The security industry is awash in guilt over the failure to stop hackers. RSA chairman Arthur Coviello said “security vendors and practitioners need to shift their strategies beyond signature and perimeter-based defenses and collaborate to develop and adopt new intelligence-based approaches to information security”.
And this mea culpa follows another one from McAfee who wrote in an August 2011 report, “The security industry may need to reconsider some of its fundamental assumptions, including 'Are we really protecting users and companies?’”
One reason for the guilt trips? The inadequacy of anti-virus.
Today, the enterprise desktop security software spend is $3.4bn worldwide. Consumers will spend even more – nearly $5bn – on anti-virus this year. However, new virus detection remains quite low. For example, one of the most prominent virus kits – the Blackhole exploit – was missed by 30% of anti-virus packages. In other words, out of nearly $8bn in spending, at most around $2.4bn is spent with some efficacy. That’s a lot of wasted money.
As many of us in security know, evading anti-virus is not complicated. In fact, virus evasion is a growing industry unto itself. In 2010, the ‘Verizon Data Breach Investigations Report’ observed, “This year nearly two-thirds of malware investigated in the Verizon caseload was customized – the highest we have ever seen.” Translation: malware/virus writers know that evasion is the name of the game. The individual behind RankMyHack.com had this interesting perspective on anti-virus.
The big money comes from silent espionage, viruses that do nothing but silently record your keystrokes and send them to a remote location, or viruses that in one blast steal all the information stored in your browser cookies.
To be clear, anti-virus is needed. But the important thing is to stop wasting so much time and – more importantly – money on products whose rate of return is so poor.
So what should companies and consumers do? Rebalance their portfolios.
In finance, when stocks over- or underperform, you dump them for other investments to adjust your risk. Today, anti-virus is an underperforming asset that deserves rebalancing. I can’t speak for everyone, but we see more customers operating on the assumption that anti-virus will fail. One of our customers relies on database security controls to monitor and block aberrant access to sensitive data (e.g., malware accesses databases at inhuman speeds, so it should be blocked). How many more such companies exist? I’m not sure. But it’s a safe bet that their numbers increase daily.
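The rate-based control described above, as an added example that is not from the original post or from any vendor's product: it reads a constructed database access log and flags accounts that query sensitive tables faster than a person plausibly could, which is the signal a blocking control would act on. The log format, table names, window length and threshold are all assumptions chosen for illustration.

```python
"""Rate-based detection of inhuman database access.

Added example, not from the original post or from any vendor product:
flags database accounts whose query rate against sensitive tables exceeds
what a human operator could plausibly produce. The log format, table names,
window and threshold below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed set of tables holding data worth protecting.
SENSITIVE_TABLES = {"customers", "cardholders", "credentials"}
WINDOW = timedelta(seconds=10)   # sliding window length (assumed)
HUMAN_QUERY_CEILING = 30         # sensitive queries per window a person might issue (assumed)


def parse_line(line):
    """Parse one constructed log line: '<ISO timestamp> <db_user> <table> <statement>'."""
    ts, user, table, stmt = line.split()
    return datetime.fromisoformat(ts), user, table, stmt


def detect_inhuman_access(lines, window=WINDOW, limit=HUMAN_QUERY_CEILING):
    """Return {user: timestamp} for each account that exceeded `limit` sensitive
    queries inside any `window`-long span; the timestamp is the query that
    tipped it over, i.e. the point at which a blocking control would act."""
    recent = defaultdict(deque)  # user -> timestamps of recent sensitive queries
    flagged = {}
    for line in sorted(lines, key=lambda l: parse_line(l)[0]):
        ts, user, table, _ = parse_line(line)
        if table not in SENSITIVE_TABLES:
            continue                      # non-sensitive tables are not rate-limited here
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:         # drop queries that fell out of the window
            q.popleft()
        if len(q) > limit and user not in flagged:
            flagged[user] = ts
    return flagged


def should_block(user, flagged):
    """Policy hook: a flagged account is denied further access to sensitive tables."""
    return user in flagged


def build_sample_log():
    """Constructed sample: two people browsing at human pace and one account
    pulling a sensitive table at ten queries per second."""
    base = datetime(2011, 9, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=s)).isoformat()} alice customers SELECT"
             for s in (0, 4, 9, 15)]
    lines += [f"{(base + timedelta(seconds=s)).isoformat()} bob orders SELECT"
              for s in (1, 6)]
    lines += [f"{(base + timedelta(seconds=60, milliseconds=100 * i)).isoformat()} "
              f"svc_web cardholders SELECT" for i in range(120)]
    return lines


if __name__ == "__main__":
    hits = detect_inhuman_access(build_sample_log())
    for user, when in hits.items():
        print(f"block {user}: exceeded {HUMAN_QUERY_CEILING} sensitive queries "
              f"in {WINDOW.total_seconds():.0f}s at {when.isoformat()}")
```

The window and ceiling are the tuning knobs: a human browsing a record at a time stays well under the limit, while a scraping process trips it within seconds of starting, before most of the table has been read. A production control would key on the session or source address as well as the account, since malware typically runs under a legitimate user's credentials.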
What if companies took some of the billions spent on anti-virus and put it toward employee education? Companies could also consider newer technologies. Our report on Anonymous highlighted the successful role a web application firewall played in thwarting data theft and DDoS. What if just a small fraction of companies with transactional websites rebalanced a portion of security spend on WAFs to minimize data breaches? (Yes, I work for a WAF vendor, but I don’t need to visit a confessional having made the previous statement).
The security industry – companies and analysts – prefers inertia, keeping anti-virus spending exactly where it is. But their motivations aren’t sinister. It’s much more complicated than that.
In 2010, Harvard Business School professor Richard Tedlow published a book, Denial, about companies that fail to see critical shifts in their markets. In it, he explains that “Denial is more endemic to older firms because it so often results from stubborn adherence to a once-accurate perception of reality that has gradually become obsolete. In the words of John Kenneth Galbraith, one's view of the world ‘remains with the comfortable and the familiar, while the world moves on.’”
Yes, we need new layers of defense, but we would be well served to take better advantage of the technologies already in place before running for the new ‘security thing’.
Meanwhile, the world moves on. Our Anonymous report explained how hacktivists don’t rely on malware. Nonetheless, I was criticized for “hyperbole” when I called anti-virus “useless.” In the case of hacktivism, however, anti-virus is useless.
As we point out in the report, hacktivists merely mimic the approach deployed by for-profit hackers. And when it comes to private hackers and malware, the 2010 Verizon report explained how customized evasion has been commoditized and become “more accessible to an ever-increasing pool of criminals by an extensive ‘malware-as-a-service’ market. We find it hard to foresee anything but trouble here for the good guys.” [Emphasis mine.]
What we are seeing reminds me of Keith Richards during the height of his drug addiction: “I've never had a problem with drugs. I've had problems with the police.”
Tedlow’s book details denial with mostly “old school” companies, such as Sears. Denial in the security industry, however, is exponentially more complicated. Sears only had to deal with fickle consumers. In security, in addition to buyers, we must throw adversaries into the mix who are – by definition – early adopters and innovators. This dynamic makes any stock volatility look downright docile.
If our stocks performed this badly, financial advisors would be lightning-quick to suggest shifting investments.
Time to rebalance your software security portfolio.
Rob Rachwald is the director of security strategy at Imperva.