Antivirus has been the default method for providing computer security for decades. The question is should it continue or what is next?
AntiVirus typically works on a list of bad things and then anything being used is compared against the list and anything similar or the same is then blocked. There are many techniques on how this is done from algorithms, signatures, patterns or behaviours. However at the core they are based on the known bad thing. This worked prior to 2008, quite well as the number of malware was low and the spread was typically slow.
As you can see in the image the amount of Malware has increased dramatically and now it seems silly to keep a list of hundreds of millions of bad things. Furthermore the whole premise of a bad list is that everything is assumed good until it is caught doing bad. This means Cyber attackers get first movers advantage for free, as anything new that doesn’t match or isn’t similar to other bad things, wont be blocked as it is not yet on the bad list. So with this model we are always one step behind the cyber attackers and need to assume it is only a matter of time before we are infected and will be required to “cleanup” after the impact of malware. Here is one example from VirusTotal showing that since its first release on 2018-06-26 to 2018-06-29, across 69 different AntiVirus products, only 39 detect it as Malware.
The solution is to use a good list (whitelist) and in regards to malware it is known as an application whitelist and sometimes called application control.
Application whitelisting works by keeping a good list of all the known applications that are used. Then anything not on the good list including malware written in the past or malware that has yet to be created would be blocked. This does require some upfront effort as now you are choosing to deal with security at the start, rather than doing almost nothing at the start (AntiVirus) but then hoping and potentially having to spend effort to deal with a malware infection. AntiVirus has a great startup process as it is very easy to install, so it is very hard for almost any other security solution be that easy. However that ease and simplicity must come with a cost. One way to think about it could be as a choice, would it be better to:
- Place effort putting doors and locks for the house and the internal rooms.
- Take a risk and hope people don’t realise it isn’t locked and then on the chance it occurs deal with impact of a burglary.
There is no right answer as every business is different, however if your business deals with confidential, personal or secret information then Application Whitelisting is most likely applicable. Especially because the NSA and the Australian Equivalent (ASD [Australian Signals Directorate]) have both announced that the best cyber security protection is Application Whitelisting. This is based on dealing with actual Cyber security attacks and analysing the best methods for protection. A side point is Application Whitelisting and AntiVirus can work together so they are not mutually exclusive and hence just because you have one doesn’t mean you shouldn’t have the other. Especially when security is involved more protections should improve security.
Furthermore if Application Whitelisting is the number one method of protection, I suspect the EU GDPR (General Data Protection Regulation) and the Mandatory Breach Notification (Australian Privacy Act Amendment) may expect this level of protection applied to be appropriately secure.
So the next question is how do you apply application whitelisting. In short it is technical and complex and for this reason why we have built an Application Whitelisting platform. If you are interested check out the details of ShellProtect and request your free trial.