Ransomware is often able to bypass signature-based antivirus protection, leaving many security experts to question protection efficacy. Thycotic conducted a survey of Black Hat 2017 conference attendees to see what they thought about current security products. The results weren’t good.
For example, 73 percent of respondents said that traditional perimeter security firewalls and antivirus protection products were irrelevant to their data breaching efforts or otherwise obsolete. This complements a survey conducted by WatchGuard about traditional (signature-based) antivirus programs, which found that those solutions missed about 30 percent of threats.
Ransomware, as a category, is one of the malware types that makes traditional antivirus protection programs ineffective. One simulated threat exercise in March of this year found that only 52 percent of potential threats were thwarted by a traditional antivirus product approach, according to CSO Online. Additionally, an IBM study found that nearly half of businesspeople reported being hit by ransomware last year, with 70 percent of those organizations ponying up the ransom.
If threat actors find that a class of malware has a high success rate, they will obviously continue their efforts with it. And if an organization is slow to update its antivirus products with the latest information, the success rate of such attacks increases.
Your Father’s Antivirus Protection Product
Traditional antivirus products shouldn’t be written off entirely: They excel at spotting known threats. However, for a threat to be known, a user has to be hit first.
Raja Patel, vice president for corporate product at McAfee, summed up the situation to CSO Online, saying that “signature-based defenses will protect you after you know about the threats, but they won’t protect patient zero and the time period after infection and when you wrote the signatures.”
While these products aren’t perfect, it’s better than no protection at all. Luckily, new developments are in progress that will strengthen antivirus capabilities.
A New Approach
Another method has been added to the antivirus repertoire, and it is where much of current research effort is going: a combination of behavior analytics, sandboxing and machine learning. But it comes with a cost. More computational power is required to perform these tasks. Running extra tests on files may adversely impact productivity as well.
Traditional antivirus does have its place in the security lineup. It’s a simple and fast way to deal with threats that have already been established, which is a good first line of defense. But defense that is in-depth, using nontraditional techniques, may prove to be more valuable to the security team in dealing with unique problems.