Thursday, October 21, 2010

Crossroads: Changing the AV Security Model

The current security model used by the AV vendors is broken and hopelessly out of date. The "virus signature update" model of detect-and-destroy made sense twenty years ago, when there were only a handful of new viruses every couple of months. Since the transformation of the "enemy" from kiddie hacker to professional crime took hold, the number of new malware threats per day is in excess of 60,000 (that's roughly one new virus/malware threat every 1.4 seconds!).

In order to sustain the current model, new updates would have to be worked on around the clock, 24/7 (this is neither practical nor reasonable). A new security model is desperately required (the bad guys changed their model; why are the "good guys" so slow in changing theirs?). Rather than focusing on the effectively unbounded number of virus/malware signatures, why don't the vendors focus on protecting against the exploits themselves (both known and unknown)? Many malware samples reuse the same handful of exploits, so there are far fewer exploits than there are viruses, and such an approach is far more proactive and makes us "less of a victim".

I'm not trying to downplay the importance of using an AV protection suite (it still plays a role in a good defence-in-depth strategy); however, we are at a crossroads and we need to pressure the AV vendors to change their models, and fast. If the same security model ends up being adopted for smartphones, then we are all truly screwed (no point in sugar-coating this one).