The rise of the Internet of Things may hasten the demise of antivirus software, according to some experts.
The experts believe efforts to secure Internet of Things (IoT) devices such as smart lighting and surveillance cameras may negate the need for antivirus software in the future.
Not everyone agrees, of course, but the discovery of vulnerabilities in Symantec products, including Norton AntiVirus software, indicates that perhaps we need to find additional ways to protect our devices and data.
To be fair, security vendors are working on new solutions, and the booming IoT industry may hold the key to unlocking some of those solutions.
The rise of IoT means more devices will be connected, but they'll be harder to secure. Much of the IoT hardware already on the market doesn't have security built in.
“The trend we're seeing is that many vendors are coming out with new devices, but they don't take security seriously because they don't understand that it's important, or they just don't care,” said Cesar Cerrudo, chief technology officer of security firm IOActive.
That leaves devices at risk throughout their lifetime, as IoT gadgets are often difficult to update. “The Internet of Things is an interesting area because these devices are usually small, autonomous, and you can't install any additional security software on top of that,” said Andrey Nikishin, future technologies projects director at Kaspersky.
“If it's insecure, it stays insecure forever. You can't fix it – it would be expensive, more expensive than the device itself.”
While experts routinely suggest IoT makers build security in ‘by design’, another way to secure the connected devices in our homes and businesses may be to shift security to the network or router – and what works for your smart fridge could work for your PC.
Protecting IoT with an operating system
There are different ways of tackling this problem, but Kaspersky is building KasperskyOS as its solution. KasperskyOS has been in the works for years, with the company unveiling it in 2012 as a secure operating system for industrial control systems. But it has since been suggested that the tiny microkernel design could help secure everything from smart cars to IoT devices.
“At the moment, all of the pieces are one big mess, and they all communicate with each other,” explained Nikishin. “If you have vulnerability [in one spot], you can get control of the whole system. How it works in our system... all communications go through the microkernel, and all of the communications go past the security system there.
“Only documented communication is allowed. If one part is vulnerable, only that part is vulnerable, and hackers can't get anywhere else in the system,” said Nikishin. “The operating system gives the chance to run unsecured software, securely. We don't trust third-party software by default, but we create an environment where you can trust untrusted software.”
If hackers target your smart light bulbs, they may be able to hop over your Wi-Fi to your PC, for example. Using this system, they'd be blocked.
When asked if this could apply to your PC and remove the need for antivirus, Nikishin said it could, essentially giving the OS sandbox-style protection similar to modern browsers. However, he stressed such a solution would be at least a decade in the future, as further development work needs to be completed before it could be widely adopted.
Whether or not KasperskyOS rids the world of antivirus software, PCs do need to be made more secure. “We've reached the moment when we understand we have to do something, redesign everything in a secure way,” added Nikishin.
Routing around the issue
There's also a growing trend to shift security to the perimeter of the network. IOActive’s Cerrudo said the router is a sensible place for security to live, since it's “the easiest place to add protection”.
Google is keen on the idea, with its OnHub router offering easy-to-understand management and security, while F-Secure's Sense router aims to offer security across your home, covering smart appliances to smartphones, tablets and PCs, scanning web traffic before it gets to your devices, as well as acting as a virtual private network (VPN), firewall and more.
“Whereas companies have IT admins to monitor the network and make sure everything is secure, your home with IoT is becoming more and more of a network onto itself,” said F-Secure security advisor Sean Sullivan. “This moves security to a device on the network, either the router or another specialised device, that kind of sits there in partnership with the router.”
And if your network's already being scanned for viruses and other malware, can we uninstall antivirus from our PCs? “Yes, exactly,” Sullivan said, explaining security must shift that way, as “you're never going to use antivirus on your refrigerator”.
To the cloud
This, Sullivan claims, is where the cloud comes in. “We'll still have a bunch of [security] software for the near future,” he said, saying F-Secure already tends towards calling it endpoint security rather than antivirus. “I think the goal will be to make it lighter, so it's almost all cloud-based.”
“I think we'll move beyond needing antivirus on our computers."
He explained that devices will have a client that can query the cloud security provider, asking about the reputation of a program or whether an IP address is safe or a known problem. That can work for smaller devices as well as for PCs, he added.
“I think we'll move beyond needing antivirus on our computers so that the computer doesn't get turned into a bot,” Sullivan said.
A cloud-based security system can protect against distributed denial of service (DDoS), ransomware and other attacks, he added. This is helped by the shift in software such as office suites to the cloud, and improvements at the operating system level, making it harder for malicious code to run.
“The OS is getting more secure, so I think at some point it will become difficult to run untrusted code on an operating system,” Cerrudo explained. “So that will make antivirus less useful in the traditional way we use it right now.”
While viruses and malware must still be battled, Sullivan suggested security will shift in a new direction, away from detecting threats to “keeping everything healthy and up to date”.
Of course, security companies won't simply sit back and hope “healthy” systems can withstand the onslaught, and not everyone agrees that antivirus is on the way out.
“Properly configured and updated antivirus is an efficient security control, and will remain so even into the future,” argued Ilia Kolochenko, founder of web app security firm High-Tech Bridge – and his firm doesn't even make antivirus.
New technologies such as artificial intelligence-based automation could help boost security vendors' arsenals.
“Currently, we are talking a lot about autonomous machine learning, however, I'm not sure its effect will be bigger than heuristic analysis was in the antivirus industry years ago: that was predicted to totally eliminate all viruses in a couple of years,” said Kolochenko.
“Instead I believe in 'cyborgisation' of technologies – when human and machines will be working together, complementing one another and completing each other's weaknesses.”
And just like IoT, the arrival of new technologies such as virtual reality and augmented reality could also have security implications.
“One wonders if there will be virtual spaces in the future to secure,” Sullivan pondered. “There's a lot of unpredictable future ahead of us.”