Today Triumfant added a malware signature counter to our Web site to represent an up-to-the-second counter of the number of signatures required by traditional signature-based tools. The counter is designed to graphically reinforce what many in the IT security industry believe is a growing problem that is being largely ignored – that the reliance on signatures to protect endpoints and servers against malicious attack is simply unsustainable.
The counter uses the statistics from Symantec’s “Global Internet Security Threat Report – Trends for 2008”, published in April of 2009, as the statistical foundation and simply extrapolates the growth rates in new attacks – and therefore the companion signatures – seen in 2008 into 2009. We used the Symantec data because it is in the public domain, because they are a credible market leader, and because they have an exemplary research capability. But we also used this report because we thought it was a fair set of numbers: they come from a vendor who, like most in the IT security market, relies heavily on signatures for defensive capabilities, and were therefore not inflated to make a point.
Just what is that point? The world of cyber crime is simultaneously accelerating and evolving in ways that no one would have predicted three years ago. According to Symantec, the total number of signatures increased approximately 265% year-to-year from 2007 to 2008. The total number of signatures created in 2008 exceeded the total number of signatures written to-date by 60%, adding 1.6M signatures to the cumulative total of 1M signatures. If these growth rates continue, and the curve appears to be actually geometric instead of linear, over 4M new signatures will need to be written in 2009.
Customers are promised innovation, but are delivered more of the same in what we have come to call the process of “perfecting the obsolete”. So why is the industry moving slowly? I address this in detail in a previous post called An RSA Keynote from the Outer Aisles – Demand Disruption, but essentially the movement away from the reliance on signatures is simply too disruptive to the comfortable ecosystem that has been created, and even the customers are partially complicit because they do not demand change.
Triumfant is not looking to beat the “AV is dead” drum, as we believe that antivirus software will always have a place in a defense-in-depth strategy, but we do believe that continued reliance on antivirus software in the face of the mounting evidence is not a reasonable or prudent strategy. And do not lose the perspective that each one of the 1.6M new signatures represents a response to a new unknown attack or a variant of an existing attack that therefore evaded the signature-based software at a rate generally reported to be fifty percent. I would be remiss not to add that there are likely many more such attacks that have yet to be discovered, as the daily headlines point to attacks that go months undetected.
So the questions begged by the counter are simple. How many signatures must we write before we hit the tipping point? How much data and money and intellectual property must be stolen before the market demands change? How many people who have entrusted personal data to organizations with the belief that these organizations would protect that data must have their privacy compromised? When is the market going to stop supporting the self-serving ecosystem and engage in some constructive conversation about evolving defensive software to meet the obvious threat?
The counter was designed to be a visual reminder of the mess we are sliding toward. The counter will accelerate to match the accelerating rate of the problem, and soon will be incrementing every eight seconds by year end. There are alternative ways to detect and remediate malicious activity, and I would respectfully suggest that you and your organization owe it to yourselves and your stakeholders, customers, and employees to start to look into these alternatives to signature-based tools sooner rather than later. The counter is ticking.