Anyone attending this year’s RSA conference couldn’t help but notice one thing: the security industry is awash in guilt over the failure to stop hackers. RSA chairman Arthur Coviello said “security vendors and practitioners need to shift their strategies beyond signature and perimeter-based defenses and collaborate to develop and adopt new intelligence-based approaches to information security.” And this mea culpa follows another one from McAfee, who wrote in an August 2011 report, “The security industry may need to reconsider some of its fundamental assumptions, including ‘Are we really protecting users and companies?’”
One reason for the guilt trips? The inadequacy of antivirus. Today, the enterprise desktop security software spend is $3.4 billion worldwide. Consumers will spend even more — nearly $5 billion — on antivirus this year. However, new virus detection remains quite low. For example, one of the most prominent virus kits—the Blackhole Exploit—was missed by 30% of antivirus packages. In other words, out of nearly $8B in spend, at most around $2.4B is spent with some efficacy—but $5.6 billion isn’t. That’s a lot of wasted money.
As many of us in security know, evading antivirus is not complicated. In fact, virus evasion is a growing industry unto itself. In 2010, the Verizon Data Breach report observed, “This year nearly two-thirds of malware investigated in the Verizon caseload was customized—the highest we have ever seen.” Translation: malware/virus writers know that evasion is the name of the game. (For more on this, see my colleague Noa Bar Yosef’s detailed, excellent explanation in an SC Magazine column.) The individual behind RankMyHack.com had this interesting perspective on antivirus—from a hacker (!):
The big money comes from silent espionage, viruses that do NOTHING but silently record your keystrokes and send them to a remote location, or viruses that in one blast steal all the information stored in your browser cookies.
To be clear, antivirus is needed. But the important thing is to stop wasting so much time and—more importantly—money on products whose rate of return is so poor.
So what should companies and consumers do? Rebalance their portfolios. In finance, when stocks over- or underperform, you dump them for other investments to adjust your risk. Today, antivirus is an underperforming asset that deserves rebalancing. We can’t speak for everyone, but we see more customers operating on the assumption that antivirus will fail. One of our customers relies on database security controls to monitor and block aberrant access to sensitive data (e.g., malware accesses databases at inhuman speeds, so that should be blocked). How many more such companies exist? Not sure. But it’s a safe bet that their numbers increase daily.
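To make the “inhuman speeds” control concrete, here is an added example (my own illustration, not code from the customer mentioned above or from any product) of the simplest version of that check: a sliding-window counter over database audit log lines that flags any user/client pair issuing more queries in ten seconds than a person at a keyboard plausibly would. The log format, the sample lines, and the thresholds are all constructed assumptions for the demonstration.

```python
"""Rate-based anomaly detection over database audit log lines.

Added example, not from the original post or any vendor product. Flags
sessions whose query rate exceeds what a human operator plausibly produces,
the kind of control the post describes for malware that harvests data from
a database "at inhuman speeds". The log format and thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log, one query per line:
# "<ISO timestamp> <db user> <client ip> <statement>"
# A few interactive queries from a human, seconds apart.
_HUMAN_LINES = [
    "2012-03-01T09:00:00.000 alice 10.0.0.5 SELECT * FROM customers WHERE id=17",
    "2012-03-01T09:00:04.210 alice 10.0.0.5 SELECT * FROM orders WHERE customer_id=17",
    "2012-03-01T09:00:11.900 alice 10.0.0.5 UPDATE orders SET status='shipped' WHERE id=42",
]
# Fifty single-row lookups 50 ms apart: a harvesting loop, not a person typing.
_BASE = datetime(2012, 3, 1, 9, 0, 30)
_BOT_LINES = [
    f"{(_BASE + timedelta(milliseconds=50 * i)).strftime('%Y-%m-%dT%H:%M:%S.%f')[:-3]} "
    f"svc_app 10.0.0.9 SELECT * FROM customers WHERE id={i + 1}"
    for i in range(50)
]
SAMPLE_LOG = "\n".join(_HUMAN_LINES + _BOT_LINES) + "\n"


def parse_line(line):
    """Split one audit line into (timestamp, user, client_ip, statement)."""
    ts, user, ip, stmt = line.split(maxsplit=3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%f"), user, ip, stmt


def detect_inhuman_rates(log_text, window_seconds=10.0, max_queries=20):
    """Return one alert per (user, client_ip) whose query count inside a
    sliding window of `window_seconds` ever exceeds `max_queries`.

    Thresholds are assumptions: a person issuing interactive queries rarely
    sustains more than a couple per second, so twenty in ten seconds is a
    generous cap for human sessions yet far below a scripted harvesting loop.
    Lines are assumed to arrive in time order, as an audit trail normally does.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # (user, ip) -> timestamps still inside the window
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, ip, stmt = parse_line(raw)
        key = (user, ip)
        q = recent[key]
        q.append(ts)
        # Evict timestamps that have fallen out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_queries:
            alert = alerts.setdefault(key, {
                "user": user,
                "client_ip": ip,
                "first_seen": ts,            # moment the session crossed the cap
                "peak_queries_in_window": 0,
                "sample_statement": stmt,    # one statement to hand to the analyst
            })
            alert["peak_queries_in_window"] = max(alert["peak_queries_in_window"], len(q))
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_inhuman_rates(SAMPLE_LOG):
        print(f"{a['user']}@{a['client_ip']}: {a['peak_queries_in_window']} queries "
              f"in one window, first crossed cap at {a['first_seen'].isoformat()}")
```

In this sample only the `svc_app` session trips the check; Alice’s three queries never come close. A production control would key the window on the session rather than on user and IP, tune the cap per application account (batch jobs legitimately run fast), and feed the alert into a blocking decision rather than a print statement, but the sliding-window count is the whole idea.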
What if companies took some of the billions spent on antivirus and put it towards employee education? Companies could also consider newer technologies. Our report on Anonymous highlighted the successful role a web application firewall played in thwarting data theft and DDoS. What if just a small fraction of companies with transactional websites rebalanced a portion of security spend on WAFs to minimize data breaches? (Yes, I work for a WAF vendor but I don’t need to visit a confessional having made the previous statement).
The security industry—companies and analysts—prefers inertia, keeping antivirus spend exactly where it is. But their motivations aren’t sinister. It’s much more complicated than that.
In 2010, Harvard Business School professor Richard Tedlow published a book, Denial, about companies who fail to see critical shifts in their markets. In it, he explains that “Denial is more endemic to older firms because it so often results from stubborn adherence to a once-accurate perception of reality that has gradually become obsolete. In the words of John Kenneth Galbraith, one's view of the world ‘remains with the comfortable and the familiar, while the world moves on.’” One security analyst gives us a perfect illustration:
Yes, we need new layers of defense but we would be well served to take better advantage of the technologies already in place before running for the new security thing.
Meanwhile, the world moves on. Our Anonymous report explained how hacktivists don’t rely on malware. Nonetheless, I was criticized for “hyperbole” when I called antivirus “useless.” In the case of hacktivism, however, antivirus is useless. As we point out in the report, hacktivists merely mimic the approach deployed by for-profit hackers. And when it comes to private hackers and malware, the 2010 Verizon report explained how customized evasion has been commoditized and become “more accessible to an ever-increasing pool of criminals by an extensive ‘malware-as-a-service’ market. We find it hard to foresee anything but trouble here for the good guys.” [Emphasis mine.]
Tedlow’s book details denial with mostly “old school” companies, such as Sears. Denial in the security industry, however, is exponentially more complicated. Sears only had to deal with fickle consumers. In security, in addition to buyers, we must throw adversaries into the mix who are—by definition—early adopters and innovators. This dynamic makes any stock volatility look downright docile.
If our stocks performed this badly, financial advisors would be lightning quick to suggest shifting investments.
Time to rebalance your software security portfolio.