In the wake of the WannaCry outbreak, corporate executives, IT professionals, and journalists have been bombarded by cybersecurity product vendors. The message, “if only you had bought our product you would have been protected,” smacks of shameless opportunism.
Outside the cybersecurity realm, sales and marketing professionals display significantly more tact. Following serious highway pileups, automobile manufacturers do not announce that people would have fared better in new safer cars. In the aftermath of terrorist attacks, defence vendors do not launch advertising campaigns to proclaim that their products could have saved lives. Yet when businesses, including hospitals, are crippled by malware, cybersecurity product vendors rush to their megaphones.
The inconvenient truth many vendors choose to ignore is that plenty of WannaCry victims had anti-malware software installed. Sixteen UK hospitals were impacted. It is inconceivable that none of them had anti-virus software. Using outdated Windows XP certainly did not help, but organizations running supported Windows operating systems with mainstream, centrally managed, up-to-date endpoint protection suites regularly fall victim to ransomware infections.
Due diligence, best practices, and compliance requirements effectively mandate enterprise-wide anti-malware deployments. In all but the smallest of companies, a centralized console is the only manageable way to monitor endpoint protection status. CISOs face a dilemma: failing to deploy endpoint protection is negligent, yet many popular products are proving ineffective against rapidly evolving malware threats. Many anti-virus deployments provide more business value by placing checkmarks on compliance checklists than by actually stopping malware infections.
Despite vendor claims of advanced heuristics and cloud-based intelligence, most antivirus products remain primarily signature based, rendering them effective against legacy nuisance infections, but incapable of stopping more dangerous advanced malware threats. Constant signature updates are a hassle for customers, but provide a recurring revenue stream to the companies that supply them.
Expensive dynamic analysis systems often fail to live up to their marketing claims: they remain too easy for malware to evade, and vendors count detecting malware after it has already passed into the organization as a success. Malware capable of autonomous lateral attack movement, such as WannaCry, highlights how little security value many products actually provide.
A key challenge in cybersecurity is poor information sharing. Few, if any, victimized organizations are willing to discuss the defences they had in place when a security event occurred. If this information were to become public, it could assist future attackers, and it has the potential to adversely impact the organization’s image.
A carefully implemented global security event clearinghouse could collect information and report on the efficacy of various controls and products. But governments have demonstrated that they cannot be trusted with sensitive corporate security information, corporate IT budgets are too thin to support such an initiative, and security product developers have no incentive to participate. In the absence of scrutiny, security software vendors are free to make unsubstantiated claims, protected by software licence agreements that shield them from any liability.
Some cybersecurity vendors, primarily startups, are rising to the challenge with innovative solutions. Malware detection based on machine learning is poised to displace signature-based products. Execution control that leverages policy-based whitelisting shows promise, but developers must make these products much easier to deploy and manage.
These new solutions will take some time to gain acceptance, but they are the future of endpoint protection. They also threaten the large install base of traditional signature-based antivirus products, and at least one major vendor has responded with borderline predatory pricing practices to retain market share.
It is only fair to recognize some good behaviour during the WannaCry outbreak. While the exploit was apparently stolen from the NSA, the agency did warn Microsoft, who in turn issued a patch for supported systems a month before the outbreak. When it became clear that unsupported Windows XP systems were being infected and crippling businesses, Microsoft, under no obligation to do so, quickly released a patch. One security researcher, who could have easily sold his findings to a single anti-malware vendor, halted the attack for several days, clearly acting for the greater good.
But overall, the industry’s response to WannaCry is an affront to both the profession and to businesses struggling to protect themselves from this criminal malware assault. The cybersecurity industry must do better.