A running theme with Antivirus in Security circles is that it is useless - and I've personally witnessed that belief trickle out to lesser aware users who neglect anti-malware and just "run Chrome" or some other "solution" to all their ills.
They are woefully unaware of attachments, other patches, and safe browsing habits, and readily download supposed Intuit enhancements from an online forum, etc.
And two opposed themes regarding Security Awareness have emerged: 1) end-user behavior ultimately decides your eventual security, or 2) end-user behavior shouldn't matter and thus awareness training is a budgetary burden. (Read this piece by Dave Aitel, which prompted me to finally post.)
I want to address both of these issues.
First - the short of it -
Both Antimalware and Security Awareness are investments that need to be made but are entirely too expensive and expansive in most environments.
Now the details...
- An AV suite can't be the cornerstone of your security posture and thus shouldn't be a significant budgetary drain. It should be inexpensive and "set it and forget it."
- It's useless if it overwhelms you with noise but equally useless if it doesn't log at all. So choose wisely.
- "Support" is oversold in the AV market - I've seen absolutely zero situations that resulted in something from a support contract that the AV maker didn't have to do for everybody else in the world.
- Take three/four of your more savvy security (all facets), engineering, Legal, etc. folks and have them draft up emails and/or videos to send to everyone. It's not a production.
- Automate the system - skip tests and the flashy nonsense. You're only CYAing on a grand scale, people aren't actually sitting there eating the material up generally.
- Leave Security Awareness up to an OPSEC concern for each department - providing your expertise and personnel on an on-demand, limited basis, recorded for future playback.
My off-the-cuff rubric for spending, regardless of the size of business, for "generic" security needs is 3% average over three years.
How I came to that number was a function of environments I was exposed to but in effect that means really cheap at the Enterprise and free solutions only for Small Business.
Where these two intersect is the same fundamental problem - Security Usability.
No matter how many times it's warned against, most Security professionals use themselves and their contemporaries as the basis for what's "right"... and as security becomes higher profile with more incidents, it really starts looking less like cynical contempt for the users (still not appropriate) and more like plain excuses.
For some reason the former I think is trainable out of people - the latter really concerns me.
Antimalware isn't for us or people we regularly talk to - it's for the "unseen masses" we don't get to deal with personally. Security Awareness is the same... they're both part of creating a usable Security environment.
So instead of tossing them aside you need to take them in the context of ROI - and in that view they're entirely too expensive in most environments today (as total costs including personnel and support).
Closing the loop - while I agree with Dave's premise, strongly for that matter, I think it's appropriate to frame it in the context of the larger Security Usability issue.
Cross-posted from Packetknife's Space