The recent surge in malware attacks against zero-day flaws in some of the most widely used software packages is confirmation of an IT administrator's worst nightmare: stand-alone, signature-based anti-virus software offers no protection from sophisticated online criminals.
During 2006, there was a wave of zero-day attacks against Microsoft Office applications—through vulnerabilities known only to the attackers—that bypassed all anti-virus protection at the network and desktop level. Because traditional anti-virus technology depends on the ability to quickly capture malware samples, reverse the code for the specific characteristics, and then write and release detection signatures, the zero-day attack presents a major dilemma.
“Signatures have been dead for a long time now,” said Roger Thompson, an anti-virus pioneer who now runs the Atlanta-based Exploit Prevention Labs, in an interview with eWEEK. “[Attackers] use new packers or tweak their code so that it's different enough to bypass signatures for a short while. By the time you get a signature out, it's too late. They've already hit enough targets.”
The death of stand-alone, signature-driven anti-virus software has forced incumbent security software vendors to reshape their product lineups. Industry heavyweights such as Symantec, McAfee and Trend Micro are all rolling out converged suites, offering multiple capabilities including anti-spyware, personal firewall and endpoint policy enforcement, with intrusion prevention as the foundation.
In Moscow, the state of security is not lost on Eugene Kaspersky, founder and chief technologist at Kaspersky Lab, a privately held, 700-employee outfit.
“We're already there,” Kaspersky declared, when confronted with the anti-virus eulogies. “There are no stand-alone anti-virus products anymore. It's now anti-everything. You have to do things like behavior blocking and heuristic detections and add anti-spam, anti-spyware, anti-rootkit capabilities to your software,” Kaspersky said in an interview with eWEEK.
Kaspersky, a former military officer who founded the company in 1997 and oversaw its expansion into the United States, Europe and Asia, said he still believes there's value in the ability to respond to malware outbreaks in real time.
“We're losing this game with computer criminals. There are just too many criminals active on the Internet underground, in China, in Latin America, right here in Russia. We have to work all day and all night just to keep up,” Kaspersky said.
In a room full of flat-screen monitors, Kaspersky shows off his “woodpeckers,” a youthful crew of virus hunters responsible for tracking computer threats in real time and working around the clock to write and ship signatures to millions of computer users.
This is the company's secret sauce: its highly touted ability to ship anti-virus signatures every hour on the hour, seven days a week, 365 days a year.
“We just can't depend on signatures,” Kaspersky said. “You need information backup, you need parental controls, you need anti-phishing. It's a different world today. Ten years ago, we were fighting against smart kids who hacked as a hobby. Now, we're dealing with criminal gangs that control your computer to make money. Different world, different protections.”
The new protection suites must also feature data leak prevention and patch and configuration management; be bundled in a single console; and, more important, be sold at heavily reduced prices.
“This has been a great party while it lasted,” said Jon Oltsik, an analyst with Enterprise Strategy Group. “These guys have been making money hand over fist, but things are changing. Customers are demanding more, and the [security companies] are now living in a competitive, lower-market world.”
Oltsik said he believes the security improvements in Windows Vista and Microsoft's aggressive approach to selling its enterprise and consumer security offerings—directly and via the channel—will definitely affect smaller players such as Kaspersky Lab, but, in a discussion with eWEEK, he stressed that the bigger incumbents will feel it even more.
“I don't think anyone should be underestimating Microsoft,” Oltsik said, pointing out that the company has pushed into the markets through acquisitions of Sybari for enterprise-grade anti-virus and Giant Company Software for anti-spyware and real-time malware protection.
Sybari has undergone a major makeover and is being rebranded as Microsoft Forefront; Giant's technology is now powering Microsoft's Windows Defender software.
Strategy for Growth
In an interesting twist, Microsoft resells Kaspersky Lab's anti-virus scanner to enterprise customers as part of Forefront's multiscanner strategy. The Kaspersky Lab anti-virus kernel also is integrated in products sold by a range of IT vendors, including Aladdin Knowledge Systems, F-Secure, G Data Software, Deerfield, Alt-N Technologies, Microworld and Borderware.
This puts Kaspersky Lab in the unique position of competing against its OEM partners. As a differentiator, Kaspersky said the company is shipping the new Version 6.0 engine in its own product suite and is licensing the 5.0 version to partners.
“I think you'll see Microsoft being very aggressive on pricing. It will push prices down throughout the sector,” Oltsik said.
According to data from research company Gartner, the global market for computer security protection could top $10 billion in 2007, making it a lucrative target even for Microsoft.
On the consumer side, Microsoft's OneCare security suite is struggling to gain a foothold, despite the company's heavy investments in virus research. In a research note released in January 2006, Piper Jaffray analyst Gene Munster used NPD Group retail sales data to show Microsoft's security suite has less than 1 percent market share.
“While OneCare's exact market share is debatable, it's safe to conclude that OneCare's market share is fractional at best,” Munster said.
This comes as a big surprise to John Pescatore, a Gartner analyst. “Microsoft spent three years building this product, investing heavily in the technology, but it doesn't appear they are spending any money to market the product. I've seen television ads for the Zune, but I can't recall seeing an ad for OneCare,” Pescatore said in an interview with eWEEK.
Natalya Kaspersky, who keeps a close watch on the company's day-to-day operations in the United States, United Kingdom, France, Germany, the Netherlands, Poland, Japan and China, shrugged aside suggestions that Microsoft will use its marketing might to roll over rivals and painted a picture of a company on the rise, building out new technologies and pushing into new markets.
One such rollout is InfoWatch, a Kaspersky Lab subsidiary headed by Andrey Nikishin that offers a multilayered approach to data leak detection and prevention. Founded in 2003 and launched primarily in the Russian market, InfoWatch provides monitoring software for e-mail, Internet and Web usage, mail storage, and mobile devices.
The company is positioning InfoWatch as technology to help businesses manage compliance requirements and track internal data theft, even from mobile devices.
Nikolai Grebennikov, deputy director in Kaspersky Lab's department of innovative technologies, said Kaspersky Lab's new Internet Security 6.0 software will hold its own against the competition. “We have the best virus detection rates and the fastest response time to new threats. We do hourly updates and support more than 1,200 formats of archives and compressed files,” said Grebennikov.
Grebennikov said the company has worked hard on improving scan speeds and system loads by scanning new and modified files only, caching data from previous scans, and suspending scanning in case of increased user activity.
The new security suite also has been fitted with a new system for anti-virus scanning of compound objects, optimizing system performance.
This helps to address a long-standing complaint that anti-virus software with multiple executables eating away at system resources is an impediment to proper computer usage.
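The scan-only-what-changed approach Grebennikov describes, as an added illustration (not Kaspersky Lab's code): a scanner that caches each file's verdict keyed on its size and modification time, re-reads only new or modified files, and, going one step beyond the text, invalidates cached "clean" verdicts whenever the signature set is updated, since hourly signature updates would otherwise never reach files already marked clean. The signature set and the known-bad sample are constructed placeholders.

```python
import hashlib
import os

# Constructed sample: one "known-bad" byte string and its SHA-256 stand in for a
# signature database (no real malware hashes here).
BAD_CONTENT = b"CONSTRUCTED-BAD-SAMPLE"
SIGNATURES = {hashlib.sha256(BAD_CONTENT).hexdigest()}


class IncrementalScanner:
    """Scan only new or modified files; reuse cached verdicts for unchanged ones.
    A verdict is reused only if (size, mtime_ns) is unchanged AND it was produced
    with the current signature set: after a signature update every file is re-scanned."""

    def __init__(self, signatures):
        self.signatures, self.sig_version = set(signatures), 0
        self.cache = {}  # path -> ((size, mtime_ns), sig_version, infected)

    def update_signatures(self, signatures):
        # Bumping the version makes every cached entry stale on the next scan.
        self.signatures, self.sig_version = set(signatures), self.sig_version + 1

    def _scan_file(self, path):
        # Full read: hash-match against the signature set (a stand-in for real scanning).
        h = hashlib.sha256()
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                h.update(chunk)
        return h.hexdigest() in self.signatures

    def scan_dir(self, root):
        """Return (infected_paths, files_scanned, files_skipped)."""
        infected, scanned, skipped = [], 0, 0
        for dirpath, _, names in os.walk(root):
            for name in names:
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                key = (st.st_size, st.st_mtime_ns)
                entry = self.cache.get(path)
                if entry and entry[0] == key and entry[1] == self.sig_version:
                    skipped, verdict = skipped + 1, entry[2]  # unchanged: reuse verdict
                else:
                    verdict = self._scan_file(path)           # new/modified: read it
                    self.cache[path] = (key, self.sig_version, verdict)
                    scanned += 1
                if verdict:
                    infected.append(path)
        return sorted(infected), scanned, skipped
```

The (size, mtime) key is a speed trade-off, not a security boundary: anything that can forge timestamps can hide a modification from it, which is one reason real products also hook file writes rather than relying on a stat-based cache alone.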
Another big addition, Grebennikov said, is rootkit detection and removal. He said new proactive detection technology will block hidden objects (stealth rootkits), keystroke loggers, buffer overflow attacks, data execution attacks and backdoors that turn infected machines into zombies in botnets.
“These integrated threats are the scariest,” Grebennikov added. “Anytime you find malware that's using rootkit techniques to hide, you have to get really nervous. Some of these threats are very, very sophisticated.”