The IT Security Ecosystem, Part 2 – Disruption Requires Innovation, Not More Signatures

I just read an interesting post by Matt Asay in CNET News called “Which software vendors are the most relevant?” in which Asay lists who he believes are changing the face of software. One of his criteria for being such a company – he chose IBM, Microsoft, Oracle and Cisco Systems – is that they bring a sense of innovation and vision that causes disruption in the software ecosystem. Given that I am a big proponent of disrupting the IT security market ecosystem, Mr. Asay had my attention. He goes on to explicitly list EMC and Symantec as companies that do not belong on the list, in spite of their broad offerings and large market presence, because of their lack of vision and ambition to be disruptive.

Which leads me to something else that came to my attention.  I started using TweetDeck yesterday (I may be an old dog, but I can learn new tricks) and discovered a tweet that had been sent to @Triumfant from someone at Symantec.  It was in response to a tweet I had put out about the Symantec Internet Threat Report and the 1.6 million signatures Symantec reported they created in 2008.  My exact tweet was:

    Still thinking about Symantec Threat Report Numbers. 1 new signature every 20 seconds. 3/minute. 180/hour. When do they eat? Sleep? Tweet?

The response from someone at Symantec:

    @Triumfant Thankfully there’s a whole team and we’re situated all around the globe for this very reason!

After thinking about this a bit I realized just how much effort it takes an antivirus company to maintain the status quo of the AV ecosystem. As the number and complexity of attacks increase geometrically, these companies are forced to deploy hundreds of people worldwide to feed the monster that is the signature problem. Given the enormous resources such companies must pour into just keeping up with new signatures, I imagine it is hard to have resources left to power the innovation that causes disruption.

But therein lies the problem, because the lack of innovation and subsequent absence of disruption is exactly what keeps the AV ecosystem alive. If customers perceive that there are no alternatives to signature-based tools (yes, there are viable alternatives), they remain reliant on signature-based defensive software. With new signatures required every 20 seconds, the customers become equally reliant on the vendor. And the cyber criminals do their part and constantly create new threats or threat variants. It is a stellar example of a self-perpetuating cycle. And it is a cycle that the big AV companies do not seem able, or willing, to disrupt.

Again, let me be clear that I am not accusing Symantec or any other antivirus vendor of intentionally coercing or misleading their customers or the broader market. The research organizations of the AV companies are made up of well-respected security professionals who take the security of their customers seriously, and I only listed Symantec because someone in that company responded on Twitter. The work done by these and other organizations is part of the ongoing battle with cyber crime, and such research is vital to defending against the daily wave of new attacks.

But to paraphrase Asay, being a leading vendor in size and revenue does not mean that you are leading the market to innovate and change, and make no mistake – the IT Security ecosystem must change. I have already stated the case that the numbers regarding the growth of required signatures clearly indicate that signature-based technology is no longer sustainable, and many others in the industry have elegantly made the same case. It is apparent that the disruptive leadership the IT security market needs to overcome the signature problem will have to come from smaller upstarts who are unburdened by feeding the status quo of the ecosystem.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
