Questions Answered About the Worldwide Malware Counter
May 20, 2009 1 Comment
Why should I care about this counter? Because if you are reading this, you are likely engaged in IT security in some form, and the tectonic plates of that world are shifting rapidly beneath your feet. This counter is meant to give you a small taste of just how much it is shifting. Consider that a signature is written in response to a new attack or a new variant of an attack, and signature based tools fail at a fifty percent or higher rate to detect the attacks that have no known signature. If you are not looking at alternatives to signature based tools you should be. Because as other organizations do, the cyber criminals are going to find those organizations who continue to rely solely on signature based tools because they will offer the least resistance.
Is the counter just a timed linear count? No. We actually modeled the numbers from Symantec Threat Report and built a counter that we think fits the represented data as best as possible. The counter’s pace will actually escalate throughout the year to represent the growth rates from the data. So we start the year at one every 20 seconds, and will end the year at one every 8 seconds. The counter is representative, but we made it as accurate as possible – no hype or fear mongering.
What, no sound effects? As a big fan of 24, I really wanted to use the same sound they have on their timer, but maybe we can add something in release 1.1 of the counter. Like the agonizing screams of a user realizing their machine just got infected.
Will you adjust the counter as Symantec updates their numbers? Absolutely. The counter was built with variables so we can do just that. Again, our goal was to provide a graphical representation that was fair and erred on the side of being conservative. When we see new numbers from Symantec we will update our model and the counter. If we were too high, we will say so. We think we will be low.
Are you picking on Symantec? Nope. We used the Symantec numbers because they are in the public domain and they represent a broad, worldwide sampling of what organizations are encountering. We commend Symantec for making the information available, and we have the utmost respect for their research. Triumfant is not an antivirus replacement, we have never positioned ourselves that way, and we therefore have no quarrel with Symantec (or Mcafee, or Trend, or Sophos, or <insert antivirus vendor name here>). If someone knows of similar research that is in the public domain that we should consider, please let me know.
Why did Triumfant do this? To catalyze awareness and discussion because a picture is worth a thousand words (feel free to use that quote if you like it). Triumfant believes that organizations, particularly those organizations that are continuously bombarded with persistent targeted threats, need to know what they are up against. And while they may feel safe now, they need to look to alternatives to traditional signature based tools now before this counter gets to the 10’s of millions. Someone sent us a comment yesterday that until they saw the counter they had not considered the potential load on their computer to sift through so many signatures. That is what we were after – to stimulate some thinking. And of course if that thinking were to drive people to consider Triumfant as one of those alternative technologies, then that would be a plus (come on folks, we are not a philanthropy).
Are we to believe a marketing guy built an analytical model that extrapolates and performs intelligent escalation? Luckily, my CEO went to MIT and he built the model. But in my defense I did get a “B” in ordinary differential equations.