Enterprise Signatureless Malware Detection

AV: Mind the gap

If you’re a subscriber to Virus Bulletin, we have an article in May’s edition, http://www.virusbtn.com/news/2012/05_01_vb.xml . I discuss whether AV has run its course and it’s time to move on, or whether our industry simply needs a more realistic view of what the real threat landscape is and what our products can do.

An excerpt:

“Some vendors are now pushing new approaches, like Indicators of Compromise, yet these too are merely signatures by another name.

A key point that gets little acknowledgement from security vendors: while a sophisticated threat actor can bypass signature-based products more or less at will, the cost of doing business has risen dramatically for cybercriminals.

As an industry, we collectively push two falsehoods:

1. That our products provide the security the user needs.

2. That the cybercrime threat is pervasive and out of control.

I believe that the second point is true for certain industries and governments. I’ve sat with incident response teams as they play whack-a-mole with compromised machines. For them, the reality is that at any given moment a certain number of their endpoints will be compromised, often by sophisticated state-sponsored attackers.”