For the past few years, everyone seems to be down on antivirus software. This sentiment was exhibited in a recent ESG research report titled, The Endpoint Security Paradox (note: I am an ESG employee). When asked to identify challenges associated with their antivirus software, 34% of security professionals complained about too many false positives that classify benign files/software as malware, while 33% said that products are not nearly as effective at blocking and/or detecting malware as they should be.
This and other data give the impression that AV software simply doesn’t work, but there may be other factors in play here. For example, ESG found that 73% of enterprise organizations have two or more unique AV products deployed across the enterprise. Amazingly, 29% of large organizations have three or more unique AV products deployed across the enterprise.
Now these products can be from different vendors, or they can be different versions of an AV product from the same vendor, but the impact is the same – multiple products mean multiple management consoles, configurations, administration, etc. All of these operational issues can impact AV efficacy and efficiency.
This pattern of AV variety is further exacerbated by frequent replacements of AV products and vendors. More than half (56%) of enterprises say that they change AV vendors “frequently” (22%) or “occasionally” (34%), so large organizations may be constantly churning through a potpourri of AV operational issues.
The ESG research also revealed an interesting dichotomy as to why organizations are willing to swap out AV vendors on such a casual basis:
- 37% of enterprise organizations said that they are willing to bring in new AV products to get the best possible price. These organizations must consider AV software a commodity where price is the most important attribute of products.
- 33% of enterprise organizations said that they consider AV to be a priority and are continually seeking the best product available. This is your classic “best-of-breed” behavior that has been a big part of the information security mentality for years.
So let’s think about all of this AV behavior in aggregate. While about one-third of security professionals pooh-pooh AV software efficacy, many use multiple different products and regularly swap out one product for another on an annual basis. AV is therefore managed as an infosec analogue to a revolving door and this constant churn can certainly influence how well products perform and how much effort the infosec team puts in to manage the whole enchilada.
It’s certainly true that AV alone is no longer an adequate countermeasure for targeted/sophisticated threats, but the ESG data indicates that many organizations treat AV like a flea market, making things much worse. AV software is NOT a commodity; there are differences amongst brands in terms of feature/function, manageability, integration with other tools, and yes – efficacy as well. CISOs can only maximize their return on AV software if they pick an enterprise standard, take the time to learn and apply the right configurations and features, develop best practices, and work with vendors to enhance products as necessary. This will not only improve product efficacy but also streamline security operations.
AV products may not be perfect, but large organizations should put a bit of work into using them correctly before throwing a whole software category under the proverbial bus. Without this type of effort and commitment, there isn’t a single security product in any category that will come close to working as advertised.