Perfecting the Obsolete Part 2 – Is That an Elephant in the Room?
April 17, 2009
One every 20 seconds.
Ever since I did the math from the Symantec Internet Security Threat Report, I cannot get that statistic out of my head. The number, of course, comes from the report’s statistic that Symantec created 1.6 million new code signatures in 2008.
1,600,000 for a year equates to one every 20 seconds.
Remember the Greek myth of Sisyphus? He was an ancient king and generally sketchy fellow who was ultimately punished by the gods by being cursed to roll a huge boulder up a hill, only to watch it roll back down, and to repeat this throughout eternity. A Sisyphean task is a task that leads to ultimate and repeated failure and frustration.
The numbers from the Symantec report would strongly suggest that trying to keep up with signatures is a Sisyphean task. But it is actually worse, because every day the boulder gets bigger and the hill taller and steeper. The report said that signatures grew at a rate of 256% from the previous year to take the total to 2.6 million signatures. Using that same growth rate for 2009 – and the graph Symantec provides shows that this growth is geometric and not linear – we would end 2009 with 6.6 million signatures, or an increase of 4 million. At that rate, by the time we get to RSA we will be within weeks of already reaching the 1.6 million new signatures written in the whole of the previous year! And here is the new number to chew on – 4 million new signatures equates to one every 8 seconds.
One every 8 seconds.
There is clearly an elephant in the room. When I speak of perfecting the obsolete, I am speaking of the IT security industry’s reliance on a technology that the math – not the analysts, not competitors, not marketing guys – says is clearly unsustainable. Antivirus is not dead. But it is the lifecycle of every product in IT security to become a layer that eventually has enough holes that a new layer must be added. So why haven’t we really started to look seriously toward that other layer? Why wasn’t there a lot of shock and dismay around the Symantec report? I find the lack of response perplexing, which leads me to the other statistic that sticks in my head.
Fifty percent.
That is the statistic Gartner provided in their last set of research that put a number on the failure rate of traditional antivirus software to detect malicious code where there was no known signature. Call me crazy, but 50 percent failure and the term “defensive” would seem to be somewhat antithetical. So let me take these two statistics and see if I can put a better definition around perfecting the obsolete:
Perfecting the obsolete is continuing to put your trust in traditional signature-based defensive software that has a fifty percent failure rate detecting malicious code that has no known signature, and that relies on the ability to write a new signature every 20 seconds to keep pace with evolving cyber threats.
There is an elephant in the room. Watch your step.
