The anti-virus age AIN’T over

Graham Sutherland wrote a provocative blog post titled “The anti-virus age is over.” I hear this a lot and I often argue against it, as I did recently in a Twitter thread with @jeremiahg and @adamjodonnell.

I noticed Graham argues against his own title. His blog concludes:

Now don’t get me wrong, AV still has its place in the security world

Is an age over if there is still a place in the security world? I say no.

Cory Doctorow apparently does not come to the same conclusion, and instead used Sutherland’s opening argument in his Boing Boing post called “When advanced black-hat hacking goes automatic, script kiddies turn into ninjas” to promote a fictional story of his own.

[The anti-virus age is over] was the premise and theme of my novella Knights of the Rainbow Table (also available as a free audiobook).

I confess I haven’t read much by Doctorow since he ranted against American Airlines data collection practices. At that time I wrote the following response to his predicament:

I have always observed that wise travelers provide no more than the information that is directly relevant to the question being asked — the “most accurate” answer — which has neither too little nor too much detail. It’s a fine balance, but part of the usual business of crossing International boundaries, obviously compounded by different cultural views of what constitutes suspicious or risky behavior.

Although I hate to question Doctorow’s risk management vision again, it seems to me the anti-virus age will be over when we no longer see any place for anti-virus.

The age isn’t over because our defense against polymorphic threats does not mean we should completely remove black-lists for non-polymorphic threats. Sutherland concedes this in the final text of his blog.

To put it another way, should we stop using seat-belts because we can get sick from bird-flu? Obviously not.

I tried to make this risk distinction in my 2012 RSA Conference presentation “Message in a Bottle: Finding Hope in a Sea of Security Breach Data.” Here is how I laid out the age of seatbelts (sorry about the RSA template colors):

2012 RSA SF Conference Slide - Seatbelts

This view of history suggests to me that anti-virus software will become more integrated into the cost of our systems (like seat-belts became de-facto for cars and eventually a law). It will become less visible as it becomes integral.

So where are we headed? Analytic ability with data collection is what comes next, like air-bags were added to seatbelts. But the seatbelt analogy doesn’t really work with intelligent, adaptive threats, as I also illustrated in my 2012 RSA Conference presentation (based on “Dr. John Snow’s map-based spatial analysis and algorithm” for germ theory).

2012 RSA SF Conference Slide - Ghostmap

To follow Snow’s footsteps our discretionary spend will shift towards data collection, anomaly detection and advanced response capabilities (e.g. big data security analysis). We will get better at finding and responding with new tools, while still using computer anti-virus and other old tools.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.