Today Triumfant added a malware signature counter to our Web site to provide an up-to-the-second count of the number of signatures required by traditional signature-based tools. The counter is designed to graphically reinforce what many in the IT security industry believe is a growing problem that is being largely ignored – that the reliance on signatures to protect endpoints and servers against malicious attack is simply unsustainable.
The counter uses the statistics from Symantec’s “Global Internet Security Threat Report – Trends for 2008”, published in April of 2009, as its statistical foundation and simply extrapolates the growth rates in new attacks – and therefore the companion signatures – seen in 2008 into 2009. We used the Symantec data because it is in the public domain, because they are a credible market leader, and because they have an exemplary research capability. But we also used this report because we thought it was a fair set of numbers: they come from a vendor who, like most in the IT security market, relies heavily on signatures for defensive capabilities, and were therefore not inflated to make a point.
Just what is that point? The world of cyber crime is simultaneously accelerating and evolving in ways that no one would have predicted three years ago. According to Symantec, the total number of signatures increased approximately 265% year-to-year from 2007 to 2008. The total number of signatures created in 2008 exceeded the total number of signatures written to date by 60%, adding 1.6M signatures to the cumulative total of 1M signatures. If these growth rates continue, and the curve appears to be geometric rather than linear, over 4M new signatures will need to be written in 2009.
Customers are promised innovation, but are delivered more of the same in what we have come to call the process of “perfecting the obsolete”. So why is the industry moving slowly? I address this in detail in a previous post called “An RSA Keynote from the Outer Aisles – Demand Disruption”, but essentially the movement away from the reliance on signatures is simply too disruptive to the comfortable ecosystem that has been created, and even the customers are partially complicit because they do not demand change.
Triumfant is not looking to beat the “AV is dead” drum, as we believe that antivirus software will always have a place in a defense-in-depth strategy. But we do believe that continued reliance on antivirus software in the face of the mounting evidence is not a reasonable or prudent strategy. And do not lose the perspective that each one of the 1.6M new signatures represents a response to a new unknown attack or a variant of an existing attack that therefore evaded the signature-based software at a rate generally reported to be fifty percent. I would be remiss not to add that there are likely many more such attacks that have yet to be discovered, as the daily headlines point to attacks that go months undetected.
So the questions begged by the counter are simple. How many signatures must we write before we hit the tipping point? How much data and money and intellectual property must be stolen before the market demands change? How many people who have entrusted personal data to organizations with the belief that these organizations would protect that data must have their privacy compromised? When is the market going to stop supporting the self-serving ecosystem and engage in some constructive conversation about evolving defensive software to meet the obvious threat?
The counter was designed to be a visual reminder of the mess we are sliding toward. The counter will accelerate to match the accelerating rate of the problem, and will be incrementing every eight seconds by year end. There are alternative ways to detect and remediate malicious activity, and I would respectfully suggest that you and your organization owe it to yourselves and your stakeholders, customers, and employees to start to look into these alternatives to signature-based tools sooner rather than later. The counter is ticking.