I write a lot about the need to move away from traditional signature-based technologies for malware detection. Admittedly, some of my motivation is self-serving, as Triumfant's clear differentiation is our ability to detect malware without a signature. But there is also sound fundamental thinking behind my opinions, and you don't have to look past Symantec's recently released Internet Security Threat Report for more proof.
In this report, Symantec claims that it created 1.6 million new malicious code signatures in 2008. Let's run with that number for a second. It translates to roughly 133,000 signatures per month and about 4,400 per day. Or how about this: 3 per minute, 1 every 20 seconds. Now there is job security. Have your kids become signature analysts.
Now let's have some fun extrapolating. Symantec says that the 1.6 million new signatures represent more than 60 percent of all the signatures it has ever written. In 2003, Symantec created 18,827 new signatures. Five years later the annual total is roughly 8,400 percent higher, and the curve is certainly geometric (look at page 10, figure 3). Applying the same 256 percent year-over-year increase Symantec reports for 2008 to 2009, which is conservative given the slope of the graph, we can expect to see roughly 4 million new signatures this year. If you are old enough to remember the old McDonald's signs that tracked the millions of hamburgers served, you will recall that eventually McDonald's stopped counting and just said "millions and millions served". Give it five years and even Symantec may be tempted to stop counting.
Many have warned that there would be a tipping point where the number of new attacks would get ahead of our collective ability to write signatures. These numbers would suggest that we just tipped. And a half. The numbers now shout louder than the opinions.
The only rational and reasonable conclusion one can draw from these numbers is that building a defensive strategy on signature-based tools is what we call perfecting the obsolete. Again, this is not an "AV is dead" rant. AV has been a critical part of the defensive strategy for 20 years or so, and it will continue to be in the future. But the numbers show that reliance on this technology alone is simply not sustainable. AV needs complementary help, and soon.
Organizations may not really be feeling the effects of all this yet, but they will. At the run rates discussed above, it is reasonable to expect that the time from detection of a new sample to the release of its signature will lengthen, increasing the window of exposure. Many of these same tools also have remediation processes that use scripts (or fixlets, or remedies, or some other name for a script) that are in fact signature-based remediations: a fix is built in advance for a known problem. That means that for every new threat, these vendors have to write both a signature and a script, so the load doubles. Something will have to suffer.
Organizations have got to look past signature-based tools now, because the tide is coming in much quicker than even the most negative prognosticators could predict. Anomaly detection, behavioral analysis, heuristics: all of these need to be considered and given a close look. And while the numbers are scary enough on their own, let's not lose sight of the fact that the cyber criminals writing this tide of new attacks have evolved geometrically as well, from teenage rebels seeking bulletin board notoriety to organized groups seeking silent monetary gain.
It is time to wake up and smell the coffee. And this coffee is roadside-diner strong, based on pure, stark numbers that tell a very clear story. There is more to this story to talk about later. For instance, don't forget that someone has to clean up after all of these new attacks, as witnessed by the $100M DoD revelation last week.
My advice is simple. If you are at the RSA Conference 2009 next week, you may want to spend some time looking at the alternative approaches to malware detection. These vendors, Triumfant among them, may not have the biggest, flashiest booths or the best give-aways, but they may offer an important alternative to the incoming tide that the Symantec report numbers indicate. The hard evidence says that reliance on traditional signature-based tools is an exercise in perfecting the obsolete, and even the best-built sand castles eventually get swept under a rising tide.