the acquisition side this year and into next year (I'm not going to stick my neck out any further than that!) and better alignment towards protecting key applications or 'software authentication' and what keeps the business running. I see this already with the two acquisitions by PatchLink (Harris STAT and SecureWave) and moving to a more consolidated approach. I don't need one more tool to address one more problem, I need what I currently have in house to do more.
Richard K Linke, CSO
Global Security Management Inc.
31st July 2007: 'Sony Wega' said:
My tube television owns your Blu-ray HD TV pictures. I see it like this. When cars were made better (out of steel) you didn't need stuff like air bags. Now TVs are following in the footsteps of cars, and your Blu-ray stuff is your airbag...
Published by: IT Analysis Communications Ltd.