The IT security market remains dominated by anti-malware vendors whose business model is based on the detection of new malware and selling subscription-based updates that block new malware as it is released. Two of the world’s biggest security companies, McAfee and Symantec – while both have diversified into services – still focus much of their global marketing effort on anti-malware and being seen to be on the offensive against the malware creators. And to the general public, cyber security IS anti-malware.
At the same time, despite coming up with new product categories that supposedly meet new types of threats as they appear, many parts of the IT security vendor community continue to license those core anti-malware products from the major manufacturers, and neatly package them into a wide variety of tin boxes in categories such as anti-malware gateways, anti-malware management, UTM and content filtering.
While it is true that security technology has improved in the last ten years, with a move to more intelligence and risk-based tools such as SIEM and vulnerability assessment products, too much effort is being placed on trying to defeat what is now increasingly clear to be undefeatable: the continuous tide of malware and zero-day vulnerabilities.
This unwinnable war on malware continues to be good business. In 2011, Gartner reported that (US) consumers spent $4.5 billion on antivirus while enterprises spent $2.9 billion, a total of $7.4 billion or more than a third of the total of $17.7 billion spent on security software.
In its marketing efforts, the anti-malware industry focuses on its valiant efforts to defeat malware. We are increasingly told how malware and, by extension, its authors have never been more “sophisticated” or the volume more eye popping.
“Today’s security threats are more sophisticated and targeted than ever, and they’re growing at an unprecedented rate. Malicious URLs, viruses, and malware have grown almost six-fold in the last two years, and last year saw more new viruses and malware than all prior years combined.” reports McAfee Labs.
Not to be outdone, F-Secure claims that, “Cybercriminals are following the money. They are authoring ever more sophisticated, difficult-to-detect malware”. And just to complete the picture here’s Sourcefire: “Today, malware is more sophisticated and evolving more quickly than ever before. Many customers find it impossible to keep up.”
The security press does its bit too. In the United States, SC Magazine says that malware remains an emerging area of concern “because it is always changing”.
“We used to worry about zero-day threats. Now it can be zero-hour. Malware is proliferating at a ferocious rate.” it added in the foreword to one of its group tests, failing to see the irony in describing malware as an emerging area of concern.
So we know for sure that malware has never been more sophisticated or that there is a lot of it about. And yet for all their efforts, the anti-malware lobby do not seem to be doing a very good job of managing the threat. Efficacy is a problem. A report by Israeli cloud security company Imperva collected and analysed 82 previously non-catalogued viruses against more than 40 anti-virus solutions, and it found that less than five per cent of anti-virus solutions were able to initially detect previously non-catalogued viruses. It also found that some freeware AV solutions performed better than those from the major brands.
At this point, I should say that I am not trying to blame any company for the anti-malware conundrum. McAfee, Symantec, Kaspersky and the rest all do valuable work for the industry in many different ways.
We still need anti-malware, just like we need PCs but I am sure that deep within the citadels of those businesses is the realisation that anti-malware as it exists now is not working and we need to be moving on from the anti-malware era.
The vendors that matter, I am sure, are giving this matter serious consideration. They are spending billions of dollars trying to defeat an entity that simply won’t go away and passing the cost onto their customers in a cycle of diminishing returns. The more we spend, the less the impact.
I am not cynical enough to believe that the anti-malware industry would prefer this negative status quo in order to maintain profits. This war on malware has led to the stasis of containment which is not good for the industry, its customer base or the economy. We have got there together.
So what’s the answer? That’s the problem. At the moment there isn’t a clear one. We can’t abandon anti-malware immediately but what we can do is shift resources away from the “war on malware” because it is evident that it is an unwinnable war.
The producers of malware by the very nature of the attack and defence mode that we find ourselves in, will always be ahead. We are always playing catch up and by its very nature anti-malware can only neutralise known threats.
We can begin a process of reengineering our approach to malware. We need instead to move to a model of active intelligence. By watching malware rather than trying to kill it. Most importantly analyse what attackers do with malware – it is after all only a means to an end whether that is data theft or financial gain.
Blocking a known malicious activity or quarantining a part of the network that is affected may be a smarter move than throwing endless bits of anti-malware across the enterprise, trying to stop it coming in.
By letting the “clever” stuff in, the well-written software (malware) that “does bad things”, we can learn how to defend the systems rather than finding a patch. After all, many of those “sophisticated” new viruses and zero day attacks are not entirely unique, they are based on the DNA of previous malware but tweaked ever so slightly to slip though the previous set of signatures. We know this so why can’t we build on this intelligence and develop architectures that can identify and isolate malware using an heuristic approach. Does this sound like fantasy or beyond the imagination of the R&D department of the major vendors?
The war on malware is beginning to look much like the war on drugs: billions spent and a drug trade bigger than ever. It’s time to divert funds and research into new technology that manages malware rather than the futile goal of killing it.
About the Author:
Paul Fisher | @Pfanda | Pfanda.co.uk
Paul Fisher has worked in the technology media and communications business for the last 22 years. In that time he has worked for some of the world’s best technology media companies, including Dennis Publishing, IDG and VNU.
He edited two of the biggest-selling PC magazines during the PC boom of the 1990s; Personal Computer World and PC Advisor. He has also acted as a communications adviser to IBM in Paris and was the Editor-in-chief of DirectGov.co.uk (now Gov.uk) and technology editor at AOL UK.
In 2006 he became the editor of SC Magazine in the UK and successfully repositioned its focus on information security as a business enabler. In June 2012 he founded pfanda as a dedicated marketing agency for the information security industry – with a focus on content creation, customer relationship management and social media.
His heroes include David Ogilvy, Ludwig Mies van der Rohe, Ken Garland, William Bernbach, Andy Warhol, Richard Branson, Charles & Ray Eames, Steve Jobs and Paul Rand. And George Best. He comes from Watford but he thinks he comes from Manchester. If you came from Watford, you would too.
As an impulsive adopter of new technologies and an inability to stick to one ecosystem, he can be spotted around London’s finest WiFi hotspots variously sporting a Chromebook Pixel, an old Blackberry, Nexus 7 and a Nokia 920. He also has a Mac and an Xbox at home.
