[LINK] The Antivirus Industry

stephen at melbpc.org.au stephen at melbpc.org.au
Thu Jan 3 00:15:56 AEDT 2013


Outmaneuvered at Their Own Game, Antivirus Makers Struggle to Adapt

By NICOLE PERLROTH, Published: December 31, 2012
<http://www.nytimes.com/2013/01/01/technology/antivirus-makers-work-on-software-to-catch-malware-more-effectively.html?src=me&ref=general&_r=0>


SAN FRANCISCO — The antivirus industry has a dirty little secret: its 
products are often not very good at stopping viruses. 

Consumers and businesses spend billions of dollars every year on 
antivirus software. But these programs rarely, if ever, block freshly 
minted computer viruses, experts say, because the virus creators move too 
quickly. That is prompting start-ups and other companies to get creative 
about new approaches to computer security. 

“The bad guys are always trying to be a step ahead,” said Matthew D. 
Howard, a venture capitalist at Norwest Venture Partners who previously 
set up the security strategy at Cisco Systems. “And it doesn’t take a lot 
to be a step ahead.” 

Computer viruses used to be the domain of digital mischief makers. But in 
the mid-2000s, when criminals discovered that malicious software could be 
profitable, the number of new viruses began to grow exponentially. 

In 2000, there were fewer than a million new strains of malware, most of 
them the work of amateurs. By 2010, there were 49 million new strains, 
according to AV-Test, a German research institute that tests antivirus 
products. 

The antivirus industry has grown as well, but experts say it is falling 
behind. By the time its products are able to block new viruses, it is 
often too late. The bad guys have already had their fun, siphoning out a 
company’s trade secrets, erasing data or emptying a consumer’s bank 
account. 

A new study by Imperva, a data security firm in Redwood City, Calif., and 
students from the Technion-Israel Institute of Technology is the latest 
confirmation of this. Amichai Shulman, Imperva’s chief technology 
officer, and a group of researchers collected and analyzed 82 new 
computer viruses and put them up against more than 40 antivirus products, 
made by top companies like Microsoft, Symantec, McAfee and Kaspersky Lab. 
They found that the initial detection rate was less than 5 percent. 

On average, it took almost a month for antivirus products to update their 
detection mechanisms and spot the new viruses. And two of the products 
with the best detection rates — Avast and Emsisoft — are available free; 
users are encouraged to pay for additional features. This despite the 
fact that consumers and businesses spent a combined $7.4 billion on 
antivirus software last year — nearly half of the $17.7 billion spent on 
security software in 2011, according to Gartner. 

“Existing methodologies we’ve been protecting ourselves with have lost 
their efficacy,” said Ted Schlein, a security-focused investment partner 
at Kleiner Perkins Caufield & Byers. “This study is just another 
indicator of that. But the whole concept of detecting what is bad is a 
broken concept.” 

Part of the problem is that antivirus products are inherently reactive. 
Just as medical researchers have to study a virus before they can create 
a vaccine, antivirus makers must capture a computer virus, take it apart 
and identify its “signature” — unique signs in its code — before they can 
write a program that removes it. 

That process can take as little as a few hours or as long as several 
years. In May, researchers at Kaspersky Lab discovered Flame, a complex 
piece of malware that had been stealing data from computers for an 
estimated five years. 

Mikko H. Hypponen, chief researcher at F-Secure, called Flame “a 
spectacular failure” for the antivirus industry. “We really should have 
been able to do better,” he wrote in an essay for Wired.com after Flame’s 
discovery. “But we didn’t. We were out of our league in our own game.” 

Symantec and McAfee, which built their businesses on antivirus products, 
have begun to acknowledge their limitations and to try new approaches. 
The word “antivirus” does not appear once on their home pages. Symantec 
rebranded its popular antivirus packages: its consumer product is now 
called Norton Internet Security, and its corporate offering is now 
Symantec Endpoint Protection. 

“Nobody is saying antivirus is enough,” said Kevin Haley, Symantec’s 
director of security response. Mr. Haley said Symantec’s antivirus 
products included a handful of new technologies, like behavior-based 
blocking, which looks at some 30 characteristics of a file, including 
when it was created and where else it has been installed, before allowing 
it to run. “In over two-thirds of cases, malware is detected by one of 
these other technologies,” he said.

Imperva, which sponsored the antivirus study, has a horse in this race. 
Its Web application and data security software are part of a wave of 
products that look at security in a new way. Instead of simply blocking 
what is bad, as antivirus programs and perimeter firewalls are designed 
to do, Imperva monitors access to servers, databases and files for 
suspicious activity. 

The day companies unplug their antivirus software is still far off, but 
entrepreneurs and investors are betting that the old tools will become 
relics. 

“The game has changed from the attacker’s standpoint,” said Phil 
Hochmuth, a Web security analyst at the research firm International Data 
Corporation. “The traditional signature-based method of detecting malware 
is not keeping up.” 

Investors are backing a new crop of start-ups that turn the whole notion 
of security on its head. If it is no longer possible to block everything 
that is bad, the thinking goes, then the security companies of the future 
will be the ones whose software can spot unusual behavior and clean up 
systems once they have been breached. 

The hottest security start-ups today are companies like Bit9, Bromium, 
FireEye and Seculert that monitor Internet traffic, and companies like 
Mandiant and CrowdStrike that have expertise in cleaning up after an 
attack. 

Bit9, which received more than $70 million in financing from top venture 
firms like Kleiner Perkins and Sequoia Capital, uses an approach known as 
whitelisting, allowing only traffic that the system knows is innocuous. 

McAfee acquired Solidcore, a whitelisting start-up, in 2009, and 
Symantec’s products now include its Insight technology, which is similar 
in that it does not let any unknown files run on a machine. 
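The three detection models the article contrasts (signature denylisting, allowlisting, and reputation on file characteristics such as age and prevalence) side by side, as an added illustration that is not part of the article or of any vendor's product; the sample "files", the signature pattern and the reputation thresholds are all constructed for the demonstration:

```python
import hashlib
from dataclasses import dataclass

# Constructed byte strings standing in for executables (not real malware).
KNOWN_GOOD = {b"MZ..editor v1.0..", b"MZ..browser v9.2.."}
# Constructed signature: a byte pattern taken from the first captured
# sample of one strain, the way a vendor writes a detection for it.
SIGNATURES = {"strain-A": b"PAYLOAD_v1"}
ALLOWLIST = {hashlib.sha256(f).hexdigest() for f in KNOWN_GOOD}

@dataclass
class Sample:
    blob: bytes
    age_days: int      # days since the file was first seen anywhere
    prevalence: int    # number of machines it has been seen on

def signature_verdict(s: Sample) -> str:
    """Denylist model: blocks only what matches a known signature."""
    for name, pattern in SIGNATURES.items():
        if pattern in s.blob:
            return f"block:{name}"
    return "allow"            # unknown means allowed

def allowlist_verdict(s: Sample) -> str:
    """Allowlist model (the Bit9/Solidcore approach): unknown means blocked."""
    if hashlib.sha256(s.blob).hexdigest() in ALLOWLIST:
        return "allow"
    return "block:unknown"

def reputation_verdict(s: Sample, min_age=7, min_prevalence=100) -> str:
    """Reputation heuristic on file age and prevalence, two of the
    characteristics Haley mentions (thresholds are assumed)."""
    if hashlib.sha256(s.blob).hexdigest() in ALLOWLIST:
        return "allow"
    if s.age_days < min_age and s.prevalence < min_prevalence:
        return "block:low-reputation"
    return "allow"

def compare(samples):
    return {k: (signature_verdict(v), allowlist_verdict(v), reputation_verdict(v))
            for k, v in samples.items()}

SAMPLES = {
    "good_editor": Sample(b"MZ..editor v1.0..", 400, 50000),
    "strain_A": Sample(b"MZ..PAYLOAD_v1..", 30, 800),          # signature exists
    "strain_A_variant": Sample(b"MZ..PAYLOAD_v2..", 0, 3),     # freshly minted
}

if __name__ == "__main__":
    for name, verdicts in compare(SAMPLES).items():
        print(name, *verdicts)
```

Each model has a blind spot: the signature misses the fresh variant, the reputation heuristic waves through the widespread older strain, and only the allowlist stops everything it has not explicitly approved, at the cost of blocking legitimate unknown software too.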

McAfee’s former chief executive, David G. DeWalt, was rumored to be a 
contender for the top job at Intel, which acquired McAfee in 2010. 
Instead, he joined FireEye, a start-up with a system that isolates a 
company’s applications in virtual containers, then looks for suspicious 
activity in a sort of digital petri dish before deciding whether to let 
traffic through. 

The company has received more than $35 million in financing from Norwest, 
Sequoia Capital and In-Q-Tel, the venture arm of the Central Intelligence 
Agency, among others. 

Seculert, an Israeli start-up, approaches the problem somewhat 
differently. It looks at where threats are coming from — the command and 
control centers used to coordinate attacks — to give governments and 
businesses an early warning system. 

As the number of prominent online attacks rises, analysts and venture 
capitalists are betting that corporate spending patterns will change. 

“Technologies that once were only used by very sensitive industries like 
finance are moving into the mainstream,” Mr. Hochmuth said. “Very soon, 
if you are not running these technologies and you’re a security 
professional, your colleagues and counterparts will start to look at you 
funny.” 

Companies have started working from the assumption that they will be 
hacked, Mr. Hochmuth said, and that when they are, they will need top-
notch cleanup crews. 

Mandiant, which specializes in data forensics and responding to breaches, 
has received $70 million from Kleiner Perkins and One Equity Partners, 
JPMorgan Chase’s private investment arm. 

Two McAfee executives, George Kurtz and Dmitri Alperovitch, left to start 
CrowdStrike, a start-up that offers a similar forensics service. Less 
than a year later, they have already raised $26 million from Warburg 
Pincus. 

If and when antivirus makers are able to fortify desktop computers, 
chances are the criminals will have already moved on to smartphones. 

In October, the F.B.I. warned that a number of malicious apps were 
compromising Android devices. And in July, Kaspersky Lab discovered the 
first malicious app in Apple’s app store. The Defense Department has 
called for companies and universities to find ways to protect mobile 
devices from malware. McAfee, Symantec and others are working on 
solutions, and Lookout, a start-up whose products scan apps for malware 
and viruses, recently raised funding that valued it at $1 billion. 

“The bad guys are getting worse,” Mr. Howard of Norwest said. “Antivirus 
helps filter down the problem, but the next big security company will be 
the one that offers a comprehensive solution.”

--

Cheers,
Stephen


