[arpa]

Just to play the devils' advocate, I do think that the attitude of "never use AV products" could work in corporate environment, provided the administrators are competent and draconian enough to counter-weight the absolute incompetence of users (because, frankly, the largest attack surface is the incompetence of the user):

use security policies of the domain to only allow whitelisted applications to be run;

restrict internet use to whitelisted destinations;

configure mail servers to accept only whitelist sources, use DKIM/DMARC, and reject multipart messages.

Mandate usage of wired-only HID peripherals which are soldered to the port. Don't use wifi, and physically secure the access to network wires.

Glue shut all other computer ports.

Go all-out Saudi-arabian with people who don't comply with security policies and punish them by removing digits and public hangings for repeated offenses.

It's really that simple.

[freehunter]

I work as a security consultant for a major tech company and my clients are almost always Fortune 500 (with some Fortune 100 companies, and at least one top-10 company). When they hire us, we get to learn everything about their security infrastructure.

The trend is clear: AV is out, Carbon Black (or Crowdstrike, etc) is in. This is especially prominent in the financial industry. My wife works at a tiny local bank and they're doing trials of Carbon Black.

AV is terrible software, the chemotherapy of the security world. It only exists because it's slightly better than the alternative, and if you don't have an active disease, it acts as a disease of its own. You're glad its there when it saves your life, but you curse its name every day. Application whitelisting tools don't interfere with the day-to-day workings of your computer, but don't let the bad stuff in. You're only allowed to run the software you need to run, and nothing else.

It's not set-it-and-forget-it like AV, but it's a damn sight more effective and less annoying to the users.

[drzaiusapelord]

Except AV started out like how Carbon or Cylance did (lean, effective, buzzworthy, etc) and other popular applications started out. It was decades of feature creep, poor competition, out of control pricing, etc that killed the AV industry.

I'm seeing the same thing today. Getting a trial of Cylance for a small environment seems next to impossible and when 3rd party testers test these apps, the false positive rates are terrible. Worse, they miss a lot of obvious malware traditional AV doesn't.

I am skeptical this technology is some silver bullet for the industry. I imagine cryptolocker changed the game where its politically expedient to whitelist everything be it application, driver, URL, etc where in the past IT departments were told to pound sand because some executive couldn't install Bonsai Buddy on the weekend or whatever.

Once you have proper whitelisting then you can pretty much remove AV or go with a non-traditional AV product like the kinds you list or no AV at all. Whitelisting requires a centralized IT department, no BYOD, and a lot of other infrastructure and talent smaller organizations simply don't have. I suspect traditional AV is here to stay for rational reasons and the technology behind things like CB or Cylance will eventually be part of a traditional AV package.

Arguably, the heuristics behind Win10's more advanced SmartScreen are a poor man's version of this and SS comes with every copy of Windows10 (The Win7 version is actually very poor). I imagine there's a lot of anxiety about being acquired by these companies before traditional AV reverse engineers what they do or SmartScreen gets good enough to the point where you can run a flawed local AV and still get some world-class heuristics watching your back as well.

[nugget]

Whitelist-only works until it doesn't. All an attacker has to do is compromise one of the whitelisted apps (e.g. a web browser) and they will have infiltrated the device and perhaps the network. Certain institutions can tolerate operating as a digital supermax prison (law firms, banks, Government). Most can't. The future is likely some mix of network defense, whitelist/blacklist management, traditional AV for each device, VMs (less effective with migration of apps to cloud), and lots of user education.