Malicious actors are constantly developing new and improved methods to attack companies. Innovations in security software help organizations to defend against the dynamic world of information security threats, but this protection comes with inherent drawbacks.
One of these drawbacks is that security solutions can require significant access to systems and networks to assess whether or not suspicious activity is present. Further, researchers for security vendors often need to be able to review samples and dig deep to find clues pointing to new threats. Companies receive the benefits of this access and research but should also be aware of the potential risks.
The worst case scenario of the risk associated with this kind of technology was recently brought into the spotlight by the news that Russian intelligence officers exploited the antivirus software of Kaspersky Lab, a private Russian cybersecurity company, to steal sensitive American documents. After news like this, the question on many people’s minds is, do security technologies such as antivirus software still have a place in cyber defense considering the risks the software itself poses?
The answer is more complicated than a simple yes or no. Going with or without one solution or another will always present risks either way, but at some point a company will have to accept some risk. Rather than foregoing any protection at all or drastically limiting the effectiveness of investments made in their security solutions, companies can educate themselves on the potential risks involved with different security solutions and vendors and seek to mitigate those risks as much as possible.
Businesses take different factors into account when selecting and vetting business partners, and choosing a security vendor should be no different. Asking key questions of vendors helps to ensure that both parties are protected in their relationship. Questions such as how they monitor their own systems and networks, what the expectations are as far as disclosure of their own significant security events, and how they handle access to customer data are all helpful in establishing an understanding of how they operate. References, audits, and certifications are also valuable tools in establishing background on risks and potential insights on mitigations for those risks.
What can't happen with current technology is the Nirvana of expecting security vendors to deliver on the promise of protecting against the plethora of ever-changing security threats without giving them any visibility into systems and/or networks. There is a trade-off here and it's up to companies to decide what risk is acceptable and what isn't. Is the risk of not running antivirus software greater than the risk of giving that software full access to the systems it protects? If full access isn't given, how can it be expected to protect what it can't see? How many other security products essentially present this same risk dilemma? Who wants to explain to management that their decision to rid the company of antivirus software likely led to a missed infection leading to a front-page breach?
Simply avoiding security software requiring broad access probably isn’t the best answer. Asking the right questions of these vendors and taking appropriate steps internally to mitigate associated risks is the better path. It's completely acceptable to expect a certain amount of responsibility with this access on the part of vendors, but it's also reasonable to expect that, despite their best efforts, they too may be compromised or have security flaws turn up in their products just like any other organization.
Travis Farral is the Director of Security Strategy for Anomali. With over 20 years of security industry experience, he has developed a strong background in threat intelligence, incident response, and Industrial Control Systems security. Previously Travis ran the Cybersecurity Intelligence & Strategic Services team at ExxonMobil and spent several years at companies such as Nokia and XTO Energy.