
Why antivirus and security suites are not enough to keep your information safe

Almost half of SMEs do not have an incident response plan, and a third of these companies do not offer any type of cybersecurity training to their staff. In many cases, their protection strategy against cyberattacks is based on the use of antivirus and security suites. But… are antivirus and security suites enough to protect corporate information?

To gauge the effectiveness of antivirus and security suites, we must first look at the characteristics of these technologies. Antivirus programs scan a device for malware, delete or quarantine suspicious files, alert about security problems and stop dangerous processes.

On the other hand, a security suite is a set of applications such as antivirus, firewalls, password managers or anti-fraud programs that are implemented on computers and servers to establish a higher layer of protection than that offered by a simple antivirus.

We will now break down the reasons why antivirus and security suites are not effective enough in protecting corporate information.

1. The false positive rate of antivirus and security suites must be low

Both antivirus and security suites are commonly used on personal devices and corporate computers. In order for their operation not to disrupt the daily activity of companies, they cannot generate a volume of alerts that is unacceptable to the users of these solutions.

Why? Otherwise the applications would generate more noise and work than benefit. This has several consequences:

  • Developers of antivirus and security suites seek to avoid false positives: supposed cases of malicious activity that turn out not to be a danger, but that nevertheless disrupt the day-to-day operations of companies, for example because the program stops a process.
  • This kind of technology therefore focuses on alerting about high-risk threats.
  • As a result, false negatives may occur: genuinely malicious cases that have not generated any alert from the antivirus or security suite.

Thus, a security suite with defense mechanisms such as network or cloud security is an interesting technology for a company. However, these are automated tools that aim to be precise so as not to block business processes without having sufficiently solid reasons to do so.

2. The effectiveness of antivirus and security suites is reduced in the face of behavior that is not technically malicious

We should also note that antivirus and security suites are automated solutions that track malicious activity in a technical sense. Hence, these technologies are not able to detect and block activity that is harmful to the business but is not technically malicious.

For example, if a worker copies several files of great value to their company, such as a list of customers, onto a USB stick and takes it outside the company, the antivirus or enterprise security suite will not issue any alerts. After all, the professional has performed a seemingly everyday action. However, this may be a fraudulent action.

Many malicious actions escape the reach of suites and antivirus

Another possible scenario is that Python is used to execute a script. Many legitimate applications do this, so it is difficult for an automated tool to tell whether a given execution is genuine or not.

Therefore, when addressing the effectiveness of antivirus and security suites in protecting corporate information, it is important to bear in mind that these technologies operate from a purely technical perspective and do not take into account that some activities may critically affect business and may even be fraudulent.

3. These technologies are insufficient to deal with advanced threats

We should also note that the effectiveness of antivirus and security suites in protecting corporate information suffers in the face of sophisticated cyberattacks. Why? Cybercriminal groups with more resources and technical capabilities can implement techniques, tactics and procedures that successfully evade detection by these technologies.

Hence, cybersecurity experts emphasize that the effectiveness of antivirus and security suites in protecting information is very limited in large enterprises, as these organizations are targeted by advanced persistent threat (APT) groups and other high-level malicious actors.

APTs can emulate the activity of an IT team or legitimate software and, therefore, prevent antivirus and security suites from raising any alerts, even if a security incident is occurring. Moreover, these technologies have an added limitation: they lack telemetry and, therefore, cannot provide the information that Threat Hunters and other cybersecurity professionals need to protect businesses.

4. Antivirus and security suites vs. EDRs: Telemetry is key

It is important to keep in mind that, unlike an EDR, antivirus and security suites do not record information about the activity occurring on a computer.

EDR technology provides a higher layer of protection against security incidents and valuable information that cybersecurity experts can interpret to detect malicious patterns that the technology itself was not able to capture.

Put another way, antivirus and security suites do not operate on a grayscale. They generate alerts when the probability that an activity is malicious is very high. However, they do not provide information about other activities that could be malicious.

A professional service is able to detect attacks that a security suite or antivirus would miss.

In contrast, EDRs, by providing telemetry, allow professionals to interpret the information and sift through all activities that occur on the grayscale to see if they are mere suspicions that do not pose a security risk or if, on the contrary, they are malicious actions.
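The following is an added example, not code from the original post or from Tarlogic, that makes the contrast in sections 2 and 4 concrete. It models a threshold-only detector (alert only on a known-bad hash) beside two hunting queries run over the same recorded telemetry: the bulk copy of a customer list to a USB stick and a Python interpreter launched by an Office application. Neither of the latter is technically malicious, so they are returned as findings for an analyst to review rather than as blocks. Every event record, field name, hash and threshold is constructed for the demonstration; real EDR schemas differ.

```python
"""Threshold-only alerting versus queryable telemetry.

Added example, not code from the original post or from Tarlogic. The event
records, field names, hashes and thresholds are all constructed for the
demonstration; real EDR schemas differ.
"""
from collections import defaultdict

# --- Constructed telemetry --------------------------------------------------
# A flat list of endpoint events of the kind an EDR records continuously.
# Field names are assumptions made for this example.
TELEMETRY = [
    {"ts": 100, "host": "ws01", "user": "alice", "type": "process",
     "image": "winword.exe", "parent": "explorer.exe", "sha256": "hash-word"},
    {"ts": 101, "host": "ws01", "user": "alice", "type": "process",
     "image": "python.exe", "parent": "winword.exe", "sha256": "hash-python",
     "cmdline": "python.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.py"},
    {"ts": 200, "host": "ws02", "user": "bob", "type": "process",
     "image": "python.exe", "parent": "vscode.exe", "sha256": "hash-python",
     "cmdline": "python.exe C:\\dev\\project\\tests.py"},
    {"ts": 300, "host": "ws03", "user": "carol", "type": "process",
     "image": "dropper.exe", "parent": "outlook.exe", "sha256": "hash-known-bad"},
]
# A worker copying the customer list to a USB stick: 25 file writes in 25 s.
TELEMETRY += [
    {"ts": 400 + i, "host": "ws04", "user": "dave", "type": "file_write",
     "path": f"E:\\export\\customers_{i:02d}.xlsx", "removable": True}
    for i in range(25)
]
# An ordinary, single save to a removable drive by another user.
TELEMETRY += [
    {"ts": 500, "host": "ws05", "user": "erin", "type": "file_write",
     "path": "E:\\talk\\slides.pptx", "removable": True},
]

KNOWN_BAD_HASHES = {"hash-known-bad"}  # constructed signature database


def antivirus_alerts(events):
    """Threshold-style model: alert only on a high-confidence match (a
    known-bad hash here). Everything else is neither stored nor surfaced."""
    return [f"{e['host']}: blocked {e['image']} (known-bad hash)"
            for e in events if e.get("sha256") in KNOWN_BAD_HASHES]


def hunt_removable_bulk_copy(events, min_files=20, window=300):
    """Hunting query over telemetry: many writes to removable media by one
    user on one host inside a time window. Not malicious per se, so it is a
    finding for a human to review, not a block."""
    buckets = defaultdict(list)
    for e in events:
        if e["type"] == "file_write" and e.get("removable"):
            buckets[(e["host"], e["user"])].append(e["ts"])
    findings = []
    for (host, user), stamps in buckets.items():
        stamps.sort()
        best, lo = 0, 0
        # Sliding window: largest number of writes within any `window` seconds.
        for hi in range(len(stamps)):
            while stamps[hi] - stamps[lo] > window:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= min_files:
            findings.append({"host": host, "user": user, "files": best,
                             "reason": "bulk copy to removable media"})
    return findings


INTERPRETERS = {"python.exe", "powershell.exe", "wscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}


def hunt_interpreter_from_office(events):
    """Hunting query: a script interpreter spawned by an Office application.
    Legitimate in some environments, but rare enough to merit an analyst's look."""
    return [{"host": e["host"], "user": e["user"], "cmdline": e.get("cmdline", ""),
             "reason": f"{e['image']} spawned by {e['parent']}"}
            for e in events
            if e["type"] == "process" and e["image"] in INTERPRETERS
            and e["parent"] in OFFICE_PARENTS]


def triage(events):
    """Side by side: what the signature threshold alerts on versus what a
    hunter can pull out of the same telemetry for review."""
    return {"av_alerts": antivirus_alerts(events),
            "hunt_findings": (hunt_removable_bulk_copy(events)
                              + hunt_interpreter_from_office(events))}


if __name__ == "__main__":
    for section, items in triage(TELEMETRY).items():
        print(section)
        for item in items:
            print("  ", item)
```

Run as written, the threshold model blocks only the known-bad binary on ws03, while the hunting queries surface dave's 25-file copy to removable media and the Python interpreter launched from Word on ws01. Bob's Python run from an editor is not returned, which is the point of the grayscale: the queries narrow the analyst's attention without pretending to decide on their own.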

It should be noted, however, that not all EDRs are the same. For example, Tarlogic’s Threat Hunting services only use approved technologies that the company’s professionals have previously analyzed to ensure that they are robust and generate all the information needed to provide these cybersecurity services.

5. The importance of human talent in protecting companies

No technology is infallible. It is, therefore, essential that a company’s cybersecurity strategy combines the use of basic solutions such as antivirus and security suites with more complete technologies such as EDRs and specialized cybersecurity services such as Threat Hunting, Red Team or Blue Team.

In this way, a basic principle of cybersecurity will be fulfilled: defense in depth through the deployment of several layers. Giving up defense in depth can be foolhardy for SMEs and, above all, for large organizations; they are exposed to cyber-attacks that result in heavy financial losses and the imposition of penalties for not having adequately protected data.

It is, therefore, critical to implement proactive Threat Hunting services that analyze the information reported by validated EDRs and can continuously investigate to detect the most advanced malicious techniques, tactics and procedures that go unnoticed by technologies such as antivirus or security suites.

Conclusions

In short, all companies, regardless of their size or sector of activity, must be aware that security suites and antivirus software are a first layer of defense. Still, they are not enough to protect their information and assets.

The use of cutting-edge technology and the knowledge and experience of specialized professionals are critical to prevent, detect and respond to security incidents. If you want more information on how to protect your company from the many threats it may face, please contact us without obligation.