Security software is essential for protecting devices and networks from malware. But, perhaps counterintuitively, letting this endpoint security software sit on a machine and expire or fall out of support may actually be just as risky as not having installed it in the first place.
No middle ground: Why an outdated defense is as problematic as no defense
For starters, having outdated antivirus or antimalware in place can create a false sense of safety, even though the cybersecurity landscape has recently shifted toward continuous defense. CIOs and security teams are realizing that they not only have to keep software up to date, but also must go beyond malware/virus detection and shield enterprise data from advanced persistent threats such as surveillance.
On top of that, today’s cutting-edge threats are frequently and automatically updated, making it difficult for signature-based defenses to keep pace. To be fair, the writing has been on the wall for signatures for some time now. Back in 2008, John Maddison of Trend Micro expressed a common sentiment in the industry in predicting an imminent wave of malware, which would require tens of thousands of new signatures to be created each hour.
It has been clear for years that security infrastructure needs an overhaul. Leaving it as-is is tantamount to having no protection at all, given the disconnect between old defenses and new threats. Antivirus and related tools were designed in a different era, when cloud computing and high-speed networking weren’t yet accessible enough to enable the constant modification of cyberattacks.
“The unprecedented volume and scope of new threats also exposes a multitude of weaknesses in existing security infrastructure,” observed security researcher Jon Oltsik in a 2010 Enterprise Strategy Group white paper commissioned by Trend Micro. “[S]ignature-based technologies are only as effective as their latest updates, and product integration can help ease operations but to a great extent, an organization’s security is completely dependent upon its security vendor’s ability to detect new attacks and develop countermeasures.”
Security must now be at least somewhat proactive, since being purely reactive requires incredible overhead. The issues in making this shift in strategy, though, run deep. Keeping software up to date hasn’t always been a strong suit of businesses or consumers.
Some updates never come: Aging security software, OSes and other applications raise risk
Think back to the widespread concern in early 2014 about the end of mainstream support for Microsoft Windows XP, which still remains the second most popular version of the operating system. Or consider the case of Java 6, a legacy platform and magnet for Web-based attacks.
Trend Micro’s Christopher Budd highlighted both of these issues in a February 2014 post for the Trend Micro Simply Security blog. He outlined how Trend Micro had predicted that exploitation of known but unpatched vulnerabilities would continue to be an issue in 2014. Moreover, if enterprise linchpins such as Windows and Java can’t be held to a rigorous update schedule, then what hope is there for security software?
It’s not an apples-to-apples comparison, granted. Old OSes and development frameworks may be maintained for cost and compatibility reasons. Some applications would require a fresh coat of paint just to work smoothly on a newer platform, a costly undertaking likely not worth the risk, considering the stakes. With cybersecurity infrastructure, there is a cost element, but the risk profile is reversed – not doing something (i.e., sticking with outdated security solutions) is almost always going to be more perilous than upgrading.
For enterprises, it is vital that the mindset behind sticking with old versions of Windows and Java not influence their stance on cybersecurity infrastructure. ATMs – many of which ran XP into this year – were by and large OK after the XP deadline, but the circumstances were unusual, with banks able to foot the bill for extended support. Security software, unlike an OS, serves a highly specific purpose and won’t be able to muddle on – being good at some things and less adept at others – if its single defining functionality becomes obsolete in the face of new threats.
Just as a signature-based solution is only as good as its latest update, security software only works if it is up to date. This holds true whether an endpoint is running XP or something as new as Windows 8.1.
Microsoft research finds negligible difference between outdated protection and no protection
Underscoring this point, Microsoft recently issued a report showing that a sizeable portion of all PCs on Windows 8 and 8.1 were in some state of vulnerability, owing to either expired or snoozed security software or a lack of any protection.
The difference between having lapsed antimalware and nothing, though, was slim. For example, the infection rate for PCs with no security was 2.4 percent. It was only slightly better for PCs with expired or deactivated tools, at 2.2 percent, and out-of-date ones at 1.9 percent.
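The report’s four buckets (no protection, expired or deactivated, out of date, current) map directly onto a check an IT or security team can run against its own endpoint inventory. The script below is an added example, not code from the original post, from Microsoft, or from Trend Micro; the inventory export format, the column names, the reference date and the seven-day definition-age threshold are all assumptions chosen for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumptions for this example: a fixed reference time so the result is
# reproducible, and a staleness threshold after which signatures count as out of date.
NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)
MAX_DEFINITION_AGE = timedelta(days=7)

# Constructed inventory export (not real data); column names are assumed.
# Empty cells mean "unknown / not applicable".
SAMPLE_INVENTORY = """hostname,av_installed,av_enabled,license_expires,definitions_updated
ws01,yes,yes,2015-01-01,2014-05-30
ws02,yes,yes,2014-03-01,2014-05-31
ws03,yes,no,2015-01-01,2014-05-31
ws04,yes,yes,2015-01-01,2014-04-01
ws05,no,,,
ws06,yes,yes,2015-01-01,
"""

STATES = ("none", "expired_or_disabled", "out_of_date", "current")


@dataclass
class Endpoint:
    hostname: str
    av_installed: bool
    av_enabled: bool
    license_expires: Optional[datetime]
    definitions_updated: Optional[datetime]


def _parse_date(value: str) -> Optional[datetime]:
    """Parse an ISO date from the export; an empty cell becomes None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def parse_inventory(text: str) -> List[Endpoint]:
    """Turn the CSV export into Endpoint records."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        Endpoint(
            hostname=row["hostname"],
            av_installed=row["av_installed"].strip().lower() == "yes",
            av_enabled=row["av_enabled"].strip().lower() == "yes",
            license_expires=_parse_date(row["license_expires"].strip()),
            definitions_updated=_parse_date(row["definitions_updated"].strip()),
        )
        for row in reader
    ]


def protection_state(ep: Endpoint, now: datetime = NOW) -> str:
    """Classify one endpoint into the report's buckets.

    Order matters: an endpoint with nothing installed is 'none' regardless of
    other fields; a disabled or lapsed product is 'expired_or_disabled' even if
    its definitions happen to be fresh; only an enabled, licensed product with
    recent definitions is 'current'.
    """
    if not ep.av_installed:
        return "none"
    if not ep.av_enabled:
        return "expired_or_disabled"
    if ep.license_expires is not None and ep.license_expires <= now:
        return "expired_or_disabled"
    # Unknown last-update time is treated as stale rather than assumed fresh.
    if ep.definitions_updated is None or now - ep.definitions_updated > MAX_DEFINITION_AGE:
        return "out_of_date"
    return "current"


def summarize(endpoints: List[Endpoint], now: datetime = NOW) -> Dict[str, int]:
    """Count endpoints per protection state."""
    counts = {state: 0 for state in STATES}
    for ep in endpoints:
        counts[protection_state(ep, now)] += 1
    return counts


def needs_attention(endpoints: List[Endpoint], now: datetime = NOW) -> List[str]:
    """Hostnames of every endpoint that is not fully protected, for a remediation list."""
    return sorted(ep.hostname for ep in endpoints if protection_state(ep, now) != "current")


if __name__ == "__main__":
    fleet = parse_inventory(SAMPLE_INVENTORY)
    for state, count in summarize(fleet).items():
        print(f"{state:>20}: {count}")
    print("needs attention:", ", ".join(needs_attention(fleet)))
```

The point of the ordering in `protection_state` is the same one the report makes: a product that is installed but expired or switched off offers no more assurance than an empty slot, so it should never be counted as "protected" just because a signature file is recent. Treating an unknown update time as stale keeps inventory gaps from quietly inflating the "current" count.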
The statistics in the study may be a particularly useful warning for consumers, despite the obvious lessons for enterprises trying to keep their systems current. Many PCs ship with trial versions of antimalware, meant to give users a taste of security before prompting them to upgrade to a paid solution.
Conversion rates, however, are apparently low, leaving many PCs exposed shortly after purchase. Unsurprisingly, the number of vulnerable non-domain systems documented by the Microsoft survey spiked not long after the initial release of Windows 8, likely indicating the expiration of large numbers of OEM trials.
The lesson of this study and of recent struggles with legacy software is that it pays to keep security infrastructure updated. In comparison, the cost of a breach or APT is much higher and not worth the risk of sticking with a convenient but outmoded defense.