Q. Is it fair to say that AV becomes more ineffective as a "defence" the more important the data to be protected is?
No, the value of the data to be protected does not have any impact on the raw effectiveness of security technologies. The key to success is in selecting the right combination of technologies appropriate to the job in hand and ensuring that you are not spending more protecting an asset than the failure or breach of that asset would cost your business.
Q. Is it fair to say that despite the introduction of heuristic detection, AV remains poor at identifying potentially harmful files for which a signature has not yet been written?
Heuristic detection is necessarily more weighty in processing terms and more prone to false positives than simple pattern recognition. For those reasons it will never be an effective security posture in isolation. It does, though, form an important part of that identification process of "previously unknown malware", constituting one of several layers in your security. More recently, heuristics is moving more towards sandboxed execution in custom user environments, providing real actionable intelligence to the enterprise.
Q. Is it fair to say that organisations ought to spend less on anti-virus software and more on other forms of security/protection?
As I said, traditional anti-virus software is only one of many layers of an effective security strategy. The key to success is in selecting the right combination of technologies appropriate to the job in hand, ensuring that you are not spending more protecting an asset than the failure or breach of that asset would cost your business. It is facile to make a generic statement that technology x requires less spend and technology y more, and it belies a lack of realism in security planning (or an excess of marketing by a vendor).
Q. AV software has turned into "suites" encompassing anti-malware, personal firewalls etc. Have these become too big, difficult to comprehend (and therefore use effectively) and bloated, slowing machines down as much as they protect them?
A good consumer "suite" is not bloated, but should offer levels of functionality appropriate to the end-user's requirements. The interface should be simple and almost never seen by the user. A good enterprise suite is not a suite. Rather, it offers a plug-in architecture that enables functional modules to be deployed (and crucially, licensed) on an as-needed basis under a common management infrastructure.
Q. What technologies or innovations can we expect AV software to adopt, or are under development, to improve detection, particularly of "unknown unknowns"?
From an enterprise perspective the move is, firstly, away from the fortress model of aiming to prevent all breaches and towards a model that reflects the fact that breaches will happen from time to time. Thus security vendors must concentrate on technologies that constantly analyse behaviour across the enterprise estate (not just on endpoints) and provide real-time, actionable intelligence to detect, contain and remediate malicious activity when it does get past the layered security model, as it inevitably will.
Q. How much of the "blame" for the security shortcomings of many platforms is down to the operating system vendors adopting inherently insecure practices?
Of course vulnerabilities in operating systems and applications must bear some of the blame, but it is also true to say that great strides have been made in securing these areas in recent years (particularly in operating systems; less so in applications, with a focus on in-browser add-ons). Notwithstanding that, the most successful attack vector remains the end-user: their natural will to help, their curiosity, credulity and lack of awareness.