The decision by VirusTotal to restrict access to its service to certain companies underlines the need for businesses to proactively implement whitelist security solutions, rather than place too much faith in blacklist security. This is according to Norwegian app security provider Promon.
VirusTotal, the largest collection of industry analysis of computer viruses, announced last week that it will end unlimited ratings access to companies that do not share their own evaluations of submitted samples. This has led many experts to conclude that businesses frozen out by these new restrictions may be more exposed to hackers as a result.
However, according to Tom Lysemose Hansen, founder and CTO of Promon, the more important point to be made here is that organisations should not be relying so heavily on a service such as VirusTotal in the first place.
Hansen commented: “VirusTotal is a tool that has proven to be indispensable to many companies, and marks a triumph of collaboration between members of the cybersecurity community. But what has emerged from the decision to limit access is that many high-profile security firms rely entirely on VirusTotal’s database to keep ahead of the latest threats.
“Using a database that only contains known threats is equivalent to walking a cybersecurity tightrope, and is not an approach that should be taken by companies whose reputation is founded on technological innovation and expertise.”
Instead, Hansen believes that businesses of all sizes should do more to take charge of their own cybersecurity destiny, by demonstrating proactivity through embracing whitelist security.
He added: “With threats increasing by the day, taking such a passive approach to security just won’t cut it any more. To make data safe from intrusions, companies should be focusing on proactive security, which protects organisations from the unknown threats as well as the known ones. One way to do this is by introducing app hardening software to shield critical applications themselves, rather than by simply establishing a perimeter.”
He concluded: “VirusTotal will remain a crucial tool in maintaining cybersecurity awareness. But to rely on it as the sole resource for keeping data safe is insufficient. Reputations are at stake: to keep them intact, adopting whitelist security will enable organisations to remain one step ahead, rather than one step behind.”
I asked several other security experts what they thought would be the repercussions of VirusTotal’s policy change. Paul Fletcher, cyber security evangelist at Alert Logic, felt that active threat intelligence should always be a critical part of an organisation’s overall cyber security strategy, saying: “While this policy change will have an impact on gathering intelligence information about the latest threats, it’s always a best practice to have multiple resources in this field of practice. This is not only true because a resource (paid or free) may alter their policy, but they may also alter algorithms and/or search functionality. Having multiple resources also helps to verify research for new and emerging malware. This policy change will impact some organisations, but it reinforces the need for multiple options when it comes to Cyber Security Threat Intelligence.”
Rich Barger, chief intelligence officer at ThreatConnect, commented: “VirusTotal is an invaluable resource and one of the de facto first stops for security researchers and practitioners worldwide. What we are seeing play out is a clash between the old and the new, the established mainstream security vendors and the new school start-ups. VirusTotal, as this de facto monolith, finds itself in the center of the controversy. Many of the established anti-virus and endpoint community have shared scanning technologies as well as malicious files with VirusTotal, where other vendors have not, and are simply piggybacking on the detection ratios of other more established solutions and brands. It appears that VirusTotal is being very careful not to play favorites and wants to make sure that the entire security community is playing on a level playing field while maintaining their best interests as well.”
Aftab Afzal, SVP & GM EMEA at DDoS firm NSFOCUS IB, concluded: “Services like these rely on the input from their entire communities. Security vendors have a duty of care to share their research for the greater good and, fortunately, most do. There will always be those that just take, and in some cases have little of their own to contribute. This policy change may have some short-term impact; however, it should encourage collaborative behaviour in the longer term.”