February 29, 2012
At the bottom of the Triumfant home page is the Worldwide Malware Signature Counter, a fixture on the site since May of 2009. The Counter was designed, according to the associated blog post marking its debut, “to graphically reinforce what many in the IT security industry believe is a growing problem that is being largely ignored – that the reliance on signatures to protect endpoints and servers against malicious attack is simply unsustainable”. My only regret is that I never found a way to add the hard clunking sound from the timer on “24” to add emphasis.
I periodically check the Counter against reported malware counts to ensure that it is an accurate and fair representation of the signature story. Truthfully, the Counter was designed to err on the side of understatement to avoid the impression of FUD or sensationalism, so I normally have to correct it up instead of down. Yes, IT security folks, there are actually marketing people with restraint. Go figure.
Last week I updated the Counter to track to the signature counts reported by Symantec at the close of 2011. Doing so led to a time of reflection on the genesis and objective of the Counter, and the changes in the threat landscape between then and now.
When Triumfant introduced the Counter three years ago, the world was still coming to terms with the evolution of malicious attacks and the hard realization that signature-based protections could no longer be their primary shield. I would hope that there are very few serious members of the IT security community who need further convincing today.
Ironically, in the past three years the large vendors that owe their market presence largely to selling AV software have shifted their messaging. Most dropped signature counts from their annual threat reports in spite of such counts being a featured staple in years past. I noted in one blog post that one such vendor dropped any mention of the word “signature” completely. In an interesting twist, some of these vendors now use the large malware sample numbers to sell other products and solutions in their portfolio. The flood of annual reports that are the precursor for the RSA Conference scream numbers such as 75 million and 250 million for malware samples. You have to feel for signature software: it made these vendors market leaders and it is now being dismissively kicked to the curb. Think Sunset Boulevard for security software.
Meanwhile, the battle to protect sensitive data and intellectual property continues to rapidly evolve. The first malware sprang to life when sensitive information moved from corporate systems to the first personal computers. Those early attacks now seem laughable against the volume and sophistication of the threats we face today, and things will only get more complicated when you consider the flood of mobile devices and BYOD machines that will soon be accessing corporate systems. Furthermore, the adversary has changed from basement hackers to well-organized, well-funded, and highly motivated groups driven by monetary gain or political motives. The sum total of this evolution creates a gap between signature-based protections and the current reality that grows faster than a simple signature counter can capture.
The counter was a great visual to help people grasp the shift in the IT security world and helped bring attention to Triumfant’s ability to detect malware without signatures. The counter often provoked people to ask if we were a replacement for signature-based protections, and we always said no. Signature-based protections are a logical brick in the wall around IT assets, but they are just a brick, not the entire wall. I should add that the Counter now serves as a symbol for all solutions that base their detection capability on some form of prior knowledge, not just AV.
My next thoughts went to the Counter itself and its continued existence on the Triumfant site. After some consideration, I decided to keep it around because, while the thinking of the IT security world has evolved, there are still plenty of other business people outside of security who are still coming to terms with the concept. Truth be told, I have an emotional fondness for the Counter and it is still a place for people to discover Triumfant and the uniqueness of our approach.
The Triumfant Worldwide Malware Signature Counter will live on. Maybe I will finally add that sound effect. Clunk…Clunk…Clunk…