Antivirus: A Quick History
The first virus for Windows-based PCs was written in January of 1986 by two brothers, Basit and Amjad Farooq Alvi. They were only 17 and 24 years old, respectively, at the time. The brothers had developed heart-monitoring software, and pirates were distributing it without paying the required licensing fees. The brothers developed a virus, which they named “Brain”, to stop its illegal use. Brain would copy itself onto any machine where the software was illegally installed, and the user would receive a popup stating that the PC was infected with a virus and that the user would need to contact the application owners immediately for resolution. This software and its accompanying virus eventually became BrainNet, Pakistan’s largest ISP, and motivated engineers at IBM to develop the first AV software for the consumer market in 1987.
This was a very simple beginning to what has now become the bane of the digital information era. “Brain”, much like its biological namesake, has matured, mutated and evolved into several different types of malicious code over the decades. What started as a fairly innocuous popup message has now spawned botnets, trojans, browser hijackers, rootkits, logic bombs, keyloggers, file injectors, and the now reigning champ, ransomware. Add to this the explosion of IoT devices and rapid distribution of information due to a pandemic–driven work from home push, and hackers now not only have more data available on your network, they have more entry points by which to gain access to it. But has AV been able to evolve at the same pace as malware over the years?
The Evolution of Antivirus
The short answer is no. For as long as antivirus has been around, it has not innovated to protect against attacks that use unknown threat techniques. It still looks for a known hash, so a small change to a file produces a hash the signature database has never seen, and a zero-day variant bypasses the system. Antivirus also overlooks the fact that attacks can be file-less, infecting memory and writing directly to RAM rather than to the file system. In addition, antivirus is known for not being user-friendly, hogging bandwidth with updates and spiking CPU with resource-intensive scans. This not only leads to downtime, but often causes users to get frustrated and take measures to disable the software or ignore security warnings.
John McAfee declared that the virus protection software industry was dead back in 2015. How ironic that the founder of one of the largest antivirus companies in the world would make such a bold statement. But take into account that when McAfee worked on the first antivirus programs in 1987, new applications for Windows were released at a rate of about one per month. McAfee witnessed the explosion over an almost 30-year period to 10 million malicious apps. He feared that traditional antivirus alone couldn’t keep pace. In this, he was correct. But why?
The single biggest reason antivirus is struggling is the methods used by traditional antivirus software. The core method that antivirus uses is called signature checking, where AV tools check for files that match known patterns, then take a prescribed remediation action when a match is found. This has always worked well for known threats, but there are some glaring holes in this strategy. Signature databases must be constantly updated with signatures of new viruses. These signatures must then be distributed to all users of that specific AV program. Until both of these things happen, the system is vulnerable to those specific attacks. Because it takes time for new attacks to be recognized, identified, and communicated, this approach is always a few steps behind, and will not catch zero-day attacks. Savvy cyber criminals even follow the National Vulnerability Database with the intention of exploiting newly identified vulnerabilities before they have been addressed by slow-moving organizations. How can you be secure when the criminals are more diligent than you?
Another method used by AV is the Cyclic Redundancy Check (CRC). It detects changes made to files, specifically executable files, to verify that they have not been altered by malicious code. The problem with this technique is that the system must already be in a pristine state when the initial check is done. It will not detect any viruses that already existed on the system, only files that change after the initial check.
Still another method used by AV is called heuristic scanning, where code is analyzed against a predefined set of rules. Certain matches or variations in the code trigger the mitigating response from AV.
Different vendors may use any or all of these methods to claim they have the better mousetrap, and some are indeed better than others. But they’re all still mousetraps, and therein lies the biggest problem: they’re reactive. They will catch a lot of mice, but by the time they do, there’s a good chance some of the mice have already run through your cabinets and helped themselves to your food, or, in this case, your data. Enter Endpoint Detection and Response.
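To make the two weaknesses above concrete, here is a small added illustration (not code from the original post) of exact-hash signature checking and a CRC baseline, run over constructed byte strings standing in for files on disk. A one-byte variant of a "known" sample slips past the signature set, and a CRC baseline taken on an already-infected system never reports the pre-existing file, only what changes afterwards.

```python
import hashlib
import zlib

# Constructed sample "files": byte strings standing in for executables on disk.
KNOWN_MALWARE = b"MZ\x90\x00demo-malware-body-v1"
BENIGN = b"MZ\x90\x00hello-world-app"

# Constructed signature database: SHA-256 digests of known-bad files
# (in a real product this is the vendor-distributed signature feed).
SIGNATURES = {hashlib.sha256(KNOWN_MALWARE).hexdigest()}


def signature_match(data: bytes) -> bool:
    """Exact-hash signature check: flags only byte-for-byte known samples."""
    return hashlib.sha256(data).hexdigest() in SIGNATURES


def crc_baseline(files: dict) -> dict:
    """Record a CRC32 per file while the system is assumed to be clean."""
    return {name: zlib.crc32(data) for name, data in files.items()}


def crc_changed(baseline: dict, files: dict) -> list:
    """Return the files whose content no longer matches the recorded baseline."""
    return [name for name, data in files.items()
            if zlib.crc32(data) != baseline.get(name)]


def demo() -> dict:
    # A variant of the known sample that differs in a single byte.
    variant = KNOWN_MALWARE[:-1] + b"2"
    results = {
        "known_sample_flagged": signature_match(KNOWN_MALWARE),
        "variant_flagged": signature_match(variant),
    }
    # Baseline taken on a system that already contains the malware:
    # the CRC check will never report svc.exe, only files changed later.
    files = {"app.exe": BENIGN, "svc.exe": KNOWN_MALWARE}
    baseline = crc_baseline(files)
    files["app.exe"] = BENIGN + b"\x00patched"
    results["changed_after_baseline"] = crc_changed(baseline, files)
    return results


if __name__ == "__main__":
    print(demo())
```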
A Proactive Approach for a Remote Workforce
Endpoint Detection and Response (EDR). Sounds catchy, right? Well, the technology delivers exactly as described. EDR uses real-time monitoring and log collection to immediately discover and respond to security threats across all endpoints on the network. EDR also uses machine learning and Artificial Intelligence (AI) to dynamically recognize and respond to anomalies before they get to propagate through your network and encrypt your files or access sensitive data. EDR doesn’t stop there. EDR solutions also provide the ability to immediately quarantine, remediate and roll back the affected system in the case of a breach. But EDR really shines in its ability to perform and report the results of a forensic trace on an event from source to execution attempt. Every path taken and action attempted is logged and reported to provide security teams with the complete visibility needed to discover, document and resolve issues before a huge cleanup (or payout) and recovery effort becomes necessary.
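The "source to execution attempt" trace described above rests on process-creation telemetry with parent links. The following added example (not from the original post or any vendor's product) reconstructs that lineage from constructed JSON events and applies one behavioural rule, a script host running under an Office application, which no hash signature could express.

```python
import json

# Constructed endpoint telemetry: one JSON process-creation event per line,
# of the kind an EDR agent forwards to a central analysis backend.
EVENTS = """
{"pid": 100, "ppid": 1, "image": "explorer.exe"}
{"pid": 210, "ppid": 100, "image": "outlook.exe"}
{"pid": 333, "ppid": 210, "image": "winword.exe"}
{"pid": 444, "ppid": 333, "image": "powershell.exe"}
{"pid": 555, "ppid": 100, "image": "notepad.exe"}
"""

# Rule vocabulary (assumed sets chosen for this illustration).
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe"}


def load_events(text: str) -> dict:
    """Index events by pid so parents can be looked up in O(1)."""
    return {e["pid"]: e for e in (json.loads(line)
                                   for line in text.strip().splitlines())}


def lineage(events: dict, pid: int) -> list:
    """Walk parent links to give the full chain from root to the given process."""
    chain = []
    while pid in events:
        event = events[pid]
        chain.append(event["image"])
        pid = event["ppid"]
    return list(reversed(chain))


def suspicious_chains(events: dict) -> list:
    """Behavioural rule: a script host spawned (at any depth) under an Office app."""
    hits = []
    for pid, event in events.items():
        if event["image"] in SCRIPT_HOSTS:
            chain = lineage(events, pid)
            if any(ancestor in OFFICE_APPS for ancestor in chain[:-1]):
                hits.append(chain)
    return hits


if __name__ == "__main__":
    for chain in suspicious_chains(load_events(EVENTS)):
        print(" -> ".join(chain))
```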
Enterprises have been leveraging EDR solutions to provide this unified suite of real-time visibility, information sharing, centralized intelligence, behavioral protection, and cloud-driven fast response for several years. And now this same technology that has helped them to laugh off a demand for Bitcoin payment in exchange for their data is available and affordable to the SMB market.
EDR is not the end-all solution to malware. Instead, it is a critical layer of a defense-in-depth solution. The visibility, log generation and seamless integration and communication with log analysis tools work in tandem with your firewall and other security appliances to give your security team the comprehensive intel it needs. Get proactive protection for your organization and validate compliance to regulatory entities, insurance companies, or business associates.
SMBs no longer have to accept more risk simply because there is no room in the budget for the right solutions. Schedule a free proof of concept of how EDR can help to protect your business and your clients with a budget-conscious Enterprise solution.
Take advantage of our Cyber Threat and Performance Assessment where we assess network usage, network security, and network performance, then provide you with a clear and concise report of all findings. We are offering this valuable service free for a limited time to help our neighbors get back to work cyber safely during the COVID-19 pandemic.