Tuesday, May 06, 2014

symantec anti-virus is dead

there's a lot of digital ink getting spilled right now over symantec's brian dye saying that anti-virus is dead (one, two, three, four, five, and more to come i'm sure), but i don't see many people asking the tough question, which is "why should we believe symantec now"?

looking back over my past posts about symantec paints a pretty unappealing picture, and reveals what might be considered a pattern. virtually right from the beginning they named their consumer anti-virus product after a man who famously said computer viruses were an urban legend. then, when they tried to reinvent themselves with their "security 2.0" campaign, they claimed the virus problem was solved. now, when it appears they're trying to reinvent themselves again, they're saying that anti-virus is dead. it seems that whenever their business plan calls for serious marketing, they latch on to messages that grab attention but whose reality is questionable at best.

when the biggest anti-virus vendor starts saying anti-virus is dead, there's no way that isn't going to grab a lot of attention. it seems designed to hurt the very industry they're on top of, while they are (apparently) in the process of trying to distance themselves from it. i've noted in the past that the biggest players in the industry are hurt the least by the consequences of their bad acts. as market leaders they control perception not just of themselves but of the entire industry, so that even if a smaller player wanted to try to present a more reasonable and accurate view of things in order to better compete on technical merit rather than deceptive marketing manipulation, there's very little impact they could have. saying that anti-virus is dead while simultaneously trying to position themselves as something else is essentially a scorched earth tactic. it will hurt the entire anti-virus industry while drawing attention to the alternate industry they're trying to create/break into.

when the biggest anti-virus vendor starts saying anti-virus is dead, there's also no way that shouldn't raise the hairs on the back of your neck. out of the blue symantec starts mimicking exactly the same message that enterprise level infosec people have been saying for years? am i the only one who thinks that sounds like it belongs in the too good to be true category? this is the same kind of technique a malware writer might use to trick you into trying out his/her handiwork. before you get any ideas about symantec using 'trojan marketing', though, it's also the same kind of technique AV marketers used when they told people just using AV would solve their security problems. too good to be true has been part of the AV marketing arsenal from the very beginning, it's just that this new one about AV being dead seems to be designed for a much more select class of dupe, i mean user. this is the same shit, it's just a different pile.

it'll probably work, though. telling people what they want to hear is unfortunately quite effective. even smart people will fall for it, because despite being smart, those people still want to hear something that is far too simplistic to have anything in common with reality. when you look closely enough, the truth always seems to wind up being messy and complicated, not something that could fit in a sound-bite.

this is the reason why i try to convince people to stop listening to marketing (and really, everything that comes out of a vendor is marketing to some degree). this is almost certainly nothing more than another in a long line of efforts to deceive and manipulate the market. if you must listen to something, listen to their actions. they aren't retiring their AV product, so how dead can AV really be?

all that being said, i actually do welcome their shift in focus from purely prevention to now include more detection and recovery. it's about time AV vendors started getting serious about the last 2 parts of the PDR triad (prevention, detection, recovery). it doesn't have to be purely service-based detection though. years ago we had generic detection tools (such as integrity checkers) that end users could use themselves. symantec's focus on providing detection services instead of detection tools betrays a philosophy of not trusting the users' competence, which in turn is consistent with their long history of failing to educate, elevate, and empower their users. maybe that kind of paternalism is appropriate for home users, but enterprise security operations? i thought we could expect enterprise level IT and infosec professionals to develop skills and expertise in these kinds of areas, so why is symantec choosing a path that takes these things out of advanced customers' hands?

as much as it seems like symantec is doing an about-face, they really haven't changed their tune. telling enterprises what they want to hear is just a ploy so that enterprises will get in bed with them (that's just what we call pillow talk, baby). they still aren't giving their users any new power to affect their own security outcomes. so far they're just offering words. nothing but sweet, sweet words that turn into bitter orange wax in your ears.