RSA Shocker (Not): Symantec Admits Traditional Signature Based Tools are “Not Keeping Up”

“Traditional signature-based approaches to security are not keeping up.  What we’ve had to do is come up with a new approach. The idea is it has to be able to deal with attacks that we’ve never seen.”

Words from some maverick security company?  Hardly.  These are the words of Symantec CEO Enrique Salem from his Tuesday RSA Conference keynote.  And he is about to tell the assembled RSA crowd that Symantec’s prevalence technology is the answer to the vexing problem of rapidly emerging and constantly evolving threats.  I can’t fault his message – his company paid handsomely for that keynote spot so he can proclaim his new technology as the 2010 silver bullet.  But in my opinion, Salem and Symantec’s newfound honesty regarding the efficacy of AV is late, awkward, and does little to provide real leadership to the market.  The industry leaders should not feel all self-congratulatory in finally admitting a problem they have ignored for far too long.

I had a similar experience listening to a CEO in denial say something equally late and awkward before at the 1999 Sapphire Conference (SAP user conference) in Philadelphia.  SAP was acting like the World Wide Web was simply not happening all around them because it was so foreign to their core technology.  In his keynote, then-SAP CEO (or COB) Hasso Plattner grudgingly referenced the internet as an “emerging technology” but was still ultimately dismissive.  I remember thinking “sir, I think the internet has already emerged and no dismissal from you can change that fact”.  Actually, I think my exact thought was “Emerging? Dude, internet done emerged!”

What confounds me is that companies still somehow either believe or want to believe that companies like Symantec can solve this problem.   Not one person in a company or government agency that fights what has been called the advanced persistent threat tells me that they believe that prevalence technology is a viable solution for what Salem calls “the attacks that we’ve never seen”.  Same with whitelisting, which is the proposed answer for companies like McAfee and Lumension.

(As a complete aside, one vendor actually touted “intelligent whitelisting” at RSA, I assume implying that somehow intelligence had been left out of previous whitelisting attempts.  I could see people everywhere saying “AH! I was supposed to be intelligent about whitelisting!  Now I get it.”)

I think it is disingenuous for companies that have been at the front of the A/V wave to feign public shock that signatures are no longer viable when their own customers have been pleading with them for years and years to step up and make the jump to newer technology.   We of course have been pointing out the problem for some time, with our Worldwide Malware Signature Counter providing a visual for the problem.  I also think it odd that a company like Symantec would post a report showing that 100% of the enterprises they polled for a recent study had been attacked (see an interesting view of FUD surveys in John Pescatore’s blog here).  The math is simple: if Symantec represents 40% market share and 100% were attacked, aren’t they saying that they failed to protect 40% of the enterprises represented in the survey? Seriously, am I missing something here?

Let me be clear.  The answers to the problem Salem raises do exist.  You and your organization are simply going to have to look outside of your AV suite vendor to find it.
