The quiet anti-virus assumption
- {{x.value}}
{{ twilioFailed ? 'SMS Code Failed to Send…' : 'Enter verification code' }}
{{ completedStep1 ? 'Authentication & Security' : content.trialHeading.replace('{0}', user.FirstName) }}
{{ content.upgradeHeading.replace('{0}', user.FirstName) }}
The email address you entered is registered with InvestSMART
Please login to continue
We have sent you an email with the details of your registration.
Looks you are already a member. Please enter your password to proceed
{{ upgradeCTAText }}
Updating information
Please wait ...
Your membership to InvestSMART Group recently failed to renew.
Please make sure your payment details are up to date to continue your membership.
Having trouble renewing?
Please contact Member Services on support@investsmart.com.au or 1300 880 160
You've recently updated your payment details.
It may take a few minutes to update your subscription details, during this time you will not be able to view locked content.
If you are still having trouble viewing content after 10 minutes, try logging out of your account and logging back in.
Still having trouble viewing content?
Please contact Member Services on support@investsmart.com.au or 1300 880 160
Please click on the ACTIVATE button to activate your Intelligent Investor 15-day free trial
Please click on the ACTIVATE button to finalise your membership
Unsuccessful registration
Registration for this event is available only to Eureka Report members. View our membership page for more information.
Registration for this event is available only to Intelligent Investor members. View our membership page for more information.
- You are already registered for this event.
- This event is already full.
- Please select a quantity for at least one ticket.
- {{ i }}
Forgotten password
Please enter your email address below to request a new password
- Verify your email address by clicking on the link we sent to {{user.Email}}
- You now have free access, we look forward to helping you on your financial journey.
Everytime I go to the RSA conference, I always “sniff” the air for trends, emerging developments and even just new research data points. Here is one such discovery from RSA 2013.
Despite all the anti-malware test methodology debates and controversy among warring security vendors, I sensed what I now call "the quiet AV assumption." Essentially, people who deal with advanced incident response today quietly assume that the malware will not be detected by whatever anti-virus tools installed. The question of "does AV detect it?" never even comes up anymore. In their world, anti-virus effectiveness is basically 0 per cent and this is not a subject of any debate. This is simply a fact of their daily life.
In fact, not only “top shelf” incident responders, but also network forensics implementers, skilled SIEM analysts and even good security architects now operate under an assumption that the malware will get in and will stay awhile and that traditional anti-malware tools will not affect its propagation and survival. Note that this quiet assumption has nothing to do with the questions like “is AV useful?”, “does AV work?” or “what is the AV effectiveness across the entire pool of systems where it is installed?”
The mere concept of IOCs (such as registry keys, file names and checksums, connections, processes) implies that these need to be analysed before the artifact is decided to be “bad.” The need to do malware reversing also implies that no AV vendor has a nice write-up on it and tossing a sample up to VirusTotal is merely a token gesture. Thus, IOCs and reversing exist in a different world compared to anti-malware updates and debates about “AV effectiveness.” One can say that they exist in a more cruel, primal world where only your technical skills matter, not your purchasing decisions or your security vendor market profile. This is the world of true hand to hand combat between the attackers who create malware (and other tools of their trade) on one side and you and your detection and reversing skills on the other side.
Think about it for a second, does the kill chain paper says "… and then the attacker installs malware … and AV catches it"? Not funny, Anton.
In fact, the line between Security Haves and Have-nots goes cleanly between those who trust AV and those who have seen it fail repeatedly in their own environments to the point that it is assumed to never work for the advanced threats that the organisation cares about. Endpoint cleanup with no analysis is still the default in the other world. Reversing the malware to extract the IOCs fast (or get those IOCs shared with you by trusted friends) and then look for them on other systems is the norm in the other…
Anton Chuvakin is a research director at Gartner's IT1 Security and Risk Management group
Call 1300 880 160
Start a chat
Schedule a call
