<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:georss="http://www.georss.org/georss" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:media="http://search.yahoo.com/mrss/"
	>

<channel>
	<title>Triumfant Blog &#187; Symantec Internet Security Threat Report</title>
	<atom:link href="http://blog.triumfant.com/tag/symantec-internet-security-threat-report/feed/" rel="self" type="application/rss+xml" />
	<link>http://blog.triumfant.com</link>
	<description>Cyber Security and all things Triumfant</description>
	<lastBuildDate>Wed, 01 Sep 2010 12:06:12 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.com/</generator>
<cloud domain='blog.triumfant.com' port='80' path='/?rsscloud=notify' registerProcedure='' protocol='http-post' />
<image>
		<url>http://1.gravatar.com/blavatar/37f395d2ea712a95a83ee12d3bfd7c00?s=96&#038;d=http://s2.wp.com/i/buttonw-com.png</url>
		<title>Triumfant Blog &#187; Symantec Internet Security Threat Report</title>
		<link>http://blog.triumfant.com</link>
	</image>
	<atom:link rel="search" type="application/opensearchdescription+xml" href="http://blog.triumfant.com/osd.xml" title="Triumfant Blog" />
	<atom:link rel='hub' href='http://blog.triumfant.com/?pushpress=hub'/>
		<item>
		<title>1.6 Reasons Why Triumfant&#8217;s Automated Remediation Approach is Superior</title>
		<link>http://blog.triumfant.com/2010/08/16/1-6-reasons-why-triumfants-automated-remediation-approach-is-superior/</link>
		<comments>http://blog.triumfant.com/2010/08/16/1-6-reasons-why-triumfants-automated-remediation-approach-is-superior/#comments</comments>
		<pubDate>Mon, 16 Aug 2010 17:52:46 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Compliance and Configuration Management]]></category>
		<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[automated remediation]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=765</guid>
		<description><![CDATA[Remediation is becoming a hot topic and already the FUD is flying.  Of course, we are excited about our remediation story and I am often asked why our approach to remediation is different from others on the market.  Let me see if I can help by borrowing a statistic. I was at a meeting at [...]]]></description>
			<content:encoded><![CDATA[<p>Remediation is becoming a hot topic and already the FUD is flying.  Of course, we are excited about our remediation story and I am often asked why our approach to remediation is different from others on the market.  Let me see if I can help by borrowing a statistic.</p>
<p>I was at a meeting at Symantec headquarters on Friday where Francis deSouza, senior vice president of the Enterprise Security Group at Symantec, was first on the agenda.  In his presentation, deSouza noted that Symantec research indicated that attacks are morphing so quickly that any given variation of an attack is used against 1.6 machines before a new variant appears.</p>
<p>Most companies (maybe everyone but Triumfant) take an approach to remediation that relies on previously written scripts matched to detected attacks.  This approach of course means that scripts can only be written for known attacks.  While there are some generic approaches that may apply to previously unknown attacks, for any moderately complex unknown attack there will likely be no remediation script.</p>
<p>Now let us put deSouza’s statistic to work in the discussion about remediation.  If we put the script-based approach in the context of deSouza’s statistic, we can conclude that any remediation script is good for 1.6 machines.  That makes sense: if the attack is morphing, it follows that the remediation needs would also change.  A new variant requires a new script.</p>
<p>I am already reluctant to believe that any pre-written script can be completely effective for attacks of even moderate complexity, because attacks may cause varying primary and secondary damage based on the unique combination of factors for any given machine, such as OS version, installed applications, and differences in configuration.  Add the restriction to previously known attacks and Mr. deSouza’s statistic, and the logical conclusion is that scripted remediations will fall short.  Even if a script does apply, it is reasonable to doubt that the script is capable of remediating the machine without leaving one or more artifacts that will keep the machine vulnerable.  This doubt normally translates to organizations re-imaging the machine as a matter of standard practice.</p>
<p>There are other differences, such as the need for context.  For example, a process may be part of an attack.  A generic script may mark that process for deletion when it may be a process shared by other benign applications.  A script would have to either shoot it on sight, potentially corrupting other applications, or contain the logic required to know what other applications share the process and then have the ability to determine whether those applications were installed on the machine.  Accounting for every “except for” would certainly be a challenge.</p>
<p>Triumfant constructs a remediation that is specific to the identified incident for that machine and requires no previous knowledge to build this remediation.  We correlate all of the changes to the machine to build a remediation so complete you should not have to reimage the machine.  The remediation is surgical, contextual and specific.  As a bonus, our remediations can leverage our patent pending donor technology to restore deleted or corrupted files.</p>
<p>There is <a href="http://blog.triumfant.com/2010/06/14/triumfants-automated-remediation-not-voodoo-sensible-can-do/">more</a>, but I feel like the point has been made and anything else would be showing off.  The difference between common remediation solutions and Triumfant’s approach is profound.  Now I need to figure out how you attack 0.6 of a machine.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/08/16/1-6-reasons-why-triumfants-automated-remediation-approach-is-superior/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>The Worldwide Malware Signature Counter &#8211; A One Year Report Card</title>
		<link>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/</link>
		<comments>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/#comments</comments>
		<pubDate>Tue, 04 May 2010 13:56:05 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>
		<category><![CDATA[advanced persistent threat]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=704</guid>
		<description><![CDATA[About a year ago we had the idea of the Worldwide Malware Signature Counter as a graphical representation of how the reliance on previous knowledge of attacks for detection was no longer a serviceable approach for protecting endpoint machines.  Much of the actual data used to build the math behind the filter (yes, it has [...]]]></description>
			<content:encoded><![CDATA[<p>About a year ago we had the idea of the <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Signature Counter</a> as a graphical representation of how the reliance on previous knowledge of attacks for detection was no longer a serviceable approach for protecting endpoint machines.  Much of the actual data used to build the math behind the filter (yes, it has thoughtfully constructed, sound mathematical principles behind it) was taken from the <a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=threat_report_15">Symantec Internet Security Threat Report (ISTR)</a>.  Since Symantec just released the annual update to that report, it seemed an appropriate time to look back at the counter and see how well our analysis held up a year later.</p>
<p>All things considered, the counter was remarkably accurate.  Charting both the year-over-year and cumulative signature counts through 2008, we concluded that new signatures were growing at 60% of the cumulative rate on an annual basis.  This proved to be a bit aggressive, as Symantec’s actual numbers showed 2009 growth to be 51% of the cumulative number, or just under 2.9M new signatures.   But because we conceived the counter to be instructional and not hyperbole, we built the calculations on the conservative side and the counter in fact lagged just slightly behind the actual numbers reported by Symantec throughout the year and eventually in the ISTR.</p>
<p>When I first did the math on the numbers from the ISTR in 2009, I was struck by how the signature numbers broke down as a practical drag on the resources of the AV companies.   Of course, adding 51% to the cumulative total in a single year only exacerbates the problem.  Using the numbers from the recent ISTR, that burden translates to 241,316 signatures per month, roughly 7,934 signatures per day, 5.5 signatures per minute, and ultimately one signature roughly every 11 seconds.  It is a model that is simply not sustainable, and by every indication, it will only get worse.</p>
<p>The bigger question after a year is “so what?”.  Well, the language from the AV vendors has certainly changed.  In fact, the following is a direct quote from the Symantec document:</p>
<p><em>Signature-based detection is lagging behind the creation of malicious threats—something which makes newer antivirus technologies and techniques, such as behavioral-based detection, increasingly important. …. This trend suggests that security technologies that rely on signatures should be complemented with additional heuristics, behavioral monitoring techniques, and reputation-based security. </em>(page 48, Symantec Global Internet Threat Report &#8211; Trends for 2009,  Volume XV, Published April 2010)</p>
<p>During his keynote at this year&#8217;s RSA, Symantec CEO Enrique Salem was quoted as saying “Traditional signature-based approaches to security are not keeping up.”  Of course, such admissions are directly colored by the alternative technologies the AV companies recently introduced to the market after ignoring calls from the rest of the industry for alternative detection methods.  But at least they have stepped away from their defense of signature-based AV in the face of all evidence to the contrary.  I am not claiming they were driven to such mea culpas by our signature counter, but I do think we helped point out the issue.</p>
<p>Unfortunately, while organizations have also come to terms with the limitations of signature-based AV, many are adopting the alternatives provided by the AV vendors instead of looking to more promising technologies.  Symantec brought Quorum to the market, so reputation-based security is their answer.  McAfee bought a whitelisting technology so – surprise! – whitelisting is their answer.  I guess I was hoping that organizations would see past the entrenched vendors for alternatives, given that these vendors were so slow to come to terms with the signature problem, but factors such as risk avoidance have <a href="http://blog.triumfant.com/2010/03/23/face-to-face-with-a-zealot-why-innovation-gets-throttled/">suppressed some innovative alternatives</a> from getting play.</p>
<p>Meanwhile, the counter continues to increment, and recently passed 7 million signatures on pace to add over 4 million signatures for 2010.  I was recently asked if we planned on retiring the counter given the shift in sentiment toward signature based AV.  We still see enough executives and security people that don’t yet understand the problem, so the counter will live on to help us make the point.</p>
<p>So in regards to a grade, how about a gold star for creativity, an &#8220;A&#8221; for the math, and an &#8220;I&#8221; (incomplete) for changing the world.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/05/04/the-worldwide-malware-signature-counter-a-one-year-report-card/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Antivirus Detection Rates &#8211; Undetected Attacks Are Still Attacks</title>
		<link>http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/</link>
		<comments>http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/#comments</comments>
		<pubDate>Mon, 26 Apr 2010 12:29:05 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>
		<category><![CDATA[Maliciously Intended Insider]]></category>
		<category><![CDATA[antivirus detection rates]]></category>
		<category><![CDATA[advanced persistent threat]]></category>
		<category><![CDATA[malware detection rates]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=694</guid>
		<description><![CDATA[I came across an article in The Business Times this morning that contained a quote that caught my eye.  The article was called “Singapore a growing platform for cyber attacks on region” which talked about the growing number of cyber attacks originating in Singapore.  In the article there was a definition attributed to Symantec: “By [...]]]></description>
			<content:encoded><![CDATA[<p>I came across an article in <em>The Business Times</em> this morning that contained a quote that caught my eye.  The article was called “<a href="http://www.businesstimes.com.sg/sub/views/story/0,4574,382870,00.html">Singapore a growing platform for cyber attacks on region</a>” which talked about the growing number of cyber attacks originating in Singapore.  In the article there was a definition attributed to Symantec:</p>
<p>“By Symantec&#8217;s definition, an attack denotes any malicious activity carried out over a network that has been detected by a firewall, intrusion detection or prevention systems.”</p>
<p>Obviously, the word that stuck out in this definition was “detected”.  Why?  Because I have news for you – malicious activity that goes undetected is also an attack.  In fact, I would say that undetected attacks would be placed in a higher tier of the definition, because Rule One of criminal behavior is <strong>Don’t Get Caught</strong>.  Attacks that would fall under the characterization of an <a href="http://blog.triumfant.com/2010/01/27/advanced-persistent-threat-solution-no-effective-detection-yes/">Advanced Persistent Threat</a> are engineered to evade detection and are very much an attack.</p>
<p>(This reminds me of one of my favorite movie scenes.  In <em>Stripes</em>, Harold Ramis and Bill Murray are sitting in the Army recruitment office and the recruiter asks them if they have “ever been convicted of a felony?”.  Bill Murray’s response: “Convicted?”.)</p>
<p>In fairness to Symantec, I am not sure whether this quote from the article was paraphrased or misquoted, and I am not out to pick on Symantec.  What I do want to point out is a huge flaw in how the industry measures malicious activity.  Let me explain.</p>
<p>Both AV software vendors and internal security groups often report on what was detected.  Makes sense, right?  If you could count undetected attacks they would instantly become detected attacks.  But according to the Symantec Internet Security Threat Report: “Symantec created 2,895,802 new malicious code signatures in 2009, a 71 percent increase over 2008”.  It therefore makes sense that the number of detected attacks would go up in proportion to the number of available signatures.  An organization could be doing a worse job year over year at detecting attacks, but its raw volume of detected attacks would still go up, giving a perception of success.</p>
<p>Executives look at the bulk score and are mollified that the organization is protected.  But if the number of attacks grew by 71%, the number of attacks detected by the organization had better track that same 71% or the organization is losing ground.  If you think it through, even that 71% may be deceiving, because what Symantec and the other AV vendors don’t tell you is how long your organization was exposed between when the attack was first introduced and when they finally detected it and wrote a signature.  It could have been six hours, but it could also have been six months.</p>
<p>In short, gauging success from bulk detection numbers is a quick way to obfuscate the real risk to any organization.  But if you are selling a shield that has known flaws, it is a great way to use the steadily growing malware volume to present either software or organizational effectiveness in a successful light.</p>
<p>Because Triumfant uses change detection to identify malicious attacks, we have always been open about the limits of our ability to see attacks that were already resident before we were installed.  That being said, soon after installation we inevitably see anomalies that are artifacts of attacks that had already passed through the organization’s shields.  Once installed, we readily detect whatever does make it through those shields, as well as attacks carried out by maliciously intended insiders.  It is eye opening to the organization just how many attacks have gotten, and are getting, through.</p>
<p>Don’t let yourself be lulled to sleep by bulk detection rate numbers.  <a href="http://blog.triumfant.com/2009/08/26/it-is-raining-and-you-will-get-wet/">A lot of attacks are getting through</a>, so counting detected attacks is potentially a false gauge of success.</p>
]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2010/04/26/antivirus-detection-rates-undetected-attacks-are-still-attacks/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>It is Raining and You Will Get Wet</title>
		<link>http://blog.triumfant.com/2009/08/26/it-is-raining-and-you-will-get-wet/</link>
		<comments>http://blog.triumfant.com/2009/08/26/it-is-raining-and-you-will-get-wet/#comments</comments>
		<pubDate>Wed, 26 Aug 2009 13:18:12 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Maliciously Intended Insider]]></category>
		<category><![CDATA[peer-to-peer]]></category>
		<category><![CDATA[Rootkits]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=458</guid>
		<description><![CDATA[Ever walk down the street on a rainy day?  You can have the best umbrella in the world and you will still get wet.  When I get asked the question “why do I need Triumfant when I have other defensive software?” the answer is found in that rainy walk – because you will still get [...]]]></description>
			<content:encoded><![CDATA[<p>Ever walk down the street on a rainy day?  You can have the best umbrella in the world and you will still get wet.  When I get asked the question “why do I need Triumfant when I have other defensive software?” the answer is found in that rainy walk – because you will still get wet.   Malicious stuff will get through your defensive shields and when it does you need something that will address these problems on your endpoint machines. </p>
<p style="text-align:center;"><img class="aligncenter size-full wp-image-463" title="YouWillGetWet" src="http://triumfant.files.wordpress.com/2009/08/youwillgetwet1.jpg?w=360&#038;h=328" alt="YouWillGetWet" width="360" height="328" /></p>
<p>Notice that I am not looking to convince you I have a better umbrella, because we never portray Triumfant as a shield.  Nor am I telling you to throw away your existing umbrella, because we never position Triumfant as a replacement for antivirus software, nor do we claim that having Triumfant means you no longer need AV.</p>
<p>But you do need to recognize it is raining and you will get wet.  I have touched on the proof points separately at times but I have never laid them end to end until now.  So here they are:</p>
<ul>
<li>It rains harder every day.  Symantec reported in their <em><a href="http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf">Global Internet Security Threat Report, 2009</a></em> that there were 1.6M new malware instances in 2008, exceeding the 1M counted for all previous years combined.  Both McAfee and Symantec show that this 1.6M number was passed sometime in mid-summer 2009.  If you graph the numbers you will see that they increase geometrically.  For example, McAfee saw twice as many attacks in the second half of 2008 as in the first half of that same year.</li>
<li>It is raining sideways more than ever.  McAfee Avert Labs <a href="http://www.avertlabs.com/research/blog/index.php/2009/07/22/malware-is-their-businessand-business-is-good/">noted in a recent blog post</a> that they see 6,000 new malware instances per day that pass through their signatures, generic filters and heuristics.  Extrapolating this number over an entire year gets you to over 2M attacks that pass through the traditional protections.</li>
<li>The rain comes from a different direction every second.  An <a href="http://blog.triumfant.com/2009/08/13/more-proof-that-signatures-are-unsustainable-malware-now-dies-before-a-signature-can-be-written/">August 13 article in SC Magazine</a> notes a study that found cyber criminals are now designing malware to last 24 hours before becoming inactive.  The study noted that 52 percent spread for just 24 hours, 19 percent last for two days, and 9 percent persist for three days.  Malware designers produce hundreds of unique samples that carry the malicious payload in order to evade detection.   Essentially, by the time the malware is detected, analyzed and a signature created, the cyber criminals have long since moved on.</li>
<li>The rain is straining the capacity of your umbrella.  A recent white paper called the <em><a href="http://www.cyveillance.com/web/docs/WP_CyberIntel_H1_2009.pdf">Cyber Intelligence Report, August 2009</a></em> by Cyveillance provided average daily detection rates for the period of 05/12/09 through 06/10/09.  Cyveillance fed active attacks consisting of confirmed malicious files they had detected on the Web into 13 of the top antivirus solutions and tracked the detection rates.  The results are, to say the least, eye opening, as the average detection rate reported was roughly 30 percent.</li>
</ul>
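<p>To make the measurement point concrete, here is an added example (not code from this blog, from Triumfant, or from any vendor named here).  It takes a small constructed corpus of confirmed-malicious samples, records when each of four hypothetical engines (A through D) first flagged each one, and reports per-engine detection rate, the samples every engine missed, the dwell time between first sighting and first detection, and a detection count normalised by threat volume, which is the “did we keep pace with the 71%” check from the Antivirus Detection Rates post above.  All dates, verdicts and counts are invented.</p>

```python
from datetime import date
from statistics import median

# Constructed ground-truth corpus for illustration: each confirmed-malicious
# sample carries the date it was first seen and, per engine, the date that
# engine first flagged it (None = never detected in the test window).
# These dates and verdicts are invented, not measured results.
SAMPLES = {
    "s1": ("2009-05-12", {"A": "2009-05-12", "B": "2009-05-14", "C": None, "D": None}),
    "s2": ("2009-05-13", {"A": None, "B": None, "C": "2009-05-20", "D": None}),
    "s3": ("2009-05-15", {"A": None, "B": None, "C": None, "D": None}),
    "s4": ("2009-05-18", {"A": "2009-05-18", "B": "2009-05-18", "C": "2009-05-19", "D": "2009-05-18"}),
    "s5": ("2009-05-20", {"A": None, "B": "2009-06-01", "C": None, "D": None}),
    "s6": ("2009-05-22", {"A": None, "B": None, "C": None, "D": None}),
    "s7": ("2009-05-25", {"A": "2009-05-25", "B": None, "C": None, "D": "2009-05-28"}),
    "s8": ("2009-06-01", {"A": None, "B": None, "C": None, "D": "2009-06-10"}),
}


def _d(iso):
    return date.fromisoformat(iso)


def detection_rates(samples):
    """Share of the known-bad corpus each engine eventually detected."""
    engines = sorted({e for _, verdicts in samples.values() for e in verdicts})
    return {
        e: sum(1 for _, v in samples.values() if v.get(e) is not None) / len(samples)
        for e in engines
    }


def undetected_by_all(samples):
    """Samples no engine ever flagged: attacks that never enter anyone's 'detected' count."""
    return sorted(s for s, (_, v) in samples.items() if not any(x is not None for x in v.values()))


def dwell_days(samples):
    """Days between first sighting and the earliest detection by any engine (detected samples only)."""
    out = {}
    for s, (seen, v) in samples.items():
        hits = [_d(x) for x in v.values() if x is not None]
        if hits:
            out[s] = (min(hits) - _d(seen)).days
    return out


def median_dwell(samples):
    return median(dwell_days(samples).values())


def ground_lost(det_prev, det_now, threats_prev, threats_now):
    """Relative change in detections per unit of threat volume between two periods.
    Negative means raw detections grew more slowly than the threat volume did."""
    return (det_now / threats_now) / (det_prev / threats_prev) - 1


if __name__ == "__main__":
    print("per-engine detection rate:", detection_rates(SAMPLES))
    print("missed by every engine:", undetected_by_all(SAMPLES))
    print("median dwell (days):", median_dwell(SAMPLES))
    # Raw detections up 40% while the threat volume rose 71% (the ISTR figure quoted above).
    print("normalised change:", round(ground_lost(1000, 1400, 1_000_000, 1_710_000), 3))
```

<p>The two numbers a reviewer of a detection programme should ask for are the last two: the samples missed by every engine only show up if someone maintains a ground-truth corpus independent of the engines (a sandbox feed, incident findings, a third-party test like the Cyveillance one), and a raw detection count that rises 40% while the threat volume rises 71% is a loss of roughly 18% in coverage, not a win.</p>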
<p>It is raining hard and relentlessly on your endpoints and sometimes it is coming down sideways.   But it is not just the traditional attack vectors that you must address in the fight for endpoint protection.  There are increasingly nasty rootkits that evade traditional defenses.  There are polymorphic attacks with rotating binaries that automatically morph themselves so they never look the same on any two machines.  There are new classes of attacks like drive-by SQL injections and registry-based attacks.  There is the work of the maliciously intended insider who either directly corrupts the machine or alters its defenses so it can be corrupted by outside influences.  There are new ways to subvert software assurance and the software supply chain to embed malicious code in what is thought to be trusted software.  And as always, there is the most nefarious problem of them all – the carbon-based life form installing peer-to-peer software, using Facebook, and going to Jessica Biel picture sites.  It is not just raining sideways, sometimes it must feel like it is raining up!</p>
<p>What is clear is that bad things will get past the traditional defenses to the endpoint, and it is time to consider what will protect your organization when that happens.  That is where we come in – we see the malicious attacks that make it to your endpoints: the stuff that falls through the other defenses, the zero-day attacks, the newest variations of existing attacks, and all of the attacks that come through exotic vectors that defensive endpoint security software may not yet address.  We build a normative whitelist of your environment and can tell you if something is installing that does not exist anywhere else in your environment.</p>
<p>And once we detect it, we can also remediate it.  The context provided by our patented analytics enables Resolution Manager to see all of the changes to a machine that are part of the attack, making our solution uniquely able to build a remediation to address the entire scope of the attack and restore the machine to its pre-attack condition.  BTW, that context I speak of is what really sets us apart &#8211; for example it allows us to beat the false positive problem &#8211; so you may want to look at the <a href="http://blog.triumfant.com/2009/08/19/what-ultimately-sets-triumfant-resolution-manager-apart-context/">associated post</a>.</p>
<p>Folks, it is raining, and don’t look for the rain to quit or even subside because it gets worse by the day.  And you will get wet.  That is the value of Triumfant – we are that last line of defense when you do.</p>
<br /> Tagged: endpoint protection, Endpoint Security, Maliciously Intended Insider, peer-to-peer, Rootkits, Symantec Internet Security Threat Report, Worldwide Malware Counter]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/08/26/it-is-raining-and-you-will-get-wet/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>

		<media:content url="http://triumfant.files.wordpress.com/2009/08/youwillgetwet1.jpg" medium="image">
			<media:title type="html">YouWillGetWet</media:title>
		</media:content>
	</item>
		<item>
		<title>More Proof That Signatures are Unsustainable &#8211; Malware Now Dies Before a Signature Can Be Written</title>
		<link>http://blog.triumfant.com/2009/08/13/more-proof-that-signatures-are-unsustainable-malware-now-dies-before-a-signature-can-be-written/</link>
		<comments>http://blog.triumfant.com/2009/08/13/more-proof-that-signatures-are-unsustainable-malware-now-dies-before-a-signature-can-be-written/#comments</comments>
		<pubDate>Thu, 13 Aug 2009 19:03:39 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[dynamic persistent threat]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=448</guid>
<description><![CDATA[An interesting article came out in SC Magazine today that notes that most malware (52% according to the article) dies before a signature can be created and well before it can be distributed.  What is more telling is that the cyber criminals are purposefully loading up the AV companies with piles of new attacks to [...]]]></description>
			<content:encoded><![CDATA[<p>An interesting <a href="http://www.scmagazineus.com/Most-malware-dies-within-24-hours/article/146384/">article came out in SC Magazine</a> today that notes that most malware (52% according to the article) dies before a signature can be created and well before it can be distributed.  What is more telling is that the cyber criminals are purposefully loading up the AV companies with piles of new attacks to make it very difficult for them to keep up with the onslaught.</p>
<p>This supports our contention that signature based endpoint security is simply no longer viable as a way to detect malicious attacks in the current world in which organizations have to operate. Gartner analyst Peter Firstbrook notes in the article: “The database of signatures is growing rapidly, but effectiveness is declining.” There are also malware numbers from Panda Security that track with the alarming numbers we have reported from both <a href="http://blog.triumfant.com/2009/04/15/perfecting-the-obsolete-the-numbers-story-in-the-symantec-internet-security-threat-report/">Symantec</a> and <a href="http://blog.triumfant.com/2009/07/24/mcafee-publishes-numbers-on-aggressive-malware-growth/">McAfee</a>. Panda says that they had collected 18M malware samples to date through 2008, and have already collected 12M through August of this year.</p>
<p>This is, of course, the very point we have been trying to make with the <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Signature Counter</a>.  The quantitative evidence is overwhelming and every time new data comes out, the thesis behind the counter grows increasingly rock solid.  </p>
<p>Quite simply, the malware game has changed and the protections have not kept up. Prior knowledge of an attack in the form of signatures is no longer a sustainable way of detecting malware, as this article clearly indicates. Current signature alternatives such as heuristics, behavioral analysis and reputation based detection have too many false positives or are too broad to be effective. Malware is evolving, and organizations must be ready to look beyond traditional endpoint protection – the usual suspects in the center aisles of the RSA Conference &#8211; if they are to have any hope of protecting critical data from the threats described in this article.</p>
<p>Fortunately there are new, compelling solutions that can detect dynamic, targeted attacks (what we call the dynamic persistent threat) without prior knowledge and provide a complete view of the attack and the collateral damage it causes to the victim machine. In just the past 10 days I have had the chance to show our product to multiple groups of some of the most senior security people I have had the privilege to encounter, and all of them came away very impressed with how we not only detect but also remediate an attack without a signature. We show all of them the same basic demonstration we used for the <a href="http://blog.triumfant.com/2009/04/29/the-triumfant-3-minute-malware-challenge-is-not-hype-we-have-the-video-to-prove-it/">three minute malware challenge</a> we did at RSA, where we put malware on a machine and watch Triumfant detect, analyze and remediate the attack in minutes. No prior knowledge required, no human intervention needed.</p>
<p>The sentence at the end of the article says it all: “While AV companies are quickly working to create signatures for malware variants, businesses should be most worried about targeted attacks that security firms may not even be aware of.” The evidence is everywhere, and this problem will only accelerate over time.  The longer your organization ignores the warning signs the larger the gap will grow in your endpoint protection and therefore your risk.  Don’t be afraid to look beyond the traditional security vendors for a solution, because that is where you will find it.</p>
<br /> Tagged: defense in depth, dynamic persistent threat, endpoint protection, Endpoint Security, Symantec Internet Security Threat Report, Worldwide Malware Counter]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/08/13/more-proof-that-signatures-are-unsustainable-malware-now-dies-before-a-signature-can-be-written/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Updating the Worldwide Malware Signature Counter to Keep Pace</title>
		<link>http://blog.triumfant.com/2009/06/23/updating-the-worldwide-malware-signature-counter-to-keep-pace/</link>
		<comments>http://blog.triumfant.com/2009/06/23/updating-the-worldwide-malware-signature-counter-to-keep-pace/#comments</comments>
		<pubDate>Tue, 23 Jun 2009 13:46:00 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=369</guid>
<description><![CDATA[This morning we updated the Triumfant Worldwide Malware Signature Counter to adjust the count upward and to accelerate the rate at which it increments to keep pace with what Symantec is reporting for their signature count. When we introduced the counter we made every attempt to model the rate of increment to the data presented [...]]]></description>
			<content:encoded><![CDATA[<p>This morning we updated the <a href="http://www.triumfant.com/Signature_Counter.asp">Triumfant Worldwide Malware Signature Counter</a> to adjust the count upward and to accelerate the rate at which it increments to keep pace with what Symantec is reporting for their signature count. When we introduced the counter we made every attempt to model the rate of increment to the data presented in the Symantec <a href="http://www.symantec.com/business/theme.jsp?themeid=threatreport">Global Internet Security Threat Report</a>, and we have been tracking the Symantec signature counts to ensure that the counter is as accurate as possible. </p>
<p>It should be noted that the counter started the year at roughly 2.6 million and has just passed 4.2 million. This is noteworthy because the 1.6 million new signatures is equivalent to the number of new signatures Symantec reported for all of 2008, and we have not yet hit the halfway point in the year. Given that a graph of the signature counts appears to be geometric rather than linear, we expect the rate of increase to accelerate and raise that delta for 2009 to on or about 4 million signatures. For the second year in a row, the number of new signatures for just this year will surpass the previous combined total number of signatures.</p>
<p>When we had the <a href="http://blog.triumfant.com/2009/05/19/introducing-the-worldwide-malware-signature-counter/">idea for the counter</a>, we were careful to apply some <a href="http://blog.triumfant.com/2009/05/20/questions-answered-about-the-worldwide-malware-counter/">science and statistical analysis</a> to the process because we wanted to be fair and conservative.  The counter was never meant to be about hype – it was built to provide a visual representation of the unsustainable nature of the signature model for defensive software.  That is why we are updating the counter in our attempts for accuracy, and we will also adjust the numbers down if we see that it begins to exceed the reported numbers.   </p>
<p>The point of this exercise remains the same.  Companies and government agencies must look beyond signature based tools for endpoint protection, as the sheer volume of new attacks makes it impossible for these tools to protect organizations from malicious activity.  Many new approaches to endpoint security such as behavioral analysis and heuristics still require previous knowledge of the attack to be really effective.  Triumfant is the one tool on the market that can detect, analyze and remediate a malicious attack without any prior knowledge of the attack.  No waiting for a vendor to create a remediation script or signature.  Remediation is minutes not hours or days.  And as the counter illustrates, every day your organization does not look beyond signature based tools, the problem only grows worse.</p>
<p>I would also note that the counter is not meant as a direct poke at Symantec.  We use their numbers because of our respect for the capabilities of their research team and because they graciously make their numbers public.  Other products that use signatures may have differing counts when it comes to signatures, but the basic problem still exists for those solutions. </p>
<p>I have heard a lot of complaints from IT security people that say there has not been much new in the way of technology lately.  I would respectfully disagree and would invite you to have a look at the Triumfant solution and get a feel for how it works via a video of our <a href="http://blog.triumfant.com/2009/04/29/the-triumfant-3-minute-malware-challenge-is-not-hype-we-have-the-video-to-prove-it/">Three Minute Malware Challenge from RSA</a>.  Words don&#8217;t do the product justice, so the video will provide much deeper insight.   Then give us a call and let&#8217;s talk about what is keeping you up at night and allow us to show you how we can help.</p>
<br /> Tagged: endpoint protection, Endpoint Security, malware, Symantec Internet Security Threat Report, Worldwide Malware Counter]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/06/23/updating-the-worldwide-malware-signature-counter-to-keep-pace/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>A Visceral Lesson in Endpoint Security</title>
		<link>http://blog.triumfant.com/2009/06/12/a-visceral-lesson-in-endpoint-security/</link>
		<comments>http://blog.triumfant.com/2009/06/12/a-visceral-lesson-in-endpoint-security/#comments</comments>
		<pubDate>Fri, 12 Jun 2009 11:33:08 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[defense in depth]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=349</guid>
<description><![CDATA[Elinor Mills of CNET News had a great article yesterday called “Look Ma, I created a botnet!” that had Elinor going through the paces of infecting and controlling a PC through various malware including a botnet.  Two things jumped out at me from her story. First, I have done a lot of writing about the [...]]]></description>
			<content:encoded><![CDATA[<p>Elinor Mills of CNET News had a great article yesterday called <a href="http://news.cnet.com/8301-1009_3-10263239-83.html?part=rss&amp;tag=feed&amp;subj=News-Security">“Look Ma, I created a botnet!”</a> that had Elinor going through the paces of infecting and controlling a PC through various malware including a botnet.  Two things jumped out at me from her story.</p>
<p>First, I have done a lot of writing about the depth and breadth of the malware menace by using the numbers from the Symantec Global Internet Security Threat Report.  The data from this report is the basis for our <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Signature Counter</a> on the <a href="http://www.Triumfant.com">Triumfant Web site</a>.  In her story, Elinor provides some great data from McAfee’s Avert Labs that adds yet another set of sobering statistics to the conversation. According to the article Avert Labs:</p>
<p>“…sees more than 400,000 new zombies a day, 4,000 new pieces of malware a day and 1.5 million malicious sites a month. There were 1.5 million pieces of unique malware last year and McAfee predicts that number will rise to 2.4 million this year.”</p>
<p>Like the Symantec numbers, these figures are staggering, but sometimes I fear that executives who look at security budgets and endpoint protection cannot grasp their meaning. IT Security is a funny business where success often brings a sense of false security among those not savvy about the depth of the threat. Somehow, in spite of a deluge of sound statistics, those under budgetary pressure allow themselves to fall into the mind trap of “I have not had a major breach, therefore there is no real threat, therefore I am overspending on security”.</p>
<p>Which brings me to my second point: I wonder if those same executives would think that way if each were able to take the same malware test drive as Elinor.   My guess is that they would walk away with a completely new outlook on the world and be able to better put the statistics like those from Avert Labs into practical context.  Elinor lives in this world continually and reports on massive breaches almost daily and she found the experience “sobering”.  Hats off to the McAfee folks for putting together such an eye opening demonstration – I am sure it has helped them close more than one contract.  But it may serve to do all of us in IT security a collective favor by providing a very visceral lesson to those who doubt the need for endpoint security.</p>
<br /> Tagged: defense in depth, endpoint protection, Endpoint Security, malware, Symantec Internet Security Threat Report, Worldwide Malware Counter]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/06/12/a-visceral-lesson-in-endpoint-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>Questions Answered About the Worldwide Malware Counter</title>
		<link>http://blog.triumfant.com/2009/05/20/questions-answered-about-the-worldwide-malware-counter/</link>
		<comments>http://blog.triumfant.com/2009/05/20/questions-answered-about-the-worldwide-malware-counter/#comments</comments>
		<pubDate>Wed, 20 May 2009 12:42:39 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>
		<category><![CDATA[vulnerability management]]></category>
		<category><![CDATA[Worldwide Malware Counter]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=298</guid>
<description><![CDATA[The Worldwide Malware Counter introduced in Triumfant CEO John Prisco&#8217;s blog post yesterday has gotten a lot of interesting response and some questions that I thought I would address. Why should I care about this counter?  Because if you are reading this, you are likely engaged in IT security in some form, and the tectonic plates [...]]]></description>
			<content:encoded><![CDATA[<p>The <a href="http://www.triumfant.com/Signature_Counter.asp">Worldwide Malware Counter</a> introduced in Triumfant CEO John Prisco&#8217;s <a href="http://blog.triumfant.com/2009/05/19/introducing-the-worldwide-malware-signature-counter/">blog post</a> yesterday has gotten a lot of interesting response and some questions that I thought I would address.</p>
<p><strong><em>Why should I care about this counter?</em></strong>  Because if you are reading this, you are likely engaged in IT security in some form, and the tectonic plates of that world are shifting rapidly beneath your feet. This counter is meant to give you a small taste of just how much they are shifting. Consider that a signature is written in response to a new attack or a new variant of an attack, and signature based tools fail at a fifty percent or higher rate to detect the attacks that have no known signature. If you are not looking at alternatives to signature based tools you should be. Because as other organizations do, the cyber criminals are going to seek out those organizations that continue to rely solely on signature based tools, since they will offer the least resistance.</p>
<p><strong><em>Is the counter just a timed linear count?  </em></strong>No. We actually modeled the numbers from Symantec Threat Report and built a counter that we think fits the represented data as best as possible.  The counter’s pace will actually escalate throughout the year to represent the growth rates from the data.  So we start the year at one every 20 seconds, and will end the year at one every 8 seconds.  The counter is representative, but we made it as accurate as possible – no hype or fear mongering.</p>
<p><strong><em>What, no sound effects?</em></strong>  As a big fan of 24, I really wanted to use the same sound they have on their timer, but maybe we can add something in release 1.1 of the counter.  Like the agonizing screams of a user realizing their machine just got infected.</p>
<p><strong><em>Will you adjust the counter as Symantec updates their numbers?</em></strong>  Absolutely.  The counter was built with variables so we can do just that.  Again, our goal was to provide a graphical representation that was fair and erred on the side of being conservative.  When we see new numbers from Symantec we will update our model and the counter.  If we were too high, we will say so.  We think we will be low.</p>
<p><strong><em>Are you picking on Symantec?  </em></strong>Nope.  We used the Symantec numbers because they are in the public domain and they represent a broad, worldwide sampling of what organizations are encountering.  We commend Symantec for making the information available, and we have the utmost respect for their research.   Triumfant is not an antivirus replacement, we have never positioned ourselves that way, and we therefore have no quarrel with Symantec (or Mcafee, or Trend, or Sophos, or &lt;insert antivirus vendor name here&gt;).   If someone knows of similar research that is in the public domain that we should consider, please let me know.</p>
<p><strong><em>Why did Triumfant do this?</em></strong>  To catalyze awareness and discussion because a picture is worth a thousand words (feel free to use that quote if you like it).  Triumfant believes that organizations, particularly those organizations that are continuously bombarded with persistent targeted threats, need to know what they are up against.  And while they may feel safe now, they need to look to alternatives to traditional signature based tools now before this counter gets to the 10’s of millions.  Someone sent us a comment yesterday that until they saw the counter they had not considered the potential load on their computer to sift through so many signatures.  That is what we were after – to stimulate some thinking.  And of course if that thinking were to drive people to consider Triumfant as one of those alternative technologies, then that would be a plus (come on folks, we are not a philanthropy).</p>
<p><strong><em>Are we to believe a marketing guy built an analytical model that extrapolates and performs intelligent escalation?</em></strong> Luckily, my CEO went to MIT and he built the model.  But in my defense I did get a &#8220;B&#8221; in ordinary differential equations.</p>
<br /> Tagged: endpoint protection, Endpoint Security, Symantec Internet Security Threat Report, vulnerability management, Worldwide Malware Counter]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/05/20/questions-answered-about-the-worldwide-malware-counter/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
		<item>
		<title>An RSA Keynote from the Outer Aisles &#8211; Demand Disruption</title>
		<link>http://blog.triumfant.com/2009/05/04/an-rsa-keynote-from-the-outer-aisles-demand-disruption/</link>
		<comments>http://blog.triumfant.com/2009/05/04/an-rsa-keynote-from-the-outer-aisles-demand-disruption/#comments</comments>
		<pubDate>Mon, 04 May 2009 12:53:14 +0000</pubDate>
		<dc:creator>John Prisco</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[perfecting the obsolete]]></category>
		<category><![CDATA[RSA Conference 2009]]></category>
		<category><![CDATA[Security Configuration Management]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=225</guid>
		<description><![CDATA[When you are located on the third row of demo booths from the side walls at RSA, suffice it to say, you are not asked to deliver a keynote.  But after the show I have spent some time thinking of what I would have said if I had been given that chance.  Best of all, [...]]]></description>
			<content:encoded><![CDATA[<p><em>When you are located on the third row of demo booths from the side walls at RSA, suffice it to say, you are not asked to deliver a keynote.  But after the show I have spent some time thinking of what I would have said if I had been given that chance.  Best of all, I will be brief.  So here is a summary:</em></p>
<p>With all due respect to these distinguished speakers, I would challenge them to walk toward either wall on the exhibit floor and see that there are small, innovative companies that have already solved or are 95% of the way toward solving these problems.  The change that must happen for the market to move forward must come in the attitudes of the larger vendors and the expectations of the users of security products. </p>
<p>You see, the larger vendors, particularly the ones with signature based technologies, have a lot riding on the continued use of signature based tools.  They have built large infrastructures that feed the beast they have created, positioning armies of people around the world to try and run in front of the avalanche of new attacks that are growing in volume and complexity at an alarming rate.  The admission by Symantec that they had to create 1.6M signatures in 2008 should be a terrifying revelation to users.  So should the fact that this reflected a growth rate of 254% year over year and was 160% more than the total number of combined signatures in 2007 (1M). </p>
<p>But stepping away from signatures means the fundamental disruption of an ecosystem that has arisen to feed the signature beast, which could put the revenue of some of these companies in danger if they cannot bring an innovative alternative to market.  So while they may speak of innovation, they may in fact have a vested interest in the status quo.  We have gone to calling this process “<a href="http://blog.triumfant.com/2009/04/15/perfecting-the-obsolete-the-numbers-story-in-the-symantec-internet-security-threat-report/">perfecting the obsolete</a>”.  Many of these companies share a not-invented-here bias or continue to tell their customers that they have alternative solutions that fill the gaps.  But the numbers say otherwise as does their response when they see the capabilities of products like Triumfant Resolution Manager. </p>
<p>I don’t want to paint all of the market leaders with the same brush as some of the large companies are stepping out and putting real action behind their promises.  As you may know, we announced at RSA that we have joined the McAfee Security Innovation Alliance, and actually were in McAfee’s partner pavilion.  We are pleased that McAfee has taken the time to learn about what Triumfant can offer and sees complementary capabilities.  In speaking with their people, I get a real sense that they know the market has to evolve, and they are looking inside and outside of McAfee to bring to market a solution that provides their customers with an innovative and evolved offering.  But others seem content only to make promises yet simply deliver more of the same.</p>
<p>Make no mistake; promises are frequently a blocking technique to keep customers from looking elsewhere for innovation. All the promises in the world cannot hide the fact that the innovation has already been realized on the outer aisles of RSA. And not just realized, but available on the market as working viable products, with Triumfant just <a href="http://blog.triumfant.com/2009/04/27/stiennon%e2%80%99s-best-of-show-for-rsa-2009-and-extending-the-3-minute-malware-challenge/">one proof point</a>.  Today, Triumfant can demonstrate the ability to detect, analyze and remediate a malicious attack without a signature, prior knowledge of the attack, or human intervention in three minutes (view a video demonstration <a href="http://tinyurl.com/TriumfantDemo">here</a>).  No calls to the vendor to get a script or signature written, no need to push a new signature to the endpoints, no bloated agent with scores of pre-written remediations that may or may not fit the situation, no need to re-image the infected machine.  <a href="http://blog.triumfant.com/2009/04/29/the-triumfant-3-minute-malware-challenge-is-not-hype-we-have-the-video-to-prove-it/">Three minutes </a>– not four hours or, more likely, days or weeks.  Not a promise, but a reality we are willing to install at a customer site and let them see for themselves in their own environment.</p>
<p>The blame cannot rest completely with the vendors.  Customers bear a responsibility to facilitate the necessary disruption of the security market and should be outraged that the protection of their corporate IT assets is contingent on 15- to 20-year old technologies such as signatures and firewalls.  Organizations allow themselves to enjoy a false sense of security as long as they are not the ones targeted, when in fact they may be under massive and costly attacks now that they have not yet detected because their defensive software misses such attacks at a rate of fifty percent or higher.   Fifty percent is not my number, but Gartner’s, and you can find reputable studies that show a bigger number when looking at the percent of attacks that evade traditional signature based software when there is no known signature.  The fact that customers will accept such a rate of failure means that businesses and government agencies are, at a minimum, an enabling partner in the lack of innovation.  Markets evolve when users demand that they evolve.  It is time to start demanding.</p>
<p>Customers must also not be a slave to old thinking or rely on the large vendors to define their expectation.  For example, one pushback we get is the need to run an agent to use our software.  But open minded customers see that in fact Triumfant can do the work of a security configuration management tool, a whitelist/blacklist tool, an FDCC compliance tool, and even perform endpoint power management – all with one agent and one console.  With a little up-front discomfort to unplug some point solutions, an organization could add the one-of-a-kind capabilities of Triumfant and eliminate some agents.  Don’t let the big boys talk you out of some disruptive change.</p>
<p>In closing, I urge the market to return to the days when we worried less about protecting established ecosystems and concentrated on making customers safer and more secure.  I urge customers to not accept more of the same.  It is your data and your organizational reputation that stands in the balance and you should not accept fifty percent failure rates when the stakes are so very high.  This market has always been about keeping pace with the evolution of cyber crime.  Customers must put pressure on trusted vendors to integrate new technologies, even if they are invented elsewhere.</p>
<p>I fear that we have let hubris give the bad guys too much of an edge while we make promises and proclamations without real progress.   There is innovation out there that can make up lost ground, and the market must accept disruption to move forward. Customers must demand that this disruption happen and happen now.</p>
<br /> Tagged: endpoint protection, Endpoint Security, perfecting the obsolete, RSA Conference 2009, Security Configuration Management, Symantec Internet Security Threat Report]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/05/04/an-rsa-keynote-from-the-outer-aisles-demand-disruption/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/6c2fcd440d35032feea7a64dfac2042a?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">John Prisco</media:title>
		</media:content>
	</item>
		<item>
		<title>The IT Security Ecosystem, Part 2 &#8211; Disruption Requires Innovation, Not More Signatures</title>
		<link>http://blog.triumfant.com/2009/05/01/the-it-security-ecosystem-part-2-disruption-requires-innovation-not-more-signatures/</link>
		<comments>http://blog.triumfant.com/2009/05/01/the-it-security-ecosystem-part-2-disruption-requires-innovation-not-more-signatures/#comments</comments>
		<pubDate>Fri, 01 May 2009 14:25:15 +0000</pubDate>
		<dc:creator>Jim Ivers</dc:creator>
				<category><![CDATA[Endpoint Security]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[perfecting the obsolete]]></category>
		<category><![CDATA[Symantec Internet Security Threat Report]]></category>

		<guid isPermaLink="false">http://blog.triumfant.com/?p=216</guid>
		<description><![CDATA[I just read an interesting post by Matt Asay in CNET News called “Which software vendors are the most relevant?” in which Asay lists who he believes are changing the face of software.  One of his criteria for being such a company – he chose IBM, Microsoft, Oracle and Cisco Systems – is that [...]]]></description>
			<content:encoded><![CDATA[<p>I just read an interesting post by Matt Asay in CNET News called “<a href="http://news.cnet.com/8301-13505_3-10230791-16.html">Which software vendors are the most relevant?</a>” in which Asay lists who he believes are changing the face of software.  One of his criteria for being such a company – he chose IBM, Microsoft, Oracle and Cisco Systems – is that they bring a sense of innovation and vision that causes disruption in the software ecosystem.  Given that I am a big proponent of disrupting the IT security market ecosystem, Mr. Asay had my attention.  He goes on to explicitly list EMC and Symantec as companies that do not belong on the list in spite of their broad offerings and large market presence because of their lack of vision and ambition to be disruptive. </p>
<p>Which leads me to something else that came to my attention.  I started using TweetDeck yesterday (I may be an old dog, but I can learn new tricks) and discovered a tweet that had been sent to @Triumfant from someone at Symantec.  It was in response to a tweet I had put out about the Symantec Internet Threat Report and the 1.6 million signatures Symantec reported they created in 2008.  My exact tweet was:</p>
<p>    <em>Still thinking about Symantec Threat Report Numbers. 1 new signature every 20 seconds. 3/minute. 180/hour. When do they eat? Sleep? Tweet?</em></p>
<p>The response from someone at Symantec:</p>
<p>    <em>@</em><a href="http://twitter.com/Triumfant"><em>Triumfant</em></a><em> Thankfully there&#8217;s a whole team and we&#8217;re situated all around the globe for this very reason!</em></p>
<p>After thinking about this a bit I realized just how much effort it takes an antivirus company to maintain the status quo of the AV ecosystem.  As the number and complexity of attacks increase geometrically, these companies are forced to deploy hundreds of people worldwide to feed the monster that is the signature problem.  Given the enormous resources such companies must pour into just keeping up with new signatures, I imagine it is hard to have resources left to power the innovation to cause disruption.</p>
<p>But therein is the problem, because the lack of innovation and subsequent absence of disruption is exactly what keeps the AV ecosystem alive.  If customers perceive that there are no alternatives to signature based tools (yes, there are <a href="http://blog.triumfant.com/2009/04/29/the-triumfant-3-minute-malware-challenge-is-not-hype-we-have-the-video-to-prove-it/">viable alternatives</a>) they remain reliant on signature based defensive software.  With new signatures required every 20 seconds, the customers become equally reliant on the vendor.  And the cyber criminals do their part and constantly create new threats or threat variants.  It is a stellar example of a self-perpetuating cycle.  And it is a cycle that the big AV companies do not seem able, or willing, to disrupt.</p>
<p>Again, let me be clear that I am not accusing Symantec or any other antivirus vendor of intentionally coercing or misleading their customers or the broader market.  The research organizations of the AV companies are well respected security professionals who take the security of their customers seriously and I only listed Symantec because someone in that company responded on Twitter.  The work done by these and other organizations are part of the ongoing battle with cyber crime and such research is vital to defending against the daily wave of new attacks. </p>
<p>But to paraphrase Asay, being a leading vendor in size and revenue does not mean that you are leading the market to innovate and change, and make no mistake &#8211; the IT Security ecosystem must change.   I have already <a href="http://blog.triumfant.com/2009/04/17/perfecting-the-obsolete-part-2-is-that-an-elephant-in-the-room/">stated the case</a> that the numbers regarding the growth of required signatures clearly indicate that signature based technology is no longer sustainable, and many others in the industry have elegantly made the same case.  It is apparent that the disruptive leadership for the IT security market to overcome the signature problem will have to come from smaller upstarts who are unburdened by feeding the status quo of the ecosystem.</p>
<br /> Tagged: endpoint protection, Endpoint Security, perfecting the obsolete, Symantec Internet Security Threat Report]]></content:encoded>
			<wfw:commentRss>http://blog.triumfant.com/2009/05/01/the-it-security-ecosystem-part-2-disruption-requires-innovation-not-more-signatures/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
	
		<media:content url="http://0.gravatar.com/avatar/a2f7dfbb7806b460f90dfd1bcede5a8e?s=96&#38;d=identicon&#38;r=G" medium="image">
			<media:title type="html">Jim Ivers</media:title>
		</media:content>
	</item>
	</channel>
</rss>