I manage the Computer Incident Response Team for a relatively small government agency with approximately 8,500 users spread out across the country.
Virus and malware issues are a constant threat. Patching and up-to-date anti-virus signatures only get you so far in this day and age. Unfortunately for anyone who owns a business, runs a computer network, surfs the internet, or uses a computer to do anything other than play Solitaire, the protection we are offered from present-day anti-virus tools is almost nonexistent.
In a time of shrinking profits for the Symantecs, McAfees, and Trend Micros of the world, the number of viruses and malware are increasing at a pace and sophistication never before seen. The question I have been wondering for years is how do they allocate resources to keep up with the exponential upward trend when their earnings are stagnant or in decline?
Anti-virus software operates based on signatures. A signature is any sequence of bits that can be used to accurately identify the presence of a particular virus in a given file or range of memory. Analyzing viruses and malware and writing signatures is a labor-intensive endeavor.
The more complex viruses that are increasingly being released are referred to as metamorphic viruses. A metamorphic virus is one that is capable of rewriting its own code with each infection, or generation of infections, while maintaining the same functionality.
Writing signatures to detect these types of viruses often requires more time and analysis than is normal and a team to complete the signature.
Symantec is a good example of an anti-virus vendor that is experiencing flat earnings per share, revenue, and an alarming decrease in projected cash flow in Q1 and Q2 of 2012. The significance of this is that any given anti-virus vendor is going to try to run as lean and mean as possible while still protecting market share, supporting high margin lines of business and downsizing unprofitable and low margin departments. For a public company like Symantec, earnings and stock price are what drive expansion and hiring. Freeware anti-virus companies such as Avast are not able to solve the resource allocation problem any better.
It is safe to draw the conclusion that anti-virus vendors are not keeping up with the threat and may reach a point where the number of virus signatures is just too unwieldy to manage from the standpoint of the limitations of computing power to run the detection software, or from the standpoint of the sheer numbers of signature writers required to address the threat.
What is the number of signatures that ultimately break one or the other: 11 million, 15 million, or 25 million? Nobody knows.
What most information security professionals know is that the virus/malware problem is not going away anytime soon and that it may already have reached the point of critical mass. For those of us on the front lines who are dealing with the problem on a daily basis, there is no end in sight.
Using the popular site Virus Total only illustrates the issue. Virus Total lists approximately 44 different anti-virus vendors, but only one or two may have a signature for any given threat. This situation is akin to playing Russian roulette and hoping that your company has the right anti-virus solution that detects a given virus.
Company owners and shareholders will continue to see annual expenditures made on enterprise anti-virus products and a corresponding budget line item for dealing with virus outbreaks. Productivity also impacts the bottom line but is rarely quantified.
What is needed is a new paradigm in how we fight computer viruses. Viruses and malware are advancing and becoming more complex, whereas the anti-virus vendors are unable to keep pace.
Having an enterprise anti-virus solution is a critical piece to any enterprise security solution, but it is often one of the least effective. Vendors must offer us something more than reactive mode and ever-increasing numbers of signatures. There must be a more proactive, preventative solution to this problem that is able to at least keep pace with or stay ahead of the wave of viruses and malware that are costing businesses dearly.
It is at times like this, when an entire industry appears to be moving at a glacial pace, that innovation works its transformative magic.
The anti-virus industry is ripe for innovation.