A Case of Double-Dipping
For companies such as Symantec, which sells the Sana-powered Norton AntiBot and anti-malware subscriptions, it's a nickel-and-dime situation.
Symantec officials say Norton AntiBot is for a specialized, technical market segment looking for high-end tools to deal with botnets, but Jaquith said it's a case of anti-malware companies double-dipping. "Ultimately, it's hard for an enterprise to justify paying twice for botnet protection when they're already paying for anti-malware protection," he said. "You can make the argument that anti-botnet can be intrusion and extrusion detection and pay for that as a separate layer of defense, but even that's a bit of a stretch."
John Mitchell, professor of computer science at Stanford University and co-director of the Stanford Computer Security Lab, said there has been a noticeable shift in the types of emerging zero-day malware threats, which now result in identity theft, computer crashes and drive-by malware downloads.
"Current technologies are slow to adapt," Mitchell said, suggesting there's a legitimate need for newer, more powerful products capable of disrupting botnet activities.
Dan Geer, vice president and chief scientist at Verdasys, said traditional anti-virus technologies "have peaked" and are unable to cope with the rapid pace of sophisticated virus payloads. "I don't think anti-virus protection can get better than it is today. The problem with that is that, when anti-virus fails, the effects of a successful attack are difficult to reverse," Geer said.
This is where anti-botnet tools come in, said Tripp Cox, Damballa vice president of engineering. The 25-employee company has raised about $8 million and has introduced two enterprise-facing products that promise protection from bot armies.
Damballa's products, which include an in-the-cloud monitoring component that runs alongside sensors deployed on corporate networks, are designed to identify and isolate the traffic between compromised drones and the command-and-control servers on the Internet that pass instructions to the hijacked machines.
"The threat itself is no longer just a virus or a piece of spyware. It's a multi-network, multi-faceted type of threat," Cox said. "There are multiple command-and-controls and multiple attack capabilities. You really can't depend on anti-virus protection anymore. If you are running a business, you need a combination of multiple security tools. Signature-based anti-virus serves an important purpose, but you can't look at bot armies the same way you look at a virus attack. There are bots that can update themselves every 30 minutes. You can't expect signature-based anti-malware on a desktop to be effective against that."
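The network-side approach described above, spotting the check-in traffic between a compromised host and its controller rather than matching a signature on the desktop, can be illustrated with a small detector. The following is an added example written for this page; it is not Damballa's code or the product's actual method. It assumes a constructed log of outbound connection records (`timestamp source destination:port`), groups them per source-destination channel, and flags channels whose inter-connection gaps are regular enough to look like a scheduled check-in, such as the 30-minute update cycle Cox mentions. The thresholds `min_events` and `max_cv` are illustrative choices, not values from the page.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (not real traffic). 10.0.0.5 checks in with the same
# destination every ~30 minutes with a few seconds of jitter, which is what a
# scheduled bot update looks like on the wire; 10.0.0.9 is irregular browsing.
SAMPLE_LOG = """\
2007-08-01T09:00:02 10.0.0.5 203.0.113.7:443
2007-08-01T09:04:10 10.0.0.9 198.51.100.20:80
2007-08-01T09:30:05 10.0.0.5 203.0.113.7:443
2007-08-01T09:31:44 10.0.0.9 198.51.100.21:80
2007-08-01T09:59:58 10.0.0.5 203.0.113.7:443
2007-08-01T10:17:03 10.0.0.9 198.51.100.20:80
2007-08-01T10:30:01 10.0.0.5 203.0.113.7:443
2007-08-01T10:30:40 10.0.0.9 198.51.100.22:80
2007-08-01T11:00:04 10.0.0.5 203.0.113.7:443
2007-08-01T11:02:15 10.0.0.9 198.51.100.20:80
2007-08-01T11:29:59 10.0.0.5 203.0.113.7:443
2007-08-01T11:58:30 10.0.0.9 198.51.100.20:80
"""


def parse_records(text):
    """Parse 'timestamp src dst:port' lines into (epoch_seconds, src, dst)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
        records.append((when.timestamp(), src, dst))
    return records


def find_beacons(text, min_events=5, max_cv=0.15):
    """Return {(src, dst): {count, period_s, cv}} for channels whose connection
    timing is regular: the coefficient of variation (stdev / mean) of the gaps
    between consecutive connections is at or below max_cv. Human-driven traffic
    to the same destination has a much larger cv."""
    by_channel = defaultdict(list)
    for epoch, src, dst in parse_records(text):
        by_channel[(src, dst)].append(epoch)

    beacons = {}
    for channel, times in by_channel.items():
        if len(times) < min_events:      # too few samples to judge regularity
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        mean = statistics.fmean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons[channel] = {
                "count": len(times),
                "period_s": round(mean, 1),
                "cv": round(cv, 4),
            }
    return beacons


def hosts_to_isolate(text, **thresholds):
    """Sources that own a flagged channel: candidates for quarantine while the
    destination is investigated as a possible command-and-control server."""
    return sorted({src for src, _dst in find_beacons(text, **thresholds)})


if __name__ == "__main__":
    for (src, dst), info in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['count']} connections, "
              f"period {info['period_s']}s, cv {info['cv']}")
    print("isolate:", hosts_to_isolate(SAMPLE_LOG))
```

Run as written, it flags only the 10.0.0.5 to 203.0.113.7:443 channel (period about 1799 seconds) and leaves the browsing host alone. The caveat a practitioner should keep in mind is that this periodicity check is the simplest possible form of the idea: a bot that randomizes its sleep interval, rotates among many controllers, or checks in only every few days will not show up as a tight cluster of gaps, which is why products of this kind combine local sensors with broader, out-of-network visibility rather than relying on one host's timing alone.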
For Damballa, NovaShield and the venture capital firms pumping money into anti-botnet solutions, that's the marketing message.