No, anti-virus software isn’t dead (yet)
FORTUNE — Just over a week ago, Symantec’s (SYMC) senior vice president of information security Brian Dye delivered a concise eulogy for anti-virus software. It “is dead,” he told the Wall Street Journal. “We don’t think of antivirus as a moneymaker in any way.”
This isn’t news to the cybersecurity community. Most agree that anti-virus lost primacy seven or eight years ago as a traditional prevention tactic. The notion of setting up perimeter defenses around a network to keep hackers out has given way to a more flexible detection and response model. “The entire industry has moved beyond anti-virus a long time ago,” said Bret Hartman, chief technology officer of the security business group at Cisco (CSCO). “It’s not a surprise.”
But anti-virus protection remains important as a first line of defense against threats. According to Dye’s estimates, traditional cybersecurity methods catch more than 45 percent of threats. The problem, he says, is that anti-virus alone is insufficient. “The point that we were making in the interview with the Wall Street Journal and that we make with our customers on a regular basis is that anti-virus alone is not enough,” Dye clarified in an interview with Fortune. “The era of antivirus-only is over.”
“If that’s all you’re using to protect yourself, you’re vulnerable,” said Fran Rosch, senior vice president of Symantec’s Norton consumer business.
Other security firms have already begun implementing a new slate of security technologies. Juniper Networks (JNPR), for instance, lures malicious intruders into revealing themselves by placing bait within a network. “Once they touch a false piece of information we’ve planted, we flag it,” said Nawf Bitar, senior vice president and general manager of the security business at Juniper. The company can then determine whether an intruder is up to no good.
Others in the space are keeping up by acquisition. At the beginning of this year, FireEye (FEYE), for example, bought Mandiant, a cybersecurity firm able to investigate network breaches and track and detail hackers. Six months ago, Cisco purchased SourceFire, which also analyzes and tracks threats. Though the deals demonstrate that the industry at large is evolving beyond protection to detection and response, Symantec’s announcement is particularly notable for indicating a sea change at the company that originally invented commercial anti-virus software.
“It’s one thing for the outside world to bash anti-virus,” said Ted Schlein, general partner at Kleiner Perkins Caulfield & Byers, who helped create the earliest commercial anti-virus software products at Symantec in the late 1980s. “It’s another thing for the anti-virus king to bash anti-virus.”
Symantec still rakes in more than 40 percent of its revenue from anti-virus products. But year-over-year, that revenue is in decline. In the company’s latest quarterly earnings report, revenue fell 7 percent for the quarter ended March 28 compared to the same quarter last year.
“The only dead thing about A.V. are its revenue and growth prospects,” wrote Vinnie Liu, co-founder and partner at security consultancy Bishop Fox, in an email. “Instead of settling for diminishing returns on old school preventative technologies (e.g. A.V.), they’re finding they can achieve higher R.O.I. from adaptive tools.”
In other words, in order to remain relevant, Symantec has chosen to follow the money. “By 2020, 60% of enterprise information security budgets will be allocated for rapid detection and response approaches,” according to a May 2013 study by the market research firm Gartner, “up from less than 10% in 2013.” That certainly sounds like an opportunity for growth.
Following the pronouncement of the death of anti-virus, Symantec announced the addition of two new premium security services to its existing flagship products for business. The company wants to go head-to-head with competition like FireEye by briefing companies on threats, analyzing networks for shady activities and detecting breaches.
“It is a smart move by SYMC,” wrote Craig Carpenter, Chief Strategy Officer from AccessData, in an email, noting that Symantec has lagged in recent years. “The quickest way for SYMC to catch up (i.e. get to market with a viable solution) is to launch a managed service or two leaning on their advantages (a large installed base and strong presence on the client) and filling in key gaps with a partner ecosystem (e.g. threat intelligence monitoring, IR [incident response], etc.).”
Having ousted its second CEO in two years — Steve Bennett — in March, Symantec is clearly trying to reinvent itself. “It’s challenging dealing with your own legacy system,” said Schlein. “I hope they get the leadership in there to make those changes.”
But has anti-virus drawn really its last breath? Cisco’s Hartman added that no technology truly dies, it just becomes more commoditized or less valuable. Rosch analogizes anti-virus software to the seatbelt in a car. It’s the first layer of protection; as the industry continues to evolve and safety grows more sophisticated, shoulder strap, airbags, and better braces follow.
“I think anti-virus someday won’t be needed at all,” Schlein said. “But right now it takes care of a lot of the known items.”
So don’t uninstall just yet.