<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Triumfant Blog</title>
	<atom:link href="http://blog.triumfant.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.triumfant.com</link>
	<description>Cyber Security and all things Triumfant</description>
	<lastBuildDate>Wed, 21 Jul 2010 13:39:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.triumfant.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://www.gravatar.com/blavatar/37f395d2ea712a95a83ee12d3bfd7c00?s=96&#038;d=http://s2.wp.com/i/buttonw-com.png</url>
		<title>Triumfant Blog</title>
		<link>http://blog.triumfant.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.triumfant.com/osd.xml" title="Triumfant Blog" />
	<atom:link rel='hub' href='http://blog.triumfant.com/?pushpress=hub'/>
		<item>
		<title>Crossing Into a New Phase of How We View IT Security</title>
		<link>http://blog.triumfant.com/2010/07/21/crossing-into-a-new-phase-of-how-we-view-it-security/</link>
		<comments>http://blog.triumfant.com/2010/07/21/crossing-into-a-new-phase-of-how-we-view-it-security/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 13:39:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[antivirus detection rates]]></category>
		<category><![CDATA[endpoint protection]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=758</guid>
		<description><![CDATA[I believe the evidence is now sufficient to say that we have crossed into a new phase of how IT Security is viewed in a broader perspective.  To be clear, I am not saying that the new phase is about recognizing that the adversary and the attacks that they build have evolved &#8211; that is well documented. [...]]]></description>
			<content:encoded><![CDATA[<p>I believe the evidence is now sufficient to say that we have crossed into a new phase of how IT Security is viewed in a broader perspective.  To be clear, I am not saying that the new phase is about recognizing that the adversary and the attacks that they build have evolved &#8211; that is well documented.  The new phase is about a pragmatic discourse about how IT security must accept fundamental change to effectively address the evolving threats at a much broader level.  This new phase  is all about embracing a much harsher reality than the previous phase, because at its core, this new phase is about accepting that we cannot effectively shield endpoint computers and servers from every attack.  This new phase goes beyond analysts and strategists to the people on the front line of the daily battle.</p>
<p>Don&#8217;t dismiss the emotional transition centered around admitting &#8211; and accepting &#8211; that we simply cannot build enough walls or create a good enough shield to completely protect machines from attack.  It is human nature to seek protection first, and then come to terms with dealing with the consequences of when that protection fails only when it is clear that it will fail.  Walls bring protection, but they also imbue a false sense of security that people will cling to even when the evidence begins to build that the wall is no longer sufficient.</p>
<p>Many sources fueled this line of thinking.  The vendors all raced to sell the perfect shield and therefore the tide of messaging around prevention was overwhelming.  Executives were far more comfortable talking about protection than incident response, forensics, and remediation.  The rapidly growing number of attacks artificially inflated the <a href="http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/">antivirus detection rates</a> in security reporting, creating a false sense of security.  Rank and file users were still generally under more pedestrian attacks and therefore felt no perceptible change in the greater threat landscape.</p>
<p>There have long been insightful thinkers and those on the front line protecting the information targeted by the <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> who have attempted to raise the level of discourse over the past several years.  The evolving threats have reached a point of saturation that the pain has become more widespread.  This new reality has forced organizations to get past the emotional attachment to a 100% shield and we now have a critical mass large enough to drive the broader discourse.</p>
<p>So what are the general themes of this discourse and the new phase of IT Security?  Here is my summary:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="319" valign="top"><strong>Old Phase   Thinking</strong></td>
<td width="319" valign="top"><strong>New Phase   Thinking</strong></td>
</tr>
<tr>
<td width="319" valign="top">Build as many walls as possible to   prevent anything from getting to the machine</td>
<td width="319" valign="top">You cannot prevent everything, so you   must be able to detect successful attacks</td>
</tr>
<tr>
<td width="319" valign="top">Assume the machine is clean unless I am   told differently</td>
<td width="319" valign="top">Assume every machine is compromised</td>
</tr>
<tr>
<td width="319" valign="top">Re-image as a matter of policy</td>
<td width="319" valign="top">Remediate and fight through</td>
</tr>
<tr>
<td width="319" valign="top">Detection reports say I am more secure   because I detect more attacks every month</td>
<td width="319" valign="top">Detection reports show more attacks being   detected because there are more attacks to detect</td>
</tr>
</tbody>
</table>
<p>Several new articles came out in the past several weeks about assuming that your machine has been attacked &#8211; one such article by Andrew Jaquith can be found <a href="http://blogs.forrester.com/andrew_jaquith/10-07-20-assuming_your_company_0wned_that%E2%80%99s_risk_management">here</a>.  I hear the shift in many of the presentations at conferences such as the Gartner Security Conference in late June.  It is a healthy discourse, and the right step toward a better set of thinking toward meeting the evolving threats.  It also creates a much healthier set of expectations for all concerned.  IT security can balance prevention and detection and look into technologies that help them detect successful attacks.  Executives will be aware that there is no 100% shield and therefore understand the associated organizational risk.  All of this opens a far more pragmatic approach to the realities of today.  Or as Roger Grimes puts it in a <a href="http://www.infoworld.com/d/security-central/security-rule-no-1-assume-youre-hacked-005?page=0,0">recent article in Infoworld</a>: &#8220;Accept that your company&#8217;s IT system have been compromised &#8212; then get to work defending them&#8221;.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/antivirus-detection-rates/'>antivirus detection rates</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/07/21/crossing-into-a-new-phase-of-how-we-view-it-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>After Slow Start, the Cybersecurity Coordinator Appears to be Gaining Momentum</title>
		<link>http://blog.triumfant.com/2010/07/19/after-slow-start-the-cybersecurity-coordinator-appears-to-be-gaining-momentum/</link>
		<comments>http://blog.triumfant.com/2010/07/19/after-slow-start-the-cybersecurity-coordinator-appears-to-be-gaining-momentum/#comments</comments>
		<pubDate>Mon, 19 Jul 2010 15:04:48 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Cyberspace Policy Review]]></category>
		<category><![CDATA[Cyber Czar]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=753</guid>
		<description><![CDATA[It was very encouraging to hear the updates from Howard Schmidt, the White House Cybersecurity Coordinator as reported from the meeting held at the White House on July 14.  The meeting was obviously designed to show progress on the cybersecurity issue and demonstrate that the White house still intended to take a leadership role.  Homeland [...]]]></description>
			<content:encoded><![CDATA[<p>It was very encouraging to hear the updates from Howard Schmidt, the White House Cybersecurity Coordinator, as reported from the meeting held at the White House on July 14.  The meeting was obviously designed to show progress on the cybersecurity issue and demonstrate that the White House still intended to take a leadership role.  Homeland Security Secretary Janet Napolitano and Commerce Secretary Gary Locke attended the meeting, as did IT Security leaders from the DoD, NSA, FBI, and several other agencies.  Most importantly, the President himself made an appearance to provide his support, which was a key visual for Mr. Schmidt as he continues to get his hands around the role.</p>
<p>This blog has been consistently critical of the large gap between the announcement of the role of Cybersecurity Coordinator and the appointment of Mr. Schmidt.  However, there are very promising signs that progress is being made and that Mr. Schmidt is a good fit for the role.  I have been to numerous events where Mr. Schmidt has spoken, and he is obviously eager to take the cybersecurity message to the public and be accessible.</p>
<p>I had the unique opportunity to speak briefly with Enrique Salem, the CEO of Symantec, at a reception following Symantec’s Government Symposium last month, and Mr. Salem is an enthusiastic supporter of Mr. Schmidt.  This is consistent with the overwhelmingly positive feedback from everyone I have encountered in the industry who knows Mr. Schmidt or has firsthand experience working with him.  He seems to be the right person for doing a delicate and challenging job.</p>
<p>When I worked at webMethods, CEO Phillip Merrick often used the metaphor of the railroad junction approach employed by the Union army in the Civil War.  It was an important tactic of the Union to divide and attack the Confederacy by controlling important railroad junctions.  Merrick was speaking toward controlling important junction points in electronic commerce, but I was reminded of the metaphor when thinking of the criticality between the defense of our country and cyber security.</p>
<p>The railroad junction approach is a representative tactic to a broader strategy of warfare: targeting all of the things that enable an enemy to wage war, thereby weakening that enemy and forcing a more rapid conclusion to hostilities.  The United States has based much of our ability to wage war on our ability to effectively network information.  That makes these networks a logical attack point for our adversaries, and we must do all that we can to prepare for that scenario and protect against such incursions.  This is not limited to just the systems supporting the DoD – it is our financial systems, infrastructure, and transportation that are also at risk.</p>
<p>Progress relies on someone to lead policy as well as become an effective facilitator between the government and the industry.  By all indications, Mr. Schmidt is that person, and by appearing at last week’s meeting the President continues to demonstrate that cybersecurity is a priority to the country and that Mr. Schmidt has his support.</p>
<p>As the saying goes, it is not about how you start but how you finish.  We may not have agreed with the slow start regarding the appointment of the Cybersecurity Coordinator, but we like the early indications of the direction of the role under Mr. Schmidt.  And we are hopeful for continued progress.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/cyber-czar/'>Cyber Czar</a>, <a href='http://blog.triumfant.com/tag/cyberspace-policy-review/'>Cyberspace Policy Review</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/07/19/after-slow-start-the-cybersecurity-coordinator-appears-to-be-gaining-momentum/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Have No Fear: Triumfant&#8217;s Remediation Capability is Automated, Not Automatic</title>
		<link>http://blog.triumfant.com/2010/07/09/have-no-fear-triumfants-remediation-capability-is-automated-not-automatic/</link>
		<comments>http://blog.triumfant.com/2010/07/09/have-no-fear-triumfants-remediation-capability-is-automated-not-automatic/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 12:16:49 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Compliance and Configuration Management]]></category>
		<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[automated remediation]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[zero day malware]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=747</guid>
		<description><![CDATA[In my previous blog entry I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a misunderstanding between the words “automated” and “automatic”.  [...]]]></description>
			<content:encoded><![CDATA[<p>In my <a href="http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/">previous blog entry</a> I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a misunderstanding between the words “<strong><em>automated</em></strong>” and “<strong><em>automatic</em></strong>”.  Allow me to explain.</p>
<p>Triumfant has <strong><em>automated</em></strong> the construction of a remediation for any malicious attack or anomalous incident it finds.  The detail is all there in the <a href="http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/">blog entry</a>.  But in short, because Triumfant knows what has changed and knows the value of every attribute or file before it was changed, it is a logical next step to build a remediation script to return the affected attributes to their pre-attack condition.  No spooky “thinking computer” stuff, just sound logic driven by the capabilities of our granular change detection.</p>
<p>The <strong><em>automated</em></strong> remediation Triumfant creates is not <strong><em>automatic</em></strong> in its execution.  The Triumfant administrator must perform a one-touch confirm of the remediation before it is sent to the agent for execution.  Triumfant does the heavy lifting of analyzing the attack or problem and building a comprehensive remediation script.  It is <strong><em>automated</em></strong>.  There is still the failsafe of human interaction as a confirmation.  It is not <strong><em>automatic</em></strong>.</p>
<p>There do exist easily implemented mechanisms to make remediations automatic for incidents encountered in the past and for configuration and policy enforcement.  In these cases the remediations are known and the customer is comfortable with their effects.  For example, we have customers who identify specific applications they want removed from endpoint machines, and these remediations are automatic.  But for anything new encountered by Triumfant, such as a zero day attack or an <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> type attack, the default is the one-touch confirm by the administrator, providing oversight and control.</p>
<p>Why am I writing about this subject?  People seem to have a love/fear relationship with the concept of automated remediation.  For example, at the NIST Security Automation Conference last October in Baltimore I asked the attendees in my presentation two questions:</p>
<p>Q1: Who wants automated remediation?  A: Every hand in the room enthusiastically shot up.</p>
<p>Q2: Who is ready to implement automated remediation?   A: Crickets.</p>
<p>All I can surmise is that security people suffer from what I have dubbed &#8220;SkyNet Syndrome&#8221; – the lingering effects of watching science fiction movies and television series that ultimately play the “smart computer comes to life and destroys the world” card.  The list is long and distinguished: M5 and Nomad in Star Trek: The Original Series, V’Ger in the first Star Trek movie, Colossus from Colossus: The Forbin Project, Proteus in Demon Seed, and, of course, SkyNet from The Terminator.</p>
<p>Notice that I did not include W.O.P.R. from WarGames as he was hacked and did not become sentient.  Of course he was hacked because he had poorly configured endpoint protection that could have been easily recognized through change detection and quickly addressed by Triumfant through an automated remediation.  But I digress.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/automated-remediation/'>automated remediation</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/07/09/have-no-fear-triumfants-remediation-capability-is-automated-not-automatic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Triumfant&#8217;s Automated Remediation &#8211; Not Voodoo, Sensible Can-Do</title>
		<link>http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/</link>
		<comments>http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 14:55:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[automated remediation]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[zero day malware]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=737</guid>
		<description><![CDATA[It has come to my attention that many have a hard time getting their heads around our automated remediation capabilities.  The concepts around the way Triumfant performs automated remediation are really quite simple, so allow me to explain: We know what changed. We continuously scan the machine for changes and if we see an indication [...]]]></description>
			<content:encoded><![CDATA[<p>It has come to my attention that many have a hard time getting their heads around our automated remediation capabilities.  The concepts around the way Triumfant performs automated remediation are really quite simple, so allow me to explain:</p>
<p><strong>We know what changed.</strong> We continuously scan the machine for changes, and if we see an indication that the machine is under attack we perform an accelerated full scan to kick off the analysis process.  So when Triumfant&#8217;s patented analytics perform the analysis of a malicious incident, each and every change to the machine is available for consideration.   Triumfant not only sees what has changed, but we are uniquely able to group changes to identify which changes are part of each specific incident.  The analytics leverage over 25 different correlation algorithms to determine all of the primary and secondary artifacts from any given attack.  We identify the attack and all of the changes associated with the attack, such as configuration changes and opened ports.  The changes break down into three basic change types: unexpectedly present means that something new has been added, unexpectedly absent means that something that was there is no longer there, and unexpectedly modified means that the value has been changed.</p>
<p><strong>We know what the attribute or file looked like before it changed.</strong> The first step performed by the Triumfant agent is to take a snapshot of the over 200K attributes we monitor.  This includes an MD5 hash of every file on the machine.  A copy of this snapshot is continuously maintained on the endpoint and on the Triumfant server.   Therefore, Triumfant has a very logical and unique set of data that serves as the ingredients to write the remediation: we know what has changed, we know the current (changed) value, and we know the value prior to the change.  Brutally simple in concept, but elegantly and efficiently executed.</p>
<p><strong>We therefore can build a script to modify the things that changed back to what they used to be before they were changed.</strong> Once you know what attribute or file has changed and know what the attribute or file looked like before it was changed, it is not hard to construct a script to change things back.  Actually, there are some challenges, but luckily our engineers have made it look simple.  For example, it is easy to delete things that are not supposed to be on the machine, and it is easy to restore modified or deleted attribute values.  It is not that simple to restore missing or corrupted files.  That is why Triumfant’s donor technology (patent pending) is so remarkable.  Triumfant uses our knowledge base (automatically generated) to find a donor machine that has the same missing or corrupted file (version, OS, validated by the MD5 hash) and uses that donor machine to provide a copy to move to the affected machine.  I will explore the donor technology and the <a href="http://blog.triumfant.com/2009/08/19/what-ultimately-sets-triumfant-resolution-manager-apart-context/">context</a> that powers it in a future post; suffice to say the capability is completely unique to Triumfant and is an elegant solution to a very difficult problem when considering automated remediation.</p>
<p>Makes sense when you lay it out this way, doesn&#8217;t it?  Triumfant uses this very simple logic flow to build a custom remediation script for each and every incident that is contextual, situational, and surgical.  The script is constructed without the need for human intervention at the server and sent to the agent for execution after confirmation by an administrator.  The remediation only affects those attributes and files that were part of the attack and does not affect any of the changes done to the machine outside of the incident.  None of the user’s work or any of the benign changes to the machine are lost.  And you should not have to re-image the machine out of fear that there may be artifacts of the attack still lurking on the machine.</p>
<p>This is not a rollback to an image, and there is no interaction required by the end user, including the requirement (except in the most extreme cases) to reboot.  We are not pulling from a library of pre-written remediations that can&#8217;t possibly know enough to address all of the primary and secondary artifacts of an attack.</p>
<p>This is not VooDoo, but sound, sensible science.  It takes the concepts of change detection and extrapolates them to their logical end &#8211; not only can Triumfant see the attacks that evade other defenses, it can build a remediation that stops the attack and removes all of the collateral damage of the attack.   We are not a shield, but we go from infection (not detection, which for many tools takes days, weeks, even months) to remediation in less than five minutes.  So given that the shields miss so much, the fact that malware exists on the machine for five minutes is a more than equitable trade-off for those organizations dealing with the <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">advanced persistent threat</a>, zero day attacks, and rootkits.</p>
<p>Finally, I know the term &#8220;automated&#8221; gives everyone heartburn.  Everyone likes the concept, but is skittish on actually implementing.  Not to worry.  We build the remediation automatically, but by default it does not run automatically.  The administrator will get an alert that malware has been detected, and the administrator can then evaluate Triumfant&#8217;s findings and validate the remediation before it is executed.  And every remediation is completely reversible.  We provide all of the analysis and write the remediation script, you actually put it into motion.</p>
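<p>As an added example, and not Triumfant's code (the post describes the outline but not the correlation analytics or the donor lookup in detail), the following Python sketch implements the three steps above together with the one-touch confirm from the &#8220;Automated, Not Automatic&#8221; entry: a snapshot mapping each path to a hash, a diff that yields the three change types, a content-addressed index of known-good copies that stands in for a donor machine, a remediation plan that is built with no human input, and an apply step that refuses to run until <code>confirmed=True</code> and hands back an undo plan so the remediation is reversible.  The baseline, the compromised state, the donor machine and the <code>in_scope</code> predicate (which stands in for the analytics that group changes into one incident) are all constructed for the example.  It hashes with SHA-256 rather than the MD5 the post mentions: MD5 is no longer collision-resistant, so a hash-only comparison built on it can be made to miss a crafted replacement file.</p>

```python
import hashlib


def digest(data: bytes) -> str:
    """Hash a file or attribute value. SHA-256 rather than MD5: MD5 is not
    collision-resistant, so a hash-only comparison built on it could be made
    to miss a crafted replacement file."""
    return hashlib.sha256(data).hexdigest()


def snapshot(fs: dict) -> dict:
    """Baseline or current snapshot: path -> hash of the file/attribute value."""
    return {path: digest(value) for path, value in fs.items()}


def classify_changes(baseline: dict, current: dict, in_scope) -> dict:
    """Diff two snapshots into the three change types from the post, keeping
    only the paths the incident analysis put in scope. The grouping of changes
    into an incident is not described on the page, so `in_scope` is a
    caller-supplied predicate that stands in for it (an assumption)."""
    base, cur = set(baseline), set(current)
    return {
        "unexpectedly_present": sorted(p for p in cur - base if in_scope(p)),
        "unexpectedly_absent": sorted(p for p in base - cur if in_scope(p)),
        "unexpectedly_modified": sorted(
            p for p in base & cur if baseline[p] != current[p] and in_scope(p)),
    }


def build_donor_index(*filesystems: dict) -> dict:
    """Content-addressed store (hash -> bytes) built from clean peers' copies;
    this stands in for the post's donor machine lookup (an assumption)."""
    return {digest(v): v for fs in filesystems for v in fs.values()}


def build_remediation(changes: dict, baseline: dict, donors: dict) -> list:
    """Turn the diff into an ordered action list. Nothing is executed here."""
    actions = [("delete", p, None) for p in changes["unexpectedly_present"]]
    for p in changes["unexpectedly_absent"] + changes["unexpectedly_modified"]:
        want = baseline[p]
        # Re-hash the donor copy before trusting it, so a corrupted index
        # cannot push a wrong file onto the affected machine.
        if want in donors and digest(donors[want]) == want:
            actions.append(("restore", p, donors[want]))
        else:
            actions.append(("manual", p, want))  # no trusted copy: escalate
    return actions


def apply_remediation(fs: dict, actions: list, confirmed: bool = False):
    """Execute the plan only after an administrator has confirmed it, and
    return the new state plus an undo plan so the remediation is reversible.
    Paths outside the plan (the user's own work) are never touched."""
    if not confirmed:
        raise PermissionError("remediation was built but not confirmed")
    new_fs, undo = dict(fs), []
    for kind, path, payload in actions:
        if kind == "delete":
            undo.append(("restore", path, new_fs.pop(path)))
        elif kind == "restore":
            undo.append(("restore", path, new_fs[path]) if path in new_fs
                        else ("delete", path, None))
            new_fs[path] = payload
        # "manual" actions are left for the administrator to resolve
    return new_fs, undo


def in_scope(path: str) -> bool:
    """Constructed incident scope: system paths only, user documents excluded."""
    return not path.startswith("C:/Users/")


def demo():
    """Constructed sample: a baseline, the same host after an incident, and a
    clean peer that still holds the original files and attribute values."""
    baseline_fs = {
        "C:/Windows/System32/drivers/etc/hosts": b"127.0.0.1 localhost\n",
        "C:/Windows/System32/netlib.dll": b"MZ legit netlib 1.0",
        "HKLM/Software/AV/RealTimeProtection": b"1",
        "C:/Users/jim/report.docx": b"draft 1",
    }
    compromised_fs = {
        "C:/Windows/System32/drivers/etc/hosts":
            b"127.0.0.1 localhost\n0.0.0.0 av-updates.example\n",  # modified
        "C:/Windows/System32/netlib.dll": b"MZ trojaned netlib",   # modified
        "C:/Windows/Temp/dropper.exe": b"MZ dropper",              # present
        "C:/Users/jim/report.docx": b"draft 2",    # benign user work, out of scope
    }                                              # AV key is now absent
    donor_fs = {p: v for p, v in baseline_fs.items() if in_scope(p)}

    baseline = snapshot(baseline_fs)
    changes = classify_changes(baseline, snapshot(compromised_fs), in_scope)
    plan = build_remediation(changes, baseline, build_donor_index(donor_fs))
    fixed_fs, undo = apply_remediation(compromised_fs, plan, confirmed=True)
    return changes, plan, fixed_fs, undo


if __name__ == "__main__":
    for item in demo():
        print(item)
```

<p>A path the baseline knows but no donor can supply comes back as a <code>manual</code> action rather than being silently skipped; that is the gap the post's donor lookup exists to close, and it is the case to surface to the administrator rather than guess at.  Running the undo plan in reverse order through the same <code>apply_remediation</code> call returns the machine to its pre-remediation state, which is what makes the confirm step a low-risk decision.</p>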
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/automated-remediation/'>automated remediation</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>The Google Microsoft Security Dust-up and the Marketing Genius Behind the Scenes</title>
		<link>http://blog.triumfant.com/2010/06/03/the-google-microsoft-security-dust-up-and-the-marketing-genius-behind-the-scenes/</link>
		<comments>http://blog.triumfant.com/2010/06/03/the-google-microsoft-security-dust-up-and-the-marketing-genius-behind-the-scenes/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 18:43:49 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[Operation Aurora]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=728</guid>
<description><![CDATA[I have watched in amusement as people have responded to the claims by Google that they will no longer use the Microsoft operating systems because of the alleged security problems with the MS software.  There are some painfully obvious elements of genius by Google here that people are simply missing in the hysteria: Genius Idea [...]]]></description>
			<content:encoded><![CDATA[<p>I have watched in amusement as people have responded to the claims by Google that they will no longer use the Microsoft operating systems because of the alleged security problems with the MS software.  There are some painfully obvious elements of genius by Google here that people are simply missing in the hysteria:</p>
<ul>
<li>Genius Idea #1:  Google is introducing an operating system, Chrome OS, by the end of the year.  So of course they need to move their staff to Google products and, more specifically, away from the Microsoft products.  Given Google is smart enough not to move their entire operations to a new OS on day one, they can get off of MS now to Linux or Mac OS to eliminate the PR ambiguity.  In other words, they cut the MS cord without putting all of their operational chips on the Google OS square.  Genius.</li>
<li>Genius Idea #2:  Where is the official statement by Google?  Everything I have read had quotes from “one Google employee”.   They get the word out, enjoy all of the publicity, and keep their executive team free from any involvement.   There are no defamation suits to file and no one at Google for Microsoft to attack in the press.  Genius.</li>
<li>Genius Idea #3:  Google’s decision means that any other company that wants to move away from Microsoft no longer has to bear the risk of going first.  Google is a respected (well, they keep trying to screw that up) technology leader.  If they can ditch MS, then so can any other company.  Genius.</li>
<li>Genius Idea #4:  They have clearly planted the flag on why organizations will want to look at the Chrome OS – security.  It is unlikely that the Chrome OS will have a wealth of differentiating OS features, so Google needed to create a clear reason to make the switch.  Declaring (albeit through “one Google employee”) the move is security based and pulling in the Operation Aurora buzz as a catalyzing factor, Google has kick-started the brand for Chrome OS.  Genius.</li>
</ul>
<p>I wear many hats at Triumfant – CMO, product management, product marketing – but when I look at this from a marketing point of view I am really impressed by this move.  Google has managed to make multiple strategic moves at near zero costs and no “official” entanglements.  They create buzz, establish some brand awareness, and begin the “eat our own dog food” process with some perceptive guerrilla marketing.  Genius.</p>
<p>I have long contended that the disclaimer at the end of erectile dysfunction medicine commercials was added not by legal but by marketing.  You know, the disclaimer about certain conditions lasting longer than four hours.  The marketing person likely said “You really want everyone to remember this commercial? Then put in this disclaimer and everyone will be talking about it.”   It worked.  Genius.</p>
<p>So today the blogosphere and Twitterverse is buzzing loudly with the Google move.  Bravo Google marketing person.  Well done.  Genius.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/operation-aurora/'>Operation Aurora</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/06/03/the-google-microsoft-security-dust-up-and-the-marketing-genius-behind-the-scenes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>I Break the Groundhog Day Cycle and Say No to the RSA 2011 Call For Papers</title>
		<link>http://blog.triumfant.com/2010/06/02/i-break-the-groundhog-day-cycle-and-say-no-to-the-rsa-2011-call-for-papers/</link>
		<comments>http://blog.triumfant.com/2010/06/02/i-break-the-groundhog-day-cycle-and-say-no-to-the-rsa-2011-call-for-papers/#comments</comments>
		<pubDate>Wed, 02 Jun 2010 13:17:08 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[RSA Conference 2011]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=718</guid>
<description><![CDATA[This morning I received an e-mail from the fine folks at RSA with the 2011 RSA Conference call for papers.  I was immediately reminded of Bill Murray in the dinner scene from the movie Groundhog Day, who, when informed by Andie MacDowell that her college major was “19th-century French poetry”, responded reflexively: “what an incredible waste [...]]]></description>
			<content:encoded><![CDATA[<p>This morning I received an e-mail from the fine folks at RSA with the 2011 RSA Conference call for papers.  I was immediately reminded of Bill Murray in the dinner scene from the movie Groundhog Day, who, when informed by Andie MacDowell that her college major was “19th-century French poetry”, responded reflexively: “what an incredible waste of time”.   I had the very same reflexive response when I read the e-mail&#8217;s subject line: “what an incredible waste of time”.</p>
<p><a href="http://triumfant.files.wordpress.com/2010/06/groundhog_day.jpg"><img class="aligncenter size-full wp-image-721" title="groundhog_day" src="http://triumfant.files.wordpress.com/2010/06/groundhog_day.jpg?w=300&#038;h=225" alt="" width="300" height="225" /></a></p>
<p><em>(Quick aside: please don’t tell me you have not seen “Groundhog Day”.  Just do yourself the favor and see it immediately. You can thank me later.)</em></p>
<p>You see, like Bill Murray in Groundhog Day, I have lived the RSA submission process over and over.  For six years and two companies I have done my absolute best to come up with the most compelling, vendor-neutral and highly informative presentation abstract imaginable.  Every year I get a predictable “no thank you”. RSA is simply content to round up the same usual suspects and follow the “rinse, repeat” cycle they have been in for many years.</p>
<p>I know I am not alone, as every year I hear the same from a substantial number of bona fide potential presenters.  Many of these folks decided that they did not need established venues like RSA and Black Hat to get their message heard and started the Security B-Sides program which is flourishing nicely as an alternative venue for new ideas and technologies.  You can get the skinny on B-Sides in the Bill Brenner CSO article <a href="http://www.csoonline.com/article/554613/Security_B_Sides_Rise_of_the_Anti_conference_">here</a>, and the B-Sides Web Site <a href="http://www.securitybsides.org/">here</a>.  (This morning the B-Sides site seemed to be having some issues so be patient)</p>
<p>But the difference between Bill Murray and me is that my Groundhog Day was a hell of my own making, because I willingly ran up the RSA hill knowing full well I was going to be summarily rejected.  So this year, I will simply say “no thank you” to RSA and spend my energy trying to get on the speaking rotation at the B-Sides show or some other venue that has not allowed itself to get into a horrible rut that does its patrons a huge disservice.</p>
<p>I once called the RSA show a <a href="http://blog.triumfant.com/2010/02/24/beware-the-denial-of-innovation-attack-at-rsa/">“Denial of Innovation Attack”</a> and the yearly failure of the show’s management to look beyond their normal presenters is yet another brick in that wall.  It is a shame for all of us in the security market, because what is billed as one of the most important shows for IT security fails miserably in bringing new ideas and technologies into the spotlight.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/rsa-conference-2011/'>RSA Conference 2011</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/06/02/i-break-the-groundhog-day-cycle-and-say-no-to-the-rsa-2011-call-for-papers/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2010/06/groundhog_day.jpg" medium="image">
			<media:title type="html">groundhog_day</media:title>
		</media:content>
	</item>
		<item>
		<title>The Advanced Persistent Threat Means We Need a Third Bucket</title>
		<link>http://blog.triumfant.com/2010/05/25/the-advanced-persistent-threat-means-we-need-a-third-bucket/</link>
		<comments>http://blog.triumfant.com/2010/05/25/the-advanced-persistent-threat-means-we-need-a-third-bucket/#comments</comments>
		<pubDate>Tue, 25 May 2010 15:47:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[U.S. Cyber Security]]></category>
		<category><![CDATA[zero day malware]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=713</guid>
<description><![CDATA[Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a [...]]]></description>
			<content:encoded><![CDATA[<p>Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a broader reality and adds a third bucket that addresses when the adversary has thwarted the first two buckets, which is happening with alarming frequency.</p>
<p>I was at the Capital Connection Show last week and had the pleasure to attend a luncheon roundtable discussion that included Gary Gagnon of MITRE and Debora Plunkett, NSA&#8217;s Information Assurance Director.  I found it interesting that the call to arms was not for better shields but for a better understanding of how to detect and eradicate adversaries that have made it through the defenses.  It was clearly a pragmatic view that offense is always ahead of defense, and that a continued emphasis on chasing the perfect shield was no longer viable.  Regardless of whether you like the term, the <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> is a reality, and the advanced persistent adversary is now organized, competent, and highly motivated.</p>
<p>Unfortunately, the IT security industry formed in a simpler time when the two buckets of defense and access were enough.  The entrenched thinking and alignment of products into these buckets have seemingly left no room for a third bucket.  When we brief the analysts or the press it is clear that while they understand what Triumfant does and the value our solution represents, there is a struggle to process the information because we do not neatly fit into a bucket or one of the sub-classifications in those buckets. I fear that it actually puts Triumfant at a disadvantage even though we effectively fill critical gaps in endpoint security and configuration management.</p>
<p>There is an interesting corollary when one looks at the evolution of the defense of the United States over the past 30 years.  When I entered the professional workforce in 1981 at what was then Martin Marietta, the U.S. Armed Forces focused on fighting a broad, land-based conflict in Eastern Europe against the Soviet Bloc.  For those too young to remember, military vehicles and uniforms were not desert khaki, but green.</p>
<p>Ten years later, America was fighting the first Gulf War and the military was scrambling to find khaki and brown paint – literally.  Military vehicles would pass on the highways and you could see they were hastily painted from forest green to desert brown.  Many of the vehicles and weapons built for the woods of Eastern Europe were not so effective in this new theatre.  The adversary was also different in nearly every aspect.  So we quickly found that our strategies and techniques had to be completely reset.  In spite of these challenges, the public was served multiple images of the sophistication of our weapons, creating a sense of confidence that our military superiority would shield our home soil from aggression.</p>
<p>Ten years after that, on September 11, 2001, I stood at a window on the 27<sup>th</sup> floor of a high-rise office building in mid-town Manhattan as my brain struggled to process the data from my eyes as I watched the first of the Twin Towers of the World Trade Center shudder and fall.  The enemy was no longer in some far away land most of us would never see; the enemy was among us.  The enemy had in fact lived among us, and we had trained them to have the skills to perform their acts of aggression.  Iconic buildings on our own soil had been attacked, and non-combatants were killed.</p>
<p>I did watch both towers fall, and I can assure you I do not invoke 9/11 lightly or use it as a casual metaphor.  That day the United States understood that defense was no longer about keeping the bad guys out, because they were already in.  The nation was forced to completely rethink security and come to grips with finding and removing embedded adversaries, and admit to the hard truth that there was no way to completely secure the perimeter.  The myth of the shield fell in the flames of the WTC and the Pentagon.</p>
<p>We are at that place with IT security and have been for some time.  The pragmatic know this and are well on their way to addressing the problem.  But the industry itself and many within organizations and government agencies are stuck on the concept of perfecting shields rather than dealing with the cold harsh reality of an adversary that has long since found ways to penetrate those shields in a targeted and systematic way at a rate that increases daily.</p>
<p>The larger, incumbent security software companies that started with shields predictably hold onto the premise and respond to problems by introducing new shields that the bad guys soon evade.  Organizations buy into the story because it simply feels better to think about keeping the bad guys out than admitting they have long since found their way in.  They rest on reports from AV software that show increasing <a href="http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/">detection statistics</a> that create a false sense of security because there are no statistics on what is getting through.  Yet outside statistics prove conclusively that things are getting through.</p>
<p>Folks, the world has changed and there is no denying it nor can we turn back the clock.  There has to be a third bucket that addresses what we do when the bad guys get past our defenses and infiltrate our systems.  My problem – I don’t have a good name for the bucket, so I am open to suggestions.  Regardless of what we call it, it is time to face the uncomfortable truth and adjust our thinking accordingly.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/us-cyber-security/'>U.S. Cyber Security</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/25/the-advanced-persistent-threat-means-we-need-a-third-bucket/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Maintaining a State of Zen in the Face of the Matousec KHOBE Attack</title>
		<link>http://blog.triumfant.com/2010/05/17/maintaining-a-state-of-zen-in-the-face-of-the-matousec-khobe-attack/</link>
		<comments>http://blog.triumfant.com/2010/05/17/maintaining-a-state-of-zen-in-the-face-of-the-matousec-khobe-attack/#comments</comments>
		<pubDate>Mon, 17 May 2010 13:24:38 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[KHOBE Attack]]></category>
		<category><![CDATA[Matousec Attack]]></category>
		<category><![CDATA[zero day malware]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=709</guid>
<description><![CDATA[I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have [...]]]></description>
			<content:encoded><![CDATA[<p>I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have the comfort of knowing that our product’s differentiation puts us in a position where the market moves toward us daily.</p>
<p>Which brings me to the Matousec dust-up of last week.  For those of you who missed the fun, Matousec.com published a paper that defined an attack that bypassed a list of over 30 broadly used endpoint security programs.  The paper (found <a href="http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php">here</a>) describes an attack Matousec calls KHOBE (Kernel HOok Bypassing Engine) but goes by the more generic description of an argument-switch attack.</p>
<p>I won’t restate the particulars (good article with more details in the Register <a href="http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/">here</a>), but the general gist of the attack is to hand the security software’s kernel hook a benign system-call argument, let the hook inspect and approve it, and then swap in a malicious argument in the window between that check and the kernel acting on it (a time-of-check-to-time-of-use race, hence “argument switch”).  The attack is easier to pull off on multi-core machines, where a second thread can perform the swap while the first thread’s call is being inspected.  It should be noted that this attack is strictly a lab-based demonstration, and has not been reported in the wild.  Matousec did test a broad spectrum of AV products and reports the following (emphasis by Matousec): “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, <strong>100 % of the tested products were found vulnerable.</strong>”  Included in that list were Symantec, McAfee, Trend Micro, Kaspersky, Sophos and the other usual suspects.</p>
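<p>To make the check/use race concrete, the following is an added example written for this post, not code from Triumfant, Matousec or any of the tested vendors.  It is a user-mode model in C: the “kernel”, the “hook”, the policy prefix and the file paths are all stand-ins (constructed for the example), and the race window is modeled as an explicit callback rather than won by a racing thread, so the outcome is deterministic.  The shape is what matters: the vulnerable hook reads the argument out of caller-controlled memory once to check it and again to use it, while the hardened hook captures a private copy first and never looks at caller memory again.</p>

```c
#include <stdio.h>
#include <string.h>

/* Illustrative policy: writes under this prefix are to be denied. (assumed) */
#define PROTECTED_PREFIX "C:\\Windows\\System32\\"
#define MAX_PATH_LEN 260

enum outcome { BLOCKED = 0, WROTE_BENIGN = 1, WROTE_PROTECTED = 2 };

/* The check the security hook performs on the path it sees. */
static int policy_allows(const char *path)
{
    return strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0;
}

/* Stand-in for the real system call that runs once the hook has approved. */
static enum outcome kernel_write_file(const char *path)
{
    return policy_allows(path) ? WROTE_BENIGN : WROTE_PROTECTED;
}

/* Something the attacker gets to do inside the check/use window.
 * `argp` is the caller-controlled slot that both the hook and the
 * kernel read the argument from. */
typedef void (*window_fn)(const char **argp, const void *ctx);

/* Vulnerable hook: checks one read of caller memory, uses a second read. */
enum outcome hooked_write_vulnerable(const char **argp, window_fn in_window, const void *ctx)
{
    if (!policy_allows(*argp))          /* time of check: first read */
        return BLOCKED;
    if (in_window)
        in_window(argp, ctx);           /* the race window */
    return kernel_write_file(*argp);    /* time of use: second read */
}

/* Hardened hook: capture once, then check and use only the private copy. */
enum outcome hooked_write_hardened(const char **argp, window_fn in_window, const void *ctx)
{
    char captured[MAX_PATH_LEN];
    snprintf(captured, sizeof captured, "%s", *argp);   /* the only read */
    if (!policy_allows(captured))
        return BLOCKED;
    if (in_window)
        in_window(argp, ctx);           /* caller memory may change; we no longer care */
    return kernel_write_file(captured);
}

/* The attacker's move in the window: point the slot at the real target. */
static void swap_argument(const char **argp, const void *ctx)
{
    *argp = (const char *)ctx;
}

/* Scenario 1: benign argument at check time, swapped for the target in the window. */
enum outcome run_switch_attack(int hardened)
{
    const char *benign = "C:\\Users\\alice\\notes.txt";            /* constructed */
    const char *target = "C:\\Windows\\System32\\drivers\\x.sys";  /* constructed */
    const char *slot = benign;
    return hardened ? hooked_write_hardened(&slot, swap_argument, target)
                    : hooked_write_vulnerable(&slot, swap_argument, target);
}

/* Scenario 2: the target is presented honestly; both hooks should block it. */
enum outcome run_direct_attempt(int hardened)
{
    const char *target = "C:\\Windows\\System32\\drivers\\x.sys";  /* constructed */
    const char *slot = target;
    return hardened ? hooked_write_hardened(&slot, NULL, NULL)
                    : hooked_write_vulnerable(&slot, NULL, NULL);
}

int main(void)
{
    static const char *names[] = { "blocked", "wrote benign file", "wrote PROTECTED file" };
    printf("direct attempt,  vulnerable hook: %s\n", names[run_direct_attempt(0)]);
    printf("argument switch, vulnerable hook: %s\n", names[run_switch_attack(0)]);
    printf("argument switch, hardened hook  : %s\n", names[run_switch_attack(1)]);
    return 0;
}
```

<p>In the real attack the “slot” is user-mode memory passed to a hooked system call and the swap is done by a sibling thread, which is why a second core helps; the fix the model shows (capture the argument into kernel-owned memory before validating it, and act only on the captured copy) is the general cure for this class, and it is exactly the kind of re-read that a hook sitting in front of the kernel’s own capture step cannot avoid.</p>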
<p>Several of the AV companies have gone on the defensive and responded by noting that the attack is complex and would be difficult to execute in the wild.  Others have noted that it is plausible that known exploits in commonly used programs such as Adobe Reader could turn that software into a delivery vehicle for the malicious code payload needed to execute the KHOBE attack.</p>
<p>As for me, I sit in a zen like state, calmly observing the fuss.  Because Matousec is just the latest, albeit technically progressive, technique for evading defensive shields and getting a malicious payload to the machine.  My zen comes from knowing that Triumfant would be there after KHOBE did all of its complex machinations.  In spite of the technical sophistication of the argument-switch attack, the end result is the same basic trigger – the endpoint will be changed, and we will detect the change, and then we will step in to protect the machine.  Triumfant waits in an equally blissful state of zen, completely unaffected by the sophistication (or lack of sophistication) that got the attack to the machine.</p>
<p>My zen state is only deepened by the knowledge that even if this attack never makes it into the wild, it is a harbinger of new attacks being developed as we speak.  We just passed the ten-year anniversary of the “I love you” virus that rocked the world in May 2000.  Looking back now it seems rather quaint in the context of the malware we face today.  I am quite sure KHOBE is an example of the same phenomenon – except it will look quaint in 2 to 3 years instead of 10.</p>
<p>The bottom line is what I have said in numerous posts (<a href="http://blog.triumfant.com/2009/08/26/it-is-raining-and-you-will-get-wet/">here</a> and <a href="http://blog.triumfant.com/2010/04/20/defense-in-depth-there-is-no-perfect-shield/">here</a>) – attacks will get through your shields.  Write it in stone, because that fact will never change.  Ever.  It is the one absolute you can bank on.  That absolute is the source of my zen state because we provide a really unique and interesting solution that will detect what gets through the shields and restore attacked machines to pre-attack condition in less than five minutes.  This capability is that unique differentiation I spoke about earlier.</p>
<p>The term Nirvana is often defined as “a state of total bliss or happiness”.  I am not happy that organizations are being attacked and I find no bliss in seeing new attacks such as the argument-switch attack being created.  Quite the opposite: my bliss comes from knowing I have the right solution at the right time, and that we can help organizations protect their intellectual property and sensitive data as the complexity and volume of attacks continues to grow. We do not promise a sense of zen, but Triumfant sure can help protect you against whatever new attacks are created to evade your defenses.  And just maybe you will find a little more peace along the way.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/khobe-attack/'>KHOBE Attack</a>, <a href='http://blog.triumfant.com/tag/matousec-attack/'>Matousec Attack</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/17/maintaining-a-state-of-zen-in-the-face-of-the-matousec-khobe-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>The Worldwide Malware Signature Counter &#8211; A One Year Report Card</title>
		<link>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/</link>
		<comments>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/#comments</comments>
		<pubDate>Tue, 04 May 2010 13:56:05 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=704</guid>
<description><![CDATA[About a year ago we had the idea of the Worldwide Malware Signature Counter as a graphical representation of how the reliance on previous knowledge of attacks for detection was no longer a serviceable approach for protecting endpoint machines.  Much of the actual data used to build the math behind the filter (yes, it has [...]]]></description>
			<content:encoded><![CDATA[<p>About a year ago we had the idea of the <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Signature Counter</a> as a graphical representation of how the reliance on previous knowledge of attacks for detection was no longer a serviceable approach for protecting endpoint machines.  Much of the actual data used to build the math behind the filter (yes, it has thoughtfully constructed, sound mathematical principles behind it) was taken from the <a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_15">Symantec Internet Security Threat Report (ISTR)</a>.  Since Symantec just released the annual update to that report, it seemed an appropriate time to look back at the counter and see how well our analysis held up a year later.</p>
<p>All things considered, the counter was remarkably accurate.  Charting both the year-over-year and cumulative signature counts through 2008, we concluded that new signatures were growing at 60% of the cumulative rate on an annual basis.  This proved to be a bit aggressive, as Symantec’s actual numbers showed 2009 growth to be 51% of the cumulative number, or just under 2.9M new signatures.   But because we conceived the counter to be instructional and not hyperbole, we built the calculations on the conservative side and the counter in fact lagged just slightly behind the actual numbers reported by Symantec throughout the year and eventually in the ISTR.</p>
<p>When I first did the math on the numbers from the ISTR in 2009, I was struck by how the signature numbers broke down as a practical drag on the resources of the AV companies.  Of course a 51% increase year-over-year only exacerbates the problem.  Using the numbers from the recent ISTR, that burden translates to 241,316 signatures per month, roughly 7,934 signatures per day, 5.5 signatures per minute, and ultimately one signature every 12 seconds.  It is a model that is simply not sustainable, and by every indication, it will only get worse.</p>
<p>The bigger question after a year is “so what?”.  Well, the language from the AV vendors has certainly changed.  In fact, the following is a direct quote from the Symantec document:</p>
<p><em>Signature-based detection is lagging behind the creation of malicious threats—something which makes newer antivirus technologies and techniques, such as behavioral-based detection, increasingly important. … This trend suggests that security technologies that rely on signatures should be complemented with additional heuristics, behavioral monitoring techniques, and reputation-based security. </em>(page 48, Symantec Global Internet Threat Report – Trends for 2009, Volume XV, Published April 2010)</p>
<p>During his keynote at this year’s RSA, Symantec CEO Enrique Salem was quoted as saying “Traditional signature-based approaches to security are not keeping up.”  Of course, such admissions are directly colored by the alternative technologies the AV companies recently introduced to the market after ignoring calls from the rest of the industry for alternative detection methods.  But at least they have stepped away from their defense of signature-based AV in the face of all evidence to the contrary.  I am not claiming they were driven to such mea culpas by our signature counter, but I do think we helped point out the issue.</p>
<p>Unfortunately, while organizations have also come to terms with the limitations of signature-based AV, many are adopting the alternatives provided by the AV vendors instead of looking to more promising technologies.  Symantec brought Quorum to the market, so reputation-based security is their answer.  McAfee bought a whitelisting technology so – surprise! – whitelisting is their answer.  I guess I was hoping that organizations would see past the entrenched vendors for alternatives, given that these vendors were so slow to come to terms with the signature problem, but factors such as risk avoidance have <a href="http://blog.triumfant.com/2010/03/23/face-to-face-with-a-zealot-why-innovation-gets-throttled/">suppressed some innovative alternatives</a> from getting play.</p>
<p>Meanwhile, the counter continues to increment, and recently passed 7 million signatures, on pace to add over 4 million signatures for 2010.  I was recently asked if we planned on retiring the counter given the shift in sentiment toward signature-based AV.  We still see enough executives and security people who don’t yet understand the problem, so the counter will live on to help us make the point.</p>
<p>So in regards to a grade, how about a gold star for creativity, an “A” for the math, and an “I” (incomplete) for changing the world.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/symantec-internet-security-threat-report/'>Symantec Internet Security Threat Report</a>, <a href='http://blog.triumfant.com/tag/worldwide-malware-counter/'>Worldwide Malware Counter</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Lessons Learned from the McAfee DAT Fail</title>
		<link>http://blog.triumfant.com/2010/04/28/lessons-learned-from-the-mcafee-dat-fail/</link>
		<comments>http://blog.triumfant.com/2010/04/28/lessons-learned-from-the-mcafee-dat-fail/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 13:41:41 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>
		<category><![CDATA[antivirus detection rates]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=699</guid>
		<description><![CDATA[When I worked at Information Builders, founder and CEO Gerry Cohen would pass by my office in the evening and stop in and ask simply: what did we learn today?  While simple, that question forced you to take a look at the day and see what lessons could be learned from the experiences. Last week, [...]]]></description>
			<content:encoded><![CDATA[<p>When I worked at Information Builders, founder and CEO Gerry Cohen would pass by my office in the evening and stop in and ask simply: what did we learn today?  While simple, that question forced you to take a look at the day and see what lessons could be learned from the experiences.</p>
<p>Last week, the security market had quite the experience as McAfee inadvertently disabled thousands of PCs with an update to their signature files that knocked out a file critical to the XP operating system.  Now a week later, it is prudent to ask: what did we learn?</p>
<p><strong>This was inevitable.</strong> The velocity and volume at which malicious attacks have been growing simply overwhelmed the process of writing and updating signatures to keep pace.  The signature counts are now over 7 million, with half of those signatures coming in 2009.  I have been shouting this from the mountaintop for over a year now – the process is not sustainable.  That is why we started the <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Counter</a> to provide a visual representation of the problem.  Those who have chosen to look the other way can no longer ignore the evidence as this problem interrupted business, infrastructure, and healthcare.</p>
<p><strong>This is an industry problem, not a McAfee problem.</strong> I don’t blame McAfee; I think the law of averages simply kicked in and they were the unlucky target.  The other vendors will likely jump on McAfee, but they in fact owe them a debt because deep down they all know it could have been their number that came up first.  Trading McAfee AV for some other AV software is not the answer.</p>
<p><strong>This problem is not going away.</strong> Now the AV vendors will be under increasing scrutiny, and the relentless burden of writing signatures will only worsen.  They are being strangled on both ends, and similar problems are sure to follow.  Yes, they will all tighten their QA processes, but the forces at work will only grow stronger and the process will buckle again.  And by the way, have you ever stopped to think of the load on the network and the endpoints to continuously deliver and process ever larger DAT files? Or the performance hit of having to check 7M signatures constantly?</p>
<p><strong>Malware writers will leverage the “Tony Stark Effect”.</strong> In Iron Man, Tony Stark cannot have the shrapnel removed from his chest because it is too close to his heart.  In the same way, malware writers were already pushing attacks closer to the critical files at the heart of the operating system.  This pushed McAfee to extend some generic signatures too close to one of these files and it backfired.  Now the AV vendors will be skittish about signatures that get close to other files like SVCHOST, which is a gap that the malware writers will exploit.</p>
<p><strong>The Linux, Mac, and anti-AV forces will be in full voice.</strong> This event will feed the fires of those who either tout their OS as a malware-free environment or those on the fringe who advocate running without AV software.  While we can detect the attacks that evade AV software, we never advocate going without AV and believe it has a place in the defensive strategy for the endpoint.  But it does need help, as antivirus detection rates demonstrate the holes.  I am also a believer that if everyone shifted to Linux or the Mac, then the malware writers would follow.  Remember the answer Willie Sutton, the prolific bank robber, gave to the famous question “why do you rob banks?”: “because that is where they keep the money”.  If business moves to these OSs, the malware will follow.</p>
<p><strong>While I don’t blame McAfee, they really dropped the ball in responding to the crisis.</strong> McAfee is a partner and I normally find them pretty savvy with their marketing and their handling of the media.  But they flat out crashed and burned in handling this problem, starting with initial denials and following with near radio silence over the first 48 hours.  While this could have happened to any AV vendor, I do have to call out McAfee for the weak response.</p>
<p>It will be interesting to watch as this problem continues to play out.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/antivirus-detection-rates/'>antivirus detection rates</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/worldwide-malware-counter/'>Worldwide Malware Counter</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/04/28/lessons-learned-from-the-mcafee-dat-fail/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
	</channel>
</rss>