It’s Not Me, Anti-Virus, It’s you:
Why an imminent break-up with anti-virus as a security solution is a good idea.
The other day while talking about a new opportunity I had to research and blog for Ostra. As I was explaining how Ostra was an Enterprise Grade security solution, I was offered some advice: Small and medium business owners may think anti-virus gives them the protection they need. Two weeks after that conversation, news broke that three major AV companies were breached by a high profile Russian hacking group and 30 terabytes of stolen internal corporate documents and anti-virus source code are for sale in criminal marketplaces. And, as it turns out, this isn’t the first time reputed security companies have failed to keep criminal hackers out of their networks. To me this seems to be the bold exclamation point to a long-overdue conclusion that traditional AV security is far from the protection small and medium business owners need.
The way all of this played out is in March 2019, a Russian hacking group, Fxmsp stated they “could provide exclusive information stolen from three top antivirus companies located in the United States.” This group of cyber-criminals has a long-standing reputation for selling sensitive information stolen from high profile government and corporate entities. Over the last two years they have sold verifiable corporate breaches for a profit of nearly $1 million. A threat research firm, AdvIntel, verified that the group had source code related to the companies anti-virus software development and notified “the potential victim entities” which were Symantec, Trend Micro, and McAfee.
What happens next is something AV consumers should pay close attention to. Symantec performed a self-assessment and downplayed any potential damage. Similarly Trend Micro also claimed this was a low risk breach. McAfee neither confirmed nor denied the breach and only commented they are aware of the threat claim and are taking steps to monitor and investigate. So the three major AV vendors that were breached all promised transparency during a self assessment of impact and downplayed the damage. This type of response is straight out of the Breach 101 playbook, so as the truth comes out overtime it will be “old news” that doesn’t need to be covered and everyone will return to business as usual. Except these are the guys selling cyber-crime consumer protection.
So what does that protection look like in the future? It’s hard to say how these three vendors will prevent the stolen source code from being exploited. Third party endpoint security is a sizable attack surface because systems have to trust and empower it to keep them safe. Maybe it’s time for small and medium business consumers to re-evaluate that trust and their relationship with anti-virus, and move on to enterprise-grade solutions like Ostra.