<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Triumfant Blog &#187; advanced persistent threat</title>
	<atom:link href="http://blog.triumfant.com/tag/advanced-persistent-threat/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.triumfant.com</link>
	<description>Cyber Security and all things Triumfant</description>
	<lastBuildDate>Wed, 01 Sep 2010 12:06:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.triumfant.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/37f395d2ea712a95a83ee12d3bfd7c00?s=96&#038;d=http://s2.wp.com/i/buttonw-com.png</url>
		<title>Triumfant Blog &#187; advanced persistent threat</title>
		<link>http://blog.triumfant.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.triumfant.com/osd.xml" title="Triumfant Blog" />
	<atom:link rel='hub' href='http://blog.triumfant.com/?pushpress=hub'/>
		<item>
		<title>USB Security Issues Illustrate the Last Mile Problem of IT Security</title>
		<link>http://blog.triumfant.com/2010/09/01/usb-security-issues-illustrate-the-last-mile-problem-of-it-security/</link>
		<comments>http://blog.triumfant.com/2010/09/01/usb-security-issues-illustrate-the-last-mile-problem-of-it-security/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 12:06:12 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Compliance and Configuration Management]]></category>
		<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[antivirus detection rates]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[USB Security]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=778</guid>
		<description><![CDATA[There has been a lot of news lately about USB security problems.  A recent Government Computing News article by William Jackson referenced the 2008 Pentagon breach that started from a worm uploaded from a USB flash drive.  Computerworld has an article by Darlene Storm that recounts several “USB security blunders”, including malware on free USB [...]]]></description>
			<content:encoded><![CDATA[<p>There has been a lot of news lately about USB security problems.  A recent Government Computing News <a href="http://gcn.com/articles/2010/08/25/dod-cyberdefense-strategy-082510.aspx?s=hls_310810&amp;admgarea=TC_COOPHLS">article by William Jackson</a> referenced the 2008 Pentagon breach that started from a worm uploaded from a USB flash drive.  Computerworld has an <a href="http://blogs.computerworld.com/16800/ironic_malware_infected_usb_security_blunders">article by Darlene Storm</a> that recounts several “USB security blunders”, including malware on free USB tradeshow giveaways.</p>
<p>USB devices and their use illustrate how little real information IT departments have about their endpoint populations.  It is a strange derivation of the “last mile” phenomenon: they closely measure and monitor networks and servers, but have very little insight into what is on, or what is happening on, the endpoint machines that are the last mile of the IT architecture.</p>
<p>For example, our CTO Dave Hooks was at a customer site where they told him that USB keys were forbidden and that they had eliminated their use within the organization.  Dave promptly ran a report easily accessible from the data in the Triumfant repository to show that a USB storage device had in fact been used on over 10 percent of the machines in the organization over the past two weeks.  This information certainly opened some eyes.</p>
<p>You see, because Triumfant scans for over 200,000 attributes per machine, we have the data available to produce such a report.  But unless an organization has Triumfant or some other means of collecting that information, it has no idea of the extent of such activity.  That is why the Computerworld article notes that agencies have resorted to gluing USB ports shut in the absence of actionable data.</p>
<p>When I write about Triumfant it is to educate on the capabilities of the tool, given that it is unlike other tools on the market.  The ability to report on machines that use USB storage devices is a small but significant example of what Triumfant can do: provide information where there is a vacuum.  Information drives understanding, which drives analysis, which drives action.  Secondly, disabling AutoRun, so that an autorun.inf on a removable drive can no longer launch anything the moment the drive is inserted, is one step an organization can take in defending against malware on USB devices, and it is one of the actions borne of information.  Continuously enforcing that configuration setting is easily accomplished by Triumfant.</p>
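<p>As an added example (this is not Triumfant's code and not the repository report described above), the following PowerShell shows how an administrator can pull the same two facts from a single Windows endpoint without an agent: which USB mass-storage devices have been attached to it, and whether AutoRun is disabled for every drive type.  The registry paths are the standard Windows ones; the function names, the 0xFF "all drive types" mask and the console output are this example's own choices.  The enforcement step needs an elevated session.</p>

```powershell
# Added example, not Triumfant's code. Inventory USB mass-storage devices that
# Windows has ever enumerated on this host, then check and (if needed) enforce
# the Explorer AutoRun policy that stops autorun.inf on removable media from
# launching anything automatically. Run elevated for Set-AutoRunDisabled.

# Every USB mass-storage device Windows has enumerated leaves a key under
# USBSTOR, and the key survives removal of the device.
$UsbStorKey   = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
# NoDriveTypeAutoRun is a bitmask of drive types for which AutoRun is disabled;
# 0xFF covers all of them (mask value chosen for this example).
$ExplorerPol   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AllDrivesMask = 0xFF

function Get-UsbStorageHistory {
    # One object per USB storage device instance found in USBSTOR. Presence
    # here means "has been connected at some point"; the registry value data
    # alone does not say when.
    if (-not (Test-Path $UsbStorKey)) { return @() }
    Get-ChildItem $UsbStorKey | ForEach-Object {
        $deviceClass = $_.PSChildName   # e.g. Disk&Ven_Kingston&Prod_DataTraveler&Rev_1.00
        Get-ChildItem $_.PSPath | ForEach-Object {
            $props = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                ComputerName = $env:COMPUTERNAME
                DeviceClass  = $deviceClass
                InstanceId   = $_.PSChildName   # usually the device serial number
                FriendlyName = $props.FriendlyName
            }
        }
    }
}

function Test-AutoRunDisabled {
    # True only when the policy value exists and covers every drive type.
    if (-not (Test-Path $ExplorerPol)) { return $false }
    $value = (Get-ItemProperty -Path $ExplorerPol -Name NoDriveTypeAutoRun `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $value) { return $false }
    return (($value -band $AllDrivesMask) -eq $AllDrivesMask)
}

function Set-AutoRunDisabled {
    # Idempotent enforcement: re-creates the policy value only when drift is
    # detected. Returns $true when it had to correct something, so a scheduled
    # run can report drift rather than silently fix it.
    if (Test-AutoRunDisabled) { return $false }
    if (-not (Test-Path $ExplorerPol)) { New-Item -Path $ExplorerPol -Force | Out-Null }
    Set-ItemProperty -Path $ExplorerPol -Name NoDriveTypeAutoRun -Value $AllDrivesMask -Type DWord
    return $true
}

# --- usage ---
$history = @(Get-UsbStorageHistory)
"{0}: {1} USB storage device(s) have been attached to this machine" -f $env:COMPUTERNAME, $history.Count
$history | Format-Table DeviceClass, InstanceId, FriendlyName -AutoSize

if (Set-AutoRunDisabled) { "AutoRun policy was missing or incomplete; NoDriveTypeAutoRun set to 0xFF" }
else                     { "AutoRun already disabled for all drive types" }
```

<p>Two caveats a practitioner would want.  First, USBSTOR answers "ever attached", not "attached in the past two weeks"; to date the activity you need the last-write time of each instance key (not exposed by the registry cmdlets without a Win32 call) or the device-install entries in <code>C:\Windows\inf\setupapi.dev.log</code>, and to get a fleet-wide percentage you still need something that collects the result from every machine.  Second, the AutoRun policy only blocks automatic execution; it does nothing if a user opens a malicious file on the drive by hand.  Where the organization really has "forbidden" USB keys, the stricter control is to set the <code>Start</code> value of the <code>HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR</code> service to 4 (disabled), which prevents the mass-storage driver from loading at all.</p>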
<p>The threat presented by USB devices is also a reminder that all of the network security in the world won’t protect against malware introduced directly to the machine.  Here again Triumfant comes to the rescue as Triumfant is able to detect attacks such as the Pentagon worm that made it through the endpoint defenses.  In such cases, Triumfant would have seen the worm when it executed, analyzed the threat, and built a remediation to remove the worm on every machine where it was introduced.  The time from infection to remediation would have been under five minutes, which likely would have kept it from propagating.</p>
<p>The threat represented by USB storage devices is not new and it is certainly not the last threat organizations will face.  It is an example of how detailed information about the endpoint population can help address such threats, and how organizations must look past traditional defenses to guard against such threats.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/09/01/usb-security-issues-illustrate-the-last-mile-problem-of-it-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Intel Acquires McAfee, IBM Acquires BigFix &#8211; What Does It Mean to You?</title>
		<link>http://blog.triumfant.com/2010/08/20/intel-acquires-mcafee-ibm-acquires-bigfix-what-does-it-mean-to-you/</link>
		<comments>http://blog.triumfant.com/2010/08/20/intel-acquires-mcafee-ibm-acquires-bigfix-what-does-it-mean-to-you/#comments</comments>
		<pubDate>Fri, 20 Aug 2010 13:09:24 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[Intel acquires McAfee]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=774</guid>
		<description><![CDATA[Intel acquired McAfee yesterday and there were numerous shockwaves throughout the IT security industry.  The announcement was unexpected and there was no pre-brief on the move, so writers and analysts were left to speculation and conjecture.  Most struggled to see the logic in the deal, and most had a negative impression of its long-term outcome.  [...]]]></description>
			<content:encoded><![CDATA[<p>Intel acquired McAfee yesterday and there were numerous shockwaves throughout the IT security industry.  The announcement was unexpected and there was no pre-brief on the move, so writers and analysts were left to speculation and conjecture.  Most struggled to see the logic in the deal, and most had a negative impression of its long-term outcome.  For what it is worth, I can provide you my impressions.</p>
<p>I was on the phone with a gentleman the other day who is a 30+ year veteran of IT, mostly in security.  He was lamenting a favorite product that had been purchased by one of the very large AV vendors and noted that “&lt;<em>insert AV company name here</em>&gt; is the place where good products go to die”.  Now one of those large vendors (McAfee) has been acquired by an even larger vendor (Intel) that has no real pedigree in security.  One might ask whether companies like Intel (or IBM) are the place where the companies where good products go to die, go to die.  (Even I had to read that twice.)</p>
<p>Some smart people have said that this acquisition, as well as the acquisition of BigFix by IBM, won’t change anything.  I have been acquired before and I can assure you it will change <strong>everything</strong>.  No matter how much the acquiring company says it will not change things, trust me, things will change.  BigFix was moved into IBM’s Software Group, specifically the Tivoli division.  Operations and security are converging, but the fact that BigFix is now in an operations oriented division would cause me concern if I were a security oriented customer of BigFix.  Speculation is that Intel acquired McAfee as a play to protect mobile devices and embedded chips.  How does that make me feel if I am a McAfee customer and my concentration is on endpoint security?  Will I become a second class citizen?  Will they continue to innovate as the threats evolve?  This is not FUD, folks &#8211; history has proven me right more times than anyone can count and examples abound.  And everyone deep down knows it to be true.</p>
<p>Both McAfee and BigFix are one bad quarter by their acquiring company and operational division from a re-org that begins to strip away their identity.  Cultures between the acquiring company and the smaller organizations will inevitably clash.  Plenty of smart people in the acquired companies will chafe under the slower moving, more political climate.  They will simply cash out and leave.</p>
<p>I have full confidence that time will prove me right.  If you have not been on my side of the business you may not know that smaller companies normally rejoice when a competitor is acquired because it tends to distract them for at least 12 months and creates enormous opportunity.</p>
<p>So what does this mean to you?  I would submit that choosing a large security company as a perceived hedge against risk may be futile.  The McAfee acquisition proves that everyone can get bought, and in fact the rumors about Symantec are now rampant.  So choosing the “one throat to choke” path and taking the monolithic offerings from McAfee or Symantec or IBM may not buy you any risk reduction, and may in fact force you to compromise your security with products that don’t deliver to your needs.</p>
<p>Unlike any other segment of IT, security people must be pragmatic and make hard decisions.  I understand that there is personal, professional risk in choosing smaller companies, but in most cases they are where the real innovation happens.  <strong>That is why small companies get acquired, because larger companies tend to stop innovating</strong>.</p>
<p>My advice?  Don’t compromise and blindly buy into the suites.  Evaluate your security threats and needs and don’t fear innovative products just because the company can’t afford a booth the size of an airplane hangar at RSA.  Don’t wring your hands over companies being acquired, as that is the nature of the business and it will either happen or it won’t, but the bad guys will persist.  And even the large companies perceived as “safe bets” are every bit as much in play as a company with under $100M in revenue.  Yesterday’s acquisition proved that.  Don’t saddle yourself with bloated agents and monolithic product suites full of “me-too” stuff that do not effectively address your security risks.</p>
<p>Remember that the bad guys thrive when organizations delay important decisions or make “safe” decisions.  I would submit that yesterday&#8217;s acquisition proves there is no such thing as a safe decision.  So free yourself of that worry and choose the products that help you win the battle.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/08/20/intel-acquires-mcafee-ibm-acquires-bigfix-what-does-it-mean-to-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Symantec Says Black Hats are Winning &#8211; We Say Don&#8217;t Throw in the Towel Yet!</title>
		<link>http://blog.triumfant.com/2010/08/17/symantec-says-black-hats-are-winning-we-say-dont-throw-in-the-towel-yet/</link>
		<comments>http://blog.triumfant.com/2010/08/17/symantec-says-black-hats-are-winning-we-say-dont-throw-in-the-towel-yet/#comments</comments>
		<pubDate>Tue, 17 Aug 2010 15:36:57 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Quorum]]></category>
		<category><![CDATA[advanced persistent threat]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=769</guid>
		<description><![CDATA[There is an interesting article floating about on multiple web sites with the title: “Black Hats are Winning, Symantec Says”.  The article appears in ComputerWorld, PCWorld, NetworkWorld and other sites. While this may be an interesting admission by Symantec, I think the bigger problem is that we are allowing the black hats to out-innovate us.  [...]]]></description>
			<content:encoded><![CDATA[<p>There is an interesting article floating about on multiple web sites with the title: “Black Hats are Winning, Symantec Says”.  The article appears in <a href="http://www.computerworld.com/s/article/9180766/Blacks_hats_winning_says_Symantec">ComputerWorld</a>, PCWorld, NetworkWorld and other sites.</p>
<p>While this may be an interesting admission by Symantec, I think the bigger problem is that we are allowing the black hats to out-innovate us.  More precisely, we are allowing market dynamics and an aversion to adopting new technologies to stifle innovation unnecessarily and therefore give the adversary an even bigger advantage.  We are, in some sense, helping them win.</p>
<p>Organizations trusted the AV vendors to address the signature problem and got the long list of technologies cited in the article: heuristic, behavioural and intrusion prevention technologies.  The AV vendors trotted each of these technologies out to solve the shortcomings of their solution and each proved in turn to have significant shortcomings.  The cycle perpetuated itself because traditional thinking and the reliance on prior knowledge hampered these supposed solutions.  Because these technologies failed, Symantec is now emphasizing their reputation-based security, while McAfee has been leaning hard on their whitelisting technology.</p>
<p>The very real innovations that are available today often do not get the opportunity to prove their worth and show that they can help win the ongoing fight.  The big vendors will protect their turf by telling customers that they “can do that” when a closer look may prove otherwise.  Much of what the 800-pound gorillas bring to the market is based more on justifying their latest acquisition rather than innovating to keep up with the bad guys.  Organizations respond by taking what they perceive to be a less chancy path and trusting the big vendors in spite of their track record, because innovation often comes from smaller companies that may be perceived as introducing risk due to their size.  This cycle serves to hand the innovation advantage to the adversary.</p>
<p>The adversary already has an advantage, because defense will always trail offense.  What we must collectively avoid is throwing in the towel and allowing our own actions to widen the gap needlessly.  Organizations must look past the traditional vendors to new and innovative detection technologies, and the larger established 800-pound gorillas in the room must stop stifling innovation through their “not invented here” attitudes.</p>
<p>No matter what Symantec or any other traditional vendor may say, there is no reason to throw in the towel if organizations would think beyond traditional companies and approaches and embrace innovation.  We obviously think Triumfant is one such innovation, but I have seen many other good ideas on the market.  Let&#8217;s not declare the battle over just yet, but instead let&#8217;s make sure we create an environment where innovation can flourish and be readily engaged in the battle.  The adversary certainly has no such artificial barriers.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/08/17/symantec-says-black-hats-are-winning-we-say-dont-throw-in-the-towel-yet/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Crossing Into a New Phase of How We View IT Security</title>
		<link>http://blog.triumfant.com/2010/07/21/crossing-into-a-new-phase-of-how-we-view-it-security/</link>
		<comments>http://blog.triumfant.com/2010/07/21/crossing-into-a-new-phase-of-how-we-view-it-security/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 13:39:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[antivirus detection rates]]></category>
		<category><![CDATA[advanced persistent threat]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=758</guid>
		<description><![CDATA[I believe the evidence is now sufficient to say that we have crossed into a new phase of how IT Security is viewed in a broader perspective.  To be clear, I am not saying that the new phase is about recognizing that the adversary and the attacks that they build have evolved &#8211; that is well documented. [...]]]></description>
			<content:encoded><![CDATA[<p>I believe the evidence is now sufficient to say that we have crossed into a new phase of how IT Security is viewed in a broader perspective.  To be clear, I am not saying that the new phase is about recognizing that the adversary and the attacks that they build have evolved &#8211; that is well documented.  The new phase is about a pragmatic discourse about how IT security must accept fundamental change to effectively address the evolving threats at a much broader level.  This new phase  is all about embracing a much harsher reality than the previous phase, because at its core, this new phase is about accepting that we cannot effectively shield endpoint computers and servers from every attack.  This new phase goes beyond analysts and strategists to the people on the front line of the daily battle.</p>
<p>Don&#8217;t dismiss the emotional transition centered around admitting &#8211; and accepting &#8211; that we simply cannot build enough walls or create a good enough shield to completely protect machines from attack.  It is human nature to seek protection first, and then come to terms with dealing with the consequences of when that protection fails only when it is clear that it will fail.  Walls bring protection, but they also imbue a false sense of security that people will cling to even when the evidence begins to build that the wall is no longer sufficient.</p>
<p>Many sources fueled this line of thinking.  The vendors all raced to sell the perfect shield and therefore the tide of messaging around prevention was overwhelming.  Executives were far more comfortable talking about protection than incident response, forensics, and remediation.  The rapidly growing number of attacks artificially inflated the <a href="http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/">antivirus detection rates</a> in security reporting, creating a false sense of security.  Rank and file users were still generally under more pedestrian attacks and therefore felt no perceptible change in the greater threat landscape.</p>
<p>There have long been insightful thinkers and those on the front line protecting the information targeted by the <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> who have attempted to raise the level of discourse over the past several years.  The evolving threats have reached a point of saturation that the pain has become more widespread.  This new reality has forced organizations to get past the emotional attachment to a 100% shield and we now have a critical mass large enough to drive the broader discourse.</p>
<p>So what are the general themes of this discourse and the new phase of IT Security?  Here is my summary:</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="319" valign="top"><strong>Old Phase Thinking</strong></td>
<td width="319" valign="top"><strong>New Phase Thinking</strong></td>
</tr>
<tr>
<td width="319" valign="top">Build as many walls as possible to prevent anything from getting to the machine</td>
<td width="319" valign="top">You cannot prevent everything, so you must be able to detect successful attacks</td>
</tr>
<tr>
<td width="319" valign="top">Assume the machine is clean unless I am told differently</td>
<td width="319" valign="top">Assume every machine is compromised</td>
</tr>
<tr>
<td width="319" valign="top">Re-image as a matter of policy</td>
<td width="319" valign="top">Remediate and fight through</td>
</tr>
<tr>
<td width="319" valign="top">Detection reports say I am more secure because I detect more attacks every month</td>
<td width="319" valign="top">Detection reports show more attacks being detected because there are more attacks to detect</td>
</tr>
</tbody>
</table>
<p>Several new articles came out in the past several weeks about assuming that your machine has been attacked &#8211; one such article by Andrew Jaquith can be found <a href="http://blogs.forrester.com/andrew_jaquith/10-07-20-assuming_your_company_0wned_that%E2%80%99s_risk_management">here</a>.  I heard the shift in many of the presentations at conferences such as the Gartner Security Conference in late June.  It is a healthy discourse, and the right step toward a better set of thinking for meeting the evolving threats.  It also creates a much healthier set of expectations for all concerned.  IT security can balance prevention and detection and look into technologies that help them detect successful attacks.  Executives will be aware that there is no 100% shield and therefore understand the associated organizational risk.  All of this opens a far more pragmatic approach to the realities of today.  Or as Roger Grimes puts it in a <a href="http://www.infoworld.com/d/security-central/security-rule-no-1-assume-youre-hacked-005?page=0,0">recent article in Infoworld</a>: &#8220;Accept that your company&#8217;s IT systems have been compromised &#8212; then get to work defending them&#8221;.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/07/21/crossing-into-a-new-phase-of-how-we-view-it-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Have No Fear: Triumfant&#8217;s Remediation Capability is Automated, Not Automatic</title>
		<link>http://blog.triumfant.com/2010/07/09/have-no-fear-triumfants-remediation-capability-is-automated-not-automatic/</link>
		<comments>http://blog.triumfant.com/2010/07/09/have-no-fear-triumfants-remediation-capability-is-automated-not-automatic/#comments</comments>
		<pubDate>Fri, 09 Jul 2010 12:16:49 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Compliance and Configuration Management]]></category>
		<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[zero day malware]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[automated remediation]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=747</guid>
		<description><![CDATA[In my previous blog entry I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a misunderstanding between the words “automated” and “automatic”.  [...] ]]></description>
			<content:encoded><![CDATA[<p>In my <a href="http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/">previous blog entry</a> I attempted to unravel some of the fear, uncertainty and doubt around our automated remediation capabilities.  After a week of quiet contemplation at the beach and writing a whitepaper on the subject I had an epiphany.  I think the fear comes from a misunderstanding between the words “<strong><em>automated</em></strong>” and “<strong><em>automatic</em></strong>”.  Allow me to explain.</p>
<p>Triumfant has <strong><em>automated</em></strong> the construction of a remediation for any malicious attack or anomalous incident it finds.  The detail is all there in the <a href="http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/">blog entry</a>.  But in short, because Triumfant knows what has changed and knows the value of every attribute or file before it was changed, it is a logical next step to build a remediation script to return the affected attributes to their pre-attack condition.  No spooky “thinking computer” stuff, just sound logic driven by the capabilities of our granular change detection.</p>
<p>The <strong><em>automated</em></strong> remediation Triumfant creates is not <strong><em>automatic</em></strong> in its execution.  The Triumfant administrator must perform a one-touch confirm of the remediation before it is sent to the agent for execution.  Triumfant does the heavy lifting of analyzing the attack or problem and building a comprehensive remediation script.  It is <strong><em>automated</em></strong>.  There is still the failsafe of human interaction as a confirmation.  It is not <strong><em>automatic</em></strong>.</p>
<p>There are easily implemented mechanisms to make remediations automatic for incidents encountered in the past and for configuration and policy enforcement.  In these cases the remediations are known and the customer is comfortable with their effects.  For example, we have customers who identify specific applications they want removed from endpoint machines, and these remediations are automatic.  But for anything new encountered by Triumfant, such as a zero day attack or an <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> type attack, the default is the one-touch confirm by the administrator, providing oversight and control.</p>
<p>Why am I writing about this subject?  People seem to have a love/fear relationship with the concept of automated remediation.  For example, at the NIST Security Automation Conference last October in Baltimore I asked the attendees in my presentation two questions:</p>
<p>Q1: Who wants automated remediation?  A: Every hand in the room enthusiastically shot up.</p>
<p>Q2: Who is ready to implement automated remediation?   A: Crickets.</p>
<p>All I can surmise is that security people suffer from what I have dubbed &#8220;SkyNet Syndrome&#8221; – the lingering effects of watching science fiction movies and television series that ultimately play the “smart computer comes to life and destroys the world” card.  The list is long and distinguished: M5 and Nomad on Star Trek the Original Series, V’Ger in the first Star Trek movie, Colossus from Colossus: The Forbin Project, Proteus in Demon Seed, and, of course, SkyNet from The Terminator.</p>
<p>Notice that I did not include W.O.P.R. from WarGames as he was hacked and did not become sentient.  Of course he was hacked because he had poorly configured endpoint protection that could have been easily recognized through change detection and quickly addressed by Triumfant through an automated remediation.  But I digress.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/automated-remediation/'>automated remediation</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/07/09/have-no-fear-triumfants-remediation-capability-is-automated-not-automatic/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Triumfant&#8217;s Automated Remediation &#8211; Not Voodoo, Sensible Can-Do</title>
		<link>http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/</link>
		<comments>http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/#comments</comments>
		<pubDate>Mon, 14 Jun 2010 14:55:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[zero day malware]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[automated remediation]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=737</guid>
		<description><![CDATA[It has come to my attention that many have a hard time getting their heads around our automated remediation capabilities.  The concepts around the way Triumfant performs automated remediation are really quite simple, so allow me to explain: We know what changed. We continuously scan the machine for changes and if we see an indication [...] ]]></description>
			<content:encoded><![CDATA[<p>It has come to my attention that many have a hard time getting their heads around our automated remediation capabilities.  The concepts around the way Triumfant performs automated remediation are really quite simple, so allow me to explain:</p>
<p><strong>We know what changed.</strong> We continuously scan the machine for changes, and if we see an indication that the machine is under attack we perform an accelerated full scan to kick off the analysis process.  So when Triumfant&#8217;s patented analytics perform the analysis of a malicious incident, each and every change to the machine is available for consideration.   Triumfant not only sees what has changed, but we are uniquely able to group changes to identify which changes are part of each specific incident.  The analytics leverage over 25 different correlation algorithms to determine all of the primary and secondary artifacts from any given attack.  We identify the attack and all of the changes associated with the attack, such as configuration changes and opened ports.  The changes break down into three basic change types: unexpectedly present means that something new has been added, unexpectedly absent means that something that was there is no longer there, and unexpectedly modified means that the value has been changed.</p>
<p><strong>We know what the attribute or file looked like before it changed.</strong> The first step performed by the Triumfant agent is to take a snapshot of the over 200K attributes we monitor.  This includes an MD5 hash of every file on the machine.  A copy of this snapshot is continuously maintained on the endpoint and on the Triumfant server.   Therefore, Triumfant has a very logical and unique set of data that serves as the ingredients to write the remediation: we know what has changed, we know the current (changed) value, and we know the value prior to the change.  Brutally simple in concept, but elegantly and efficiently executed.</p>
<p><strong>We therefore can build a script to modify the things that changed back to what they used to be before they were changed.</strong> Once you know what attribute or file has changed and know what the attribute or file looked like before it was changed, it is not hard to construct a script to change things back.  Actually, there are some challenges, but luckily our engineers have made it look simple.  For example, it is easy to delete things that are not supposed to be on the machine, and it is easy to restore modified or deleted attribute values.  It is not that simple to restore missing or corrupted files.  That is why Triumfant’s donor technology (patent pending) is so remarkable.  Triumfant uses our knowledge base (automatically generated) to find a donor machine that has the same missing or corrupted file (version, OS, validated by the MD5 hash) and uses that donor machine to provide a copy to move to the affected machine.  I will explore the donor technology and the <a href="http://blog.triumfant.com/2009/08/19/what-ultimately-sets-triumfant-resolution-manager-apart-context/">context</a> that powers it in a future post; suffice to say the capability is completely unique to Triumfant and is an elegant solution to a very difficult problem when considering automated remediation.</p>
<p>Makes sense when you lay it out this way, doesn&#8217;t it?  Triumfant uses this very simple logic flow to build a custom remediation script for each and every incident that is contextual, situational, and surgical.  The script is constructed without the need for human intervention at the server and sent to the agent for execution after confirmation by an administrator.  The remediation only affects those attributes and files that were part of the attack and does not affect any of the changes done to the machine outside of the incident.  None of the user’s work or any of the benign changes to the machine are lost.  And you should not have to re-image the machine out of fear that there may be artifacts of the attack still lurking on the machine.</p>
<p>This is not a rollback to an image, and there is no interaction required from the end user, including (except in the most extreme cases) a reboot.  We are not pulling from a library of pre-written remediations that can&#8217;t possibly know enough to address all of the primary and secondary artifacts of an attack.</p>
<p>This is not VooDoo, but sound, sensible science.  It takes the concepts of change detection and extrapolates them to their logical end &#8211; not only can Triumfant see the attacks that evade other defenses, it can build a remediation that stops the attack and removes all of the collateral damage of the attack.   We are not a shield, but we go from infection (not detection, which for many tools takes days, weeks, even months) to remediation in less than five minutes.  So given that the shields miss so much, the fact that malware exists on the machine for five minutes is a more than equitable trade-off for those organizations dealing with the <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">advanced persistent threat</a>, zero day attacks, and rootkits.</p>
<p>Finally, I know the term &#8220;automated&#8221; gives everyone heartburn.  Everyone likes the concept, but is skittish on actually implementing.  Not to worry.  We build the remediation automatically, but by default it does not run automatically.  The administrator will get an alert that malware has been detected, and the administrator can then evaluate Triumfant&#8217;s findings and validate the remediation before it is executed.  And every remediation is completely reversible.  We provide all of the analysis and write the remediation script, you actually put it into motion.</p>
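<p>The mechanism laid out in this post (baseline snapshot, the three change types, a revert script built from the pre-change values, a donor copy for files, and a reversible result) and the automated-versus-automatic gate described in the preceding post can be sketched in a few dozen lines.  The following is an added illustration written for this page, not Triumfant&#8217;s code: the attribute names, the two snapshots, the donor table and the fingerprint-based approval policy are all constructed for the example.  It also carries one caveat the post does not state: MD5 is kept only to match the description, and a design built today would use SHA-256, since MD5 collisions are practical and a matched hash is exactly what qualifies a donor copy.</p>

```python
"""Snapshot-diff remediation with a confirm gate.

Added illustration; not Triumfant's code. The attribute names, the sample
snapshots, the donor table and the approval policy are all constructed here.
"""
import hashlib
import json


def md5_hex(data: bytes) -> str:
    """Content fingerprint, MD5 as in the post. A new design would use SHA-256:
    MD5 collisions are practical, so an attacker could forge a 'matching' donor file."""
    return hashlib.md5(data).hexdigest()


# Constructed sample: the pre-incident baseline and the post-incident snapshot of
# one endpoint. File attributes carry the MD5 of the file contents; the other
# attributes carry their raw value.
GOOD_SVC = b"original service binary"
BASELINE = {
    "file:C:/Windows/System32/svchost.exe": md5_hex(GOOD_SVC),
    "reg:HKLM/System/CurrentControlSet/Services/Dnscache/Start": "2",
    "firewall:inbound/tcp/4444": "blocked",
}
CURRENT = {
    "file:C:/Windows/System32/svchost.exe": md5_hex(b"trojanized service binary"),
    "file:C:/Users/Public/dropper.exe": md5_hex(b"dropper payload"),
    "reg:HKLM/Software/Microsoft/Windows/CurrentVersion/Run/Updater": "C:/Users/Public/dropper.exe",
    "firewall:inbound/tcp/4444": "allowed",
}
# Constructed donor knowledge base: (attribute, expected md5) -> host holding a matching copy.
DONORS = {("file:C:/Windows/System32/svchost.exe", md5_hex(GOOD_SVC)): "ws-0042"}


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Classify every change into the post's three buckets."""
    return {
        "present": sorted(set(current) - set(baseline)),          # unexpectedly present
        "absent": sorted(set(baseline) - set(current)),           # unexpectedly absent
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),         # unexpectedly modified
    }


def build_remediation(changes: dict, baseline: dict, donors: dict) -> list:
    """One action per changed attribute, returning it to its baseline value."""
    actions = []
    for key in changes["present"]:
        actions.append({"op": "delete", "key": key})
    for key in changes["absent"] + changes["modified"]:
        want = baseline[key]
        if not key.startswith("file:"):
            actions.append({"op": "set", "key": key, "value": want})
            continue
        # A missing or corrupted file cannot be rebuilt from its hash: fetch a copy
        # from a donor whose file still hashes to the baseline value.
        donor = donors.get((key, want))
        if donor is None:
            actions.append({"op": "manual", "key": key, "reason": "no donor with matching hash"})
        else:
            actions.append({"op": "restore_file", "key": key, "md5": want, "donor": donor})
    return actions


def undo_plan(actions: list, current: dict) -> list:
    """Inverse actions, recorded before execution so the remediation can be reversed.
    Deleted items are assumed quarantined, so 'put_back' can restore them."""
    inverse = []
    for act in actions:
        key = act["key"]
        if act["op"] == "delete":
            inverse.append({"op": "put_back", "key": key, "value": current[key]})
        elif act["op"] in ("set", "restore_file"):
            if key in current:
                inverse.append({"op": "put_back", "key": key, "value": current[key]})
            else:
                inverse.append({"op": "delete", "key": key})
    return inverse


def fingerprint(actions: list) -> str:
    """Stable identity of a remediation plan, used to recognise one approved before."""
    return hashlib.sha256(json.dumps(actions, sort_keys=True).encode()).hexdigest()


def decide(actions: list, approved: set) -> str:
    """'automatic' only for a plan an administrator has already approved and that
    needs no manual step; anything new falls back to a one-touch 'confirm'."""
    if any(act["op"] == "manual" for act in actions):
        return "confirm"
    return "automatic" if fingerprint(actions) in approved else "confirm"


if __name__ == "__main__":
    changes = diff_snapshots(BASELINE, CURRENT)
    plan = build_remediation(changes, BASELINE, DONORS)
    print(json.dumps(plan, indent=2))
    print("decision:", decide(plan, approved=set()))
```

<p>Run stand-alone, the script prints the five-step plan for the constructed incident (two deletions, two value resets and one donor restore) and the decision <code>confirm</code>, because no administrator has approved that plan yet.  Adding the plan&#8217;s fingerprint to the approved set is the &#8220;known remediation&#8221; case and flips the decision to <code>automatic</code>; a plan that needs a manual step never auto-executes, whatever the approved set says.  Note that a fingerprint only recognises a byte-identical plan, so a standing policy such as &#8220;remove application X from every endpoint&#8221; would be expressed as an approved pattern rather than a single fingerprint.</p>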
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/automated-remediation/'>automated remediation</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>The Google Microsoft Security Dust-up and the Marketing Genius Behind the Scenes</title>
		<link>http://blog.triumfant.com/2010/06/03/the-google-microsoft-security-dust-up-and-the-marketing-genius-behind-the-scenes/</link>
		<comments>http://blog.triumfant.com/2010/06/03/the-google-microsoft-security-dust-up-and-the-marketing-genius-behind-the-scenes/#comments</comments>
		<pubDate>Thu, 03 Jun 2010 18:43:49 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[Operation Aurora]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=728</guid>
		<description><![CDATA[I have watched in amusement as people have responded to the claims by Google that they will no longer use the Microsoft operating systems because of the alleged security problems with the MS software.  There are some painfully obvious elements of genius by Google here that people are simply missing in the hysteria: Genius Idea [...] ]]></description>
			<content:encoded><![CDATA[<p>I have watched in amusement as people have responded to the claims by Google that they will no longer use the Microsoft operating systems because of the alleged security problems with the MS software.  There are some painfully obvious elements of genius by Google here that people are simply missing in the hysteria:</p>
<ul>
<li>Genius Idea #1:  Google is introducing an operating system, Chrome OS, by the end of the year.  So of course they need to move their staff to Google products and, more specifically, away from the Microsoft products.  Given Google is smart enough not to move their entire operations to a new OS on day one, they can get off of MS now to Linux or Mac OS to eliminate the PR ambiguity.  In other words, they cut the MS cord without putting all of their operational chips on the Google OS square.  Genius.</li>
<li>Genius Idea #2:  Where is the official statement by Google?  Everything I have read had quotes from “one Google employee”.   They get the word out, enjoy all of the publicity, and keep their executive team free from any involvement.   There are no defamation suits to file and no one at Google for Microsoft to attack in the press.  Genius.</li>
<li>Genius Idea #3:  Google’s decision means that any other company that wants to move away from Microsoft no longer has to bear the risk of going first.  Google is a respected (well, they keep trying to screw that up) technology leader.  If they can ditch MS, then so can any other company.  Genius.</li>
<li>Genius Idea #4:  They have clearly planted the flag on why organizations will want to look at the Chrome OS – security.  It is unlikely that the Chrome OS will have a wealth of differentiating OS features, so Google needed to create a clear reason to make the switch.  Declaring (albeit through “one Google employee”) the move is security based and pulling in the Operation Aurora buzz as a catalyzing factor, Google has kick-started the brand for Chrome OS.  Genius.</li>
</ul>
<p>I wear many hats at Triumfant – CMO, product management, product marketing – but when I look at this from a marketing point of view I am really impressed by this move.  Google has managed to make multiple strategic moves at near zero costs and no “official” entanglements.  They create buzz, establish some brand awareness, and begin the “eat our own dog food” process with some perceptive guerrilla marketing.  Genius.</p>
<p>I have long contended that the disclaimer at the end of erectile dysfunction medicine commercials was added not by legal but by marketing.  You know, the disclaimer about certain conditions lasting longer than four hours.  The marketing person likely said “You really want everyone to remember this commercial? Then put in this disclaimer and everyone will be talking about it.”   It worked.  Genius.</p>
<p>So today the blogosphere and Twitterverse is buzzing loudly with the Google move.  Bravo Google marketing person.  Well done.  Genius.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/operation-aurora/'>Operation Aurora</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/06/03/the-google-microsoft-security-dust-up-and-the-marketing-genius-behind-the-scenes/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>The Advanced Persistent Threat Means We Need a Third Bucket</title>
		<link>http://blog.triumfant.com/2010/05/25/the-advanced-persistent-threat-means-we-need-a-third-bucket/</link>
		<comments>http://blog.triumfant.com/2010/05/25/the-advanced-persistent-threat-means-we-need-a-third-bucket/#comments</comments>
		<pubDate>Tue, 25 May 2010 15:47:34 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[zero day malware]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[U.S. Cyber Security]]></category>
		<category><![CDATA[advanced persistent threat]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=713</guid>
		<description><![CDATA[Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a [...] ]]></description>
			<content:encoded><![CDATA[<p>Gartner has always taken a simplistic approach to dividing their analysts in the consulting practice:  keep the bad guys out (defense) and let the good guys in (access).  I have no quarrel with these two buckets and they have made sense for some time, but I respectfully believe it is time the industry accepts a broader reality and adds a third bucket that addresses when the adversary has thwarted the first two buckets, which is happening with alarming frequency.</p>
<p>I was at the Capital Connection Show last week and had the pleasure to attend a luncheon roundtable discussion that included Gary Gagnon of MITRE and Debora Plunkett, NSA&#8217;s Information Assurance Director.  I found it interesting that the call to arms was not for better shields but for a better understanding of how to detect and eradicate adversaries that have made it through the defenses.  It was clearly a pragmatic view that offense is always ahead of defense, and that a continued emphasis on chasing the perfect shield was no longer viable.  Regardless of whether you like the term, the <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> is a reality, and the advanced persistent adversary is now organized, competent, and highly motivated.</p>
<p>Unfortunately, the IT security industry formed in a simpler time when the two buckets of defense and access were enough.  The entrenched thinking and alignment of products into these buckets have seemingly left no room for a third bucket.  When we brief the analysts or the press it is clear that while they understand what Triumfant does and the value our solution represents, there is a struggle to process the information because we do not neatly fit into a bucket or one of the sub-classifications in those buckets. I fear that it actually puts Triumfant at a disadvantage even though we effectively fill critical gaps in endpoint security and configuration management.</p>
<p>There is an interesting corollary when one looks at the evolution of the defense of the United States over the past 30 years.  When I entered the professional workforce in 1981 at what was then Martin Marietta, the U.S. Armed Forces focused on fighting a broad, land-based conflict in Eastern Europe against the Soviet Bloc.  For those too young to remember, military vehicles and uniforms were not desert khaki, but green.</p>
<p>Ten years later, America was fighting the first Gulf War and the military was scrambling to find khaki and brown paint – literally.  Military vehicles would pass on the highways and you could see they were hastily painted from forest green to desert brown.  Many of the vehicles and weapons built for the woods of Eastern Europe were not so effective in this new theatre.  The adversary was also different in nearly every aspect.  So we quickly found that our strategies and techniques had to be completely reset.  In spite of these challenges, the public was served multiple images of the sophistication of our weapons, creating a sense of confidence that our military superiority would shield our home soil from aggression.</p>
<p>Ten more years later, on September 11, 2001, I stood at a window on the 27<sup>th</sup> floor of a high-rise office building in mid-town Manhattan as my brain struggled to process the data from my eyes while I watched the first of the Twin Towers of the World Trade Center shudder and fall.  The enemy was no longer in some far away land most of us would never see; the enemy was among us.  The enemy had in fact lived among us, and we had trained them to have the skills to perform their acts of aggression.  Iconic buildings on our own soil had been attacked, and non-combatants were killed.</p>
<p>I did watch both towers fall, and I can assure you I do not invoke 9/11 lightly or use it as a casual metaphor.  That day the United States understood that defense was no longer about keeping the bad guys out, because they were already in.  The nation was forced to completely rethink security, come to grips with finding and removing embedded adversaries, and admit to the hard truth that there was no way to completely secure the perimeter.  The myth of the shield fell in the flames of the WTC and the Pentagon.</p>
<p>We are at that place with IT security and have been for some time.  The pragmatic know this and are well on their way to addressing the problem.  But the industry itself and many within organizations and government agencies are stuck on the concept of perfecting shields rather than dealing with the cold harsh reality of an adversary that has long since found ways to penetrate those shields in a targeted and systematic way at a rate that increases daily.</p>
<p>The larger, incumbent security software companies that started with shields predictably hold onto the premise and respond to problems by introducing new shields that the bad guys soon evade.  Organizations buy into the story because it simply feels better to think about keeping the bad guys out than admitting they have long since found their way in.  They rest on reports from AV software that show increasing <a href="http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/">detection statistics</a> that create a false sense of security, because there are no statistics on what is getting through.  Yet outside statistics prove conclusively that things are getting through.</p>
<p>Folks, the world has changed and there is no denying it nor can we turn back the clock.  There has to be a third bucket that addresses what we do when the bad guys get past our defenses and infiltrate our systems.  My problem – I don’t have a good name for the bucket, so I am open to suggestions.  Regardless of what we call it, it is time to face the uncomfortable truth and adjust our thinking accordingly.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/us-cyber-security/'>U.S. Cyber Security</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/25/the-advanced-persistent-threat-means-we-need-a-third-bucket/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Maintaining a State of Zen in the Face of the Matousec KHOBE Attack</title>
		<link>http://blog.triumfant.com/2010/05/17/maintaining-a-state-of-zen-in-the-face-of-the-matousec-khobe-attack/</link>
		<comments>http://blog.triumfant.com/2010/05/17/maintaining-a-state-of-zen-in-the-face-of-the-matousec-khobe-attack/#comments</comments>
		<pubDate>Mon, 17 May 2010 13:24:38 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[zero day malware]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[Matousec Attack]]></category>
		<category><![CDATA[KHOBE Attack]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=709</guid>
		<description><![CDATA[I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have [...]]]></description>
			<content:encoded><![CDATA[<p>I have reached a nirvana of sorts during my tenure with Triumfant.  First, we have a product that is truly and completely differentiated from any other endpoint protection product in the security market.   If you know how noisy, undifferentiated and confusing the security market is, you know that is a strong statement.  Second, I have the comfort of knowing that our product’s differentiation puts us in a position where the market moves toward us daily.</p>
<p>Which brings me to the Matousec dust-up of last week.  For those of you who missed the fun, Matousec.com published a paper describing an attack that bypassed over 30 broadly used endpoint security programs.  The paper (found <a href="http://www.matousec.com/info/articles/khobe-8.0-earthquake-for-windows-desktop-security-software.php">here</a>) describes an attack Matousec calls KHOBE (Kernel HOok Bypassing Engine), which goes by the more generic description of an argument-switch attack.</p>
<p>I won’t restate the particulars (good article with more details in the Register <a href="http://www.theregister.co.uk/2010/05/07/argument_switch_av_bypass/">here</a>), but the general gist of the attack is a race condition.  Security products that hook system calls (classically by patching the SSDT) inspect the call’s arguments while those arguments still sit in the calling program’s user-mode memory.  The hook is shown a benign argument, say a harmless file path or object name, and waves the call through; a second thread then overwrites that same memory in the instant between the hook’s check and the original kernel routine’s use of it, so the kernel acts on a value the security product never inspected.  In other words, it is a time-of-check-to-time-of-use (TOCTOU) race against a double fetch of user memory, which is why the generic name is an argument-switch attack.  The attack is more reliable on multi-core machines, where the switching thread runs truly in parallel with the hooked call.  It should be noted that, at the time of writing, this attack is strictly a lab demonstration and has not been reported in the wild.  Matousec did test a broad spectrum of AV products and reports the following (emphasis by Matousec): “If a product uses SSDT hooks or other kind of kernel mode hooks on similar level to implement security features it is vulnerable. In other words, <strong>100 % of the tested products were found vulnerable.</strong>”  Included in that list were Symantec, McAfee, Trend Micro, Kaspersky, Sophos and the other usual suspects.</p>
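<p>To make the race concrete, here is an added example (my own illustration, not Matousec’s KHOBE code, not the Register’s, and not Triumfant’s) that models the argument-switch race in plain user-mode C.  Everything in it is a stand-in: the “hook”, the “original syscall”, the policy and the paths are invented for illustration, and nothing is actual Windows kernel code.  It shows a hook that validates a caller-supplied path in place and then hands the same pointer on (two fetches of user memory), beside the hardened form that copies the argument into its own memory once and checks and uses only the copy, which is the standard capture-then-validate discipline for kernel code handling user-mode arguments.  A deterministic worst-case interleaving proves the point; a real two-thread race then shows how often it lands on your machine.</p>

```c
/*
 * Added example: a user-mode model of the KHOBE-style argument-switch
 * (TOCTOU) race against a system-call hook. All names, paths and the
 * "policy" are invented stand-ins; this is not real kernel code.
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define PATH_LEN 64
#define DRIVERS_DIR  "C:\\Windows\\System32\\drivers\\"
#define BLOCKED_PATH DRIVERS_DIR "evil.sys"        /* what the attacker wants  */
#define ALLOWED_PATH "C:\\Users\\jim\\notes.txt"   /* what the hook is shown   */

/* The syscall's argument block, living in the caller's (attacker's) memory. */
struct user_args { char path[PATH_LEN]; };

/* Stand-in for the scheduler preempting the hook between its check and the
 * original routine's use of the argument. NULL during the threaded race;
 * worst_case() points it at the attacker's write to force the interleaving. */
static void (*preempt_point)(struct user_args *) = NULL;

static void preempt(const struct user_args *ua) {
    if (preempt_point) preempt_point((struct user_args *)ua); /* attacker owns this memory */
    atomic_signal_fence(memory_order_seq_cst); /* compiler barrier: keep both reads of ua->path */
}

/* Policy the hook enforces: nothing may touch the drivers directory. */
static bool policy_allows(const char *path) {
    return strncmp(path, DRIVERS_DIR, strlen(DRIVERS_DIR)) != 0;
}

/* The original (un-hooked) routine: fetches the argument block itself.
 * Returns 1 if it ended up acting on a path the policy forbids. */
static int original_syscall(const struct user_args *ua) {
    return policy_allows(ua->path) ? 0 : 1;
}

/* Vulnerable SSDT-style hook: validates the argument *in user memory*, then
 * passes the same pointer on, so the original routine fetches it a second time. */
static int vulnerable_hook(const struct user_args *ua) {
    if (!policy_allows(ua->path)) return 0;   /* denied: nothing happens      */
    preempt(ua);                              /* ...the attacker's thread runs */
    return original_syscall(ua);              /* second fetch sees the switch  */
}

/* Hardened hook: one fetch into hook-owned memory; check and use the copy. */
static int hardened_hook(const struct user_args *ua) {
    struct user_args copy;
    memcpy(&copy, ua, sizeof copy);           /* the only read of user memory */
    if (!policy_allows(copy.path)) return 0;
    preempt(ua);                              /* attacker may write; we no longer look */
    return original_syscall(&copy);
}

static void attacker_write(struct user_args *ua) { strcpy(ua->path, BLOCKED_PATH); }

/* Deterministic worst case: the attacker's write lands exactly between the
 * hook's check and the original routine's read. Returns 1 if the original
 * routine acted on the blocked path. */
static int worst_case(int (*hook)(const struct user_args *)) {
    struct user_args args = {{0}};
    strcpy(args.path, ALLOWED_PATH);
    preempt_point = attacker_write;
    int hit = hook(&args);
    preempt_point = NULL;
    return hit;
}

/* Real race: a second thread flips the argument block back and forth while
 * the hook is called `rounds` times. Returns how many rounds the original
 * routine acted on the blocked path. (The data race is deliberate; it IS the attack.) */
struct race { struct user_args *args; atomic_bool stop; };

static void *switcher(void *p) {
    struct race *r = p;
    while (!atomic_load(&r->stop)) {
        strcpy(r->args->path, BLOCKED_PATH);
        strcpy(r->args->path, ALLOWED_PATH);
    }
    return NULL;
}

static int race_hook(int (*hook)(const struct user_args *), int rounds) {
    struct user_args args = {{0}};
    strcpy(args.path, ALLOWED_PATH);
    struct race r;
    r.args = &args;
    atomic_init(&r.stop, false);
    pthread_t t;
    if (pthread_create(&t, NULL, switcher, &r) != 0) return -1;
    int hits = 0;
    for (int i = 0; i < rounds; i++) hits += hook(&args);
    atomic_store(&r.stop, true);
    pthread_join(t, NULL);
    return hits;
}

int main(void) {
    printf("worst-case interleaving: vulnerable=%d hardened=%d\n",
           worst_case(vulnerable_hook), worst_case(hardened_hook));
    printf("200000 racing calls: vulnerable hook let the blocked path through %d times, hardened %d times\n",
           race_hook(vulnerable_hook, 200000), race_hook(hardened_hook, 200000));
    return 0;
}
```

<p>The hit count for the vulnerable hook in the threaded run depends on core count and scheduling (it can be zero on a single core, and large on a multi-core box), which is exactly the multi-core observation above; the hardened hook reports zero every time because the value it validated is the only value it ever uses.  The lesson for anyone writing or evaluating a kernel-mode shield is the same as the fix: capture user-supplied arguments once, into memory the attacker cannot reach, before the check, and never re-read the original.</p>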
<p>Several of the AV companies have gone on the defensive and responded by noting that the attack is complex and would be difficult to execute in the wild.  Others have noted that it is plausible that known exploits in commonly used programs such as Adobe Reader could turn that software into a delivery vehicle for the malicious code payload needed to execute the KHOBE attack.  Note the precondition hidden in that debate: the switch is performed by a thread in a process already running on the machine, so KHOBE is a way to slip past the shield once the attacker is on the box, not a way onto the box.</p>
<p>As for me, I sit in a zen like state, calmly observing the fuss.  Because KHOBE is just the latest, albeit technically progressive, technique for evading defensive shields and getting a malicious payload to the machine.  My zen comes from knowing that Triumfant would be there after KHOBE did all of its complex machinations.  In spite of the technical sophistication of the argument-switch attack, the end result is the same basic trigger – the endpoint will be changed, and we will detect the change, and then we will step in to protect the machine.  Triumfant waits in an equally blissful state of zen, completely unaffected by the sophistication (or lack of sophistication) that got the attack to the machine.</p>
<p>My zen state is only deepened by the knowledge that even if this attack never makes it into the wild, it is a harbinger of new attacks being developed as we speak.  We just passed the ten-year anniversary of the ILOVEYOU worm that rocked the world in May 2000.  Looking back now it seems rather quaint in the context of the malware we face today.  I am quite sure KHOBE is an example of the same phenomenon – except it will look quaint in 2 to 3 years instead of 10.</p>
<p>The bottom line is what I have said in numerous posts (<a href="http://blog.triumfant.com/2009/08/26/it-is-raining-and-you-will-get-wet/">here</a> and <a href="http://blog.triumfant.com/2010/04/20/defense-in-depth-there-is-no-perfect-shield/">here</a>) – attacks will get through your shields.  Write it in stone, because that fact will never change.  Ever.  It is the one absolute you can bank on.  That absolute is the source of my zen state because we provide a really unique and interesting solution that will detect what gets through the shields and restore attacked machines to pre-attack condition in less than five minutes.  This capability is that unique differentiation I spoke about earlier.</p>
<p>The term Nirvana is often defined as “a state of total bliss or happiness”.  I am not happy that organizations are being attacked and I find no bliss in seeing new attacks such as the argument-switch attack being created.  Quite the opposite: my bliss comes from knowing I have the right solution at the right time, and that we can help organizations protect their intellectual property and sensitive data as the complexity and volume of attacks continues to grow. We do not promise a sense of zen, but Triumfant sure can help protect you against whatever new attacks are created to evade your defenses.  And just maybe you will find a little more peace along the way.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/khobe-attack/'>KHOBE Attack</a>, <a href='http://blog.triumfant.com/tag/matousec-attack/'>Matousec Attack</a>, <a href='http://blog.triumfant.com/tag/zero-day-malware/'>zero day malware</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/17/maintaining-a-state-of-zen-in-the-face-of-the-matousec-khobe-attack/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>The Worldwide Malware Signature Counter &#8211; A One Year Report Card</title>
		<link>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/</link>
		<comments>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/#comments</comments>
		<pubDate>Tue, 04 May 2010 13:56:05 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>
		<category><![CDATA[advanced persistent threat]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=704</guid>
		<description><![CDATA[About a year ago we had the idea of the Worldwide Malware Signature Counter as a graphical representation of how the reliance on previous knowledge of attacks for detection was no longer a serviceable approach for protecting endpoint machines.  Much of the actual data used to build the math behind the filter (yes, it has [...]]]></description>
			<content:encoded><![CDATA[<p>About a year ago we had the idea of the <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Signature Counter</a> as a graphical representation of how the reliance on previous knowledge of attacks for detection was no longer a serviceable approach for protecting endpoint machines.  Much of the actual data used to build the math behind the filter (yes, it has thoughtfully constructed, sound mathematical principles behind it) was taken from the <a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_15">Symantec Internet Security Threat Report (ISTR)</a>.  Since Symantec just released the annual update to that report, it seemed an appropriate time to look back at the counter and see how well our analysis held up a year later.</p>
<p>All things considered, the counter was remarkably accurate.  Charting both the year-over-year and cumulative signature counts through 2008, we concluded that new signatures were growing at 60% of the cumulative rate on an annual basis.  This proved to be a bit aggressive, as Symantec’s actual numbers showed 2009 growth to be 51% of the cumulative number, or just under 2.9M new signatures.   But because we conceived the counter to be instructional and not hyperbole, we built the calculations on the conservative side and the counter in fact lagged just slightly behind the actual numbers reported by Symantec throughout the year and eventually in the ISTR.</p>
<p>When I first did the math on the numbers from the ISTR in 2009, I was struck by how the signature numbers broke down as a practical drag on the resources of the AV companies.   Of course a 51% increase year-over-year only exacerbates the problem.  Using the numbers from the recent ISTR, that burden translates to 241,316 signatures per month, roughly 7,934 signatures per day, 5.5 signatures per minute, and ultimately about one signature every 11 seconds.  It is a model that is simply not sustainable, and by every indication, it will only get worse.</p>
<p>The bigger question after a year is “so what?”.  Well, the language from the AV vendors has certainly changed.  In fact, the following is a direct quote from the Symantec document:</p>
<p><em>Signature-based detection is lagging behind the creation of malicious threats—something which makes newer antivirus technologies and techniques, such as behavioral-based detection, increasingly important. …. This trend suggests that security technologies that rely on signatures should be complemented with additional heuristics, behavioral monitoring techniques, and reputation-based security. </em>(page 48, Symantec Global Internet Threat Report &#8211; Trends for 2009,  Volume XV, Published April 2010)</p>
<p>During his keynote at this year&#8217;s RSA, Symantec CEO Enrique Salem was quoted as saying “Traditional signature-based approaches to security are not keeping up.”  Of course, such admissions are directly colored by the alternative technologies the AV companies recently introduced to the market after ignoring calls from the rest of the industry for alternative detection methods.  But at least they have stepped away from their defense of signature based AV in the face of all evidence to the contrary.  I am not claiming they were driven to such mea culpas by our signature counter, but I do think we helped point out the issue.</p>
<p>Unfortunately, while organizations have also come to terms with the limitations of signature based AV, many are adopting the alternatives provided by the AV vendors instead of looking to more promising technologies.  Symantec brought Quorum to the market, so reputation based security is their answer.  McAfee bought a whitelisting technology so – surprise! – whitelisting is their answer.  I guess I was hoping that organizations would see past the entrenched vendors for alternatives given that these vendors were so slow to come to terms with the signature problem, but factors such as risk avoidance have <a href="http://blog.triumfant.com/2010/03/23/face-to-face-with-a-zealot-why-innovation-gets-throttled/">suppressed some innovative alternatives</a> from getting play.</p>
<p>Meanwhile, the counter continues to increment, and recently passed 7 million signatures on pace to add over 4 million signatures for 2010.  I was recently asked if we planned on retiring the counter given the shift in sentiment toward signature based AV.  We still see enough executives and security people that don’t yet understand the problem, so the counter will live on to help us make the point.</p>
<p>So in regards to a grade, how about a gold star for creativity, an &#8220;A&#8221; for the math, and an &#8220;I&#8221; (incomplete) for changing the world.</p>
<br /> Tagged: <a href='http://blog.triumfant.com/tag/advanced-persistent-threat/'>advanced persistent threat</a>, <a href='http://blog.triumfant.com/tag/endpoint-protection/'>endpoint protection</a>, <a href='http://blog.triumfant.com/tag/endpoint-security/'>Endpoint Security</a>, <a href='http://blog.triumfant.com/tag/symantec-internet-security-threat-report/'>Symantec Internet Security Threat Report</a>, <a href='http://blog.triumfant.com/tag/worldwide-malware-counter/'>Worldwide Malware Counter</a>]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
	</channel>
</rss>