They don’t call ‘em computer viruses for nothing, right?
Originally the term was coined to illustrate their ability to spread. Today's malicious threats also evolve and mutate at an extremely quick pace (much like their namesake), thanks to malware variant automation tools. Unfortunately for us, this rapid change in the threat landscape makes it hard for security vendors to stay on top of it.
Signatures Can’t Keep Up
Typically, antivirus uses signatures to recognize and stop malware. The antivirus vendor must first obtain the specific malware and understand how it attacks in order to create a defense against it: the signature or pattern update. From there, the vendor pushes this signature out to all its active users. Because a signature matches a specific pattern, a variant that differs even slightly can slip past until a new signature is written for it. When this method of defense first became mainstream, about a million malware variants were appearing each year. In 2016, there were 140 million new threats. Trying to identify and create signatures for all these threats today is nearly impossible.
Signatures Keep Us from Keeping Up
Just for a moment, let's say we have an antivirus vendor that is somehow managing to keep up, creating signatures for all the new threats that crop up every day. That would mean several updates a day, each of which every one of your endpoints would have to download and then rescan against. Actions like these put considerable strain on your environment and degrade the performance of your systems. Your users suffer, and you as the IT admin struggle to keep your environment running as well as you can.
Threat Intelligence through Machine Learning
Let's see how many more buzzwords I can throw in on top of this: there is artificial intelligence in the cloud that constantly classifies and scores URLs, IPs, files and mobile apps, and that also watches end-user behavior for context, in order to identify and stop threats faster. Phew.
In other words, we deploy an antivirus tool, Webroot, that, while it still employs signatures, also relies on analyzing typical user and process behavior to quickly identify anything outside the norm. Behaviors Webroot may be on the lookout for include the mass encryption of files or frequent contact with an unknown outside IP address. By targeting unusual behaviors at the endpoint level, Webroot can stay more on top of threats.
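To make the contrast between the two approaches concrete, here is a small added example of my own; it is not Webroot's engine and not code from the original post. It checks a constructed "malware" sample against an exact-hash signature, shows that a one-byte mutation of that sample defeats the signature, and then runs two behavioral heuristics (many high-entropy file writes in a short window, and repeated connections to an IP outside an allow-list) over a constructed stream of endpoint telemetry. The sample bytes, process names, thresholds and IP addresses (taken from the RFC 5737 documentation ranges) are all assumptions made for the illustration.

```python
"""Signature matching versus behavioral heuristics over constructed
endpoint telemetry. Added illustration only; not Webroot's engine."""
import hashlib
import math
from collections import defaultdict

# --- Signature-based detection -------------------------------------------
# Constructed "malware" sample and a one-byte mutation of it (hypothetical).
ORIGINAL_SAMPLE = b"MZ\x90\x00constructed-sample-body-do-not-run"
VARIANT_SAMPLE = ORIGINAL_SAMPLE + b"\x90"  # an automation tool appends one byte

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# The vendor's pushed signature: the hash of the one sample it analysed.
KNOWN_BAD_HASHES = {sha256_hex(ORIGINAL_SAMPLE)}

def signature_match(sample: bytes) -> bool:
    """Exact-hash signature check: any mutation of the sample defeats it."""
    return sha256_hex(sample) in KNOWN_BAD_HASHES

# --- Behavior-based detection --------------------------------------------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, low for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def pseudo_ciphertext(label: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted file."""
    out = b""
    i = 0
    while len(out) < size:
        out += hashlib.sha256(f"{label}-{i}".encode()).digest()
        i += 1
    return out[:size]

# Constructed telemetry: (seconds, process, kind, detail). Detail is file
# content for "file_write" and a destination IP for "net_connect".
EVENTS = []
EVENTS += [(t, "word.exe", "file_write", b"Quarterly report draft " * 40) for t in (5, 12, 30)]
EVENTS += [(1 + i, "evil.exe", "file_write", pseudo_ciphertext(f"doc{i}")) for i in range(25)]
EVENTS += [(10 * i, "evil.exe", "net_connect", "203.0.113.45") for i in range(6)]
EVENTS += [(3 * i, "update.exe", "net_connect", "198.51.100.10") for i in range(10)]

KNOWN_GOOD_IPS = {"198.51.100.10"}  # constructed allow-list (e.g. the update server)

def max_events_in_window(times, window):
    """Largest number of timestamps that fall within any `window`-second span."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def behavioral_alerts(events, window=60, file_threshold=20,
                      entropy_threshold=7.0, beacon_threshold=5):
    """Flag processes that (a) write many high-entropy files in a short window
    or (b) repeatedly contact an IP that is not on the allow-list."""
    enc_writes = defaultdict(list)
    unknown_conns = defaultdict(list)
    for t, proc, kind, detail in events:
        if kind == "file_write" and shannon_entropy(detail) >= entropy_threshold:
            enc_writes[proc].append(t)
        elif kind == "net_connect" and detail not in KNOWN_GOOD_IPS:
            unknown_conns[(proc, detail)].append(t)
    alerts = []
    for proc, times in enc_writes.items():
        n = max_events_in_window(times, window)
        if n >= file_threshold:
            alerts.append((proc, "mass_encryption", n))
    for (proc, ip), times in unknown_conns.items():
        n = max_events_in_window(times, window)
        if n >= beacon_threshold:
            alerts.append((proc, f"beacon_unknown_ip:{ip}", n))
    return sorted(alerts)

if __name__ == "__main__":
    print("signature hits original:", signature_match(ORIGINAL_SAMPLE))
    print("signature hits variant: ", signature_match(VARIANT_SAMPLE))
    for alert in behavioral_alerts(EVENTS):
        print("behavioral alert:", alert)
```

Run as a script, it reports that the signature catches the original sample but not the mutated variant, while the behavioral rules flag evil.exe twice (25 high-entropy writes in one minute, and six connections to the unknown address) and stay silent on the word processor and the update client. Real products tune the thresholds and combine many more signals; the point here is only that the behavior survives the mutation that the hash does not.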
As always, antivirus should be just one element of your security strategy. It should work hand in hand with your firewalls, policies, content filtering, etc.