Who’s killed the virus?

The shift towards targeted attacks for financial gain has left viruses behind — there are more efficient ways to exploit users. But the antivirus market is still thriving, with billions of dollars being spent on the latest security software. Eliot Beer reports on the future of the virus and the steps that security-conscious users should take.

By Eliot Beer. Published November 19, 2006

Photo: Trend Micro’s MEA managing director Justin Doo says: “There’s still a high degree of expectancy that AV will protect you.”

Gone are the days when an enterprise, or any user of a PC connected to the internet, could install a straightforward antivirus (AV) product on each machine and sit back, safe from attacks. Viruses, at least in the strict, traditional sense, are in decline; the only reason the decline is not yet terminal is the steady stream of new variants of existing viruses that appears daily. In the strict definition, a virus must be able to replicate and execute itself; most worms and Trojans do not qualify (although the line between some worms and classic viruses is thin).

The reason behind the decline of the virus can be expressed in one word: money. “Who killed the virus? Criminals killed the virus,” says Justin Doo, managing director for the Middle East and Africa (MEA) at Trend Micro. The rise of criminal gangs using malware for financial gain is probably the single biggest cause of the fall in infection rates and in the release of new viruses. Instead of infecting as many machines as possible, malware writers now focus on compromising smaller numbers of PCs for specific purposes. The trend is pervasive: the IBM Global Business Security Index, released earlier this year, named financial gain as the number one motive for cyber criminals.

“Has antivirus met its realistic end? The honest answer is yes, if we’re looking at pure-play AV,” says Trend’s Doo. “Looking back five or six years ago, and where the AV industry was then compared to now - we’re no longer able to fight the battle with just an AV solution.” Most other vendors take the same view, and the big AV firms now sell security suites in preference to standalone AV products. Patrick Hayati, regional director of McAfee Middle East, the number two AV firm, is one of the few dissenters.

He says: “There is a view that the traditional virus is disappearing - this is right, and wrong at the same time. There are a lot of variations on the old ones that are appearing - and these need to be addressed as if they were new viruses. There are very few new ideas, new ways to create a virus. “This is why organisations feel more secure today when it comes to virus attacks, because they’re not seeing new names. However, if they stopped doing their updates, they would get harmed, because of the new variations. An average organisation today stops 10 million attacks a month. Our largest client in the Middle East stops more than 100 million attacks a week - mostly viruses.”

Because of this shift away from viruses, even if it is less extreme than some make out, observers expect a degree of consolidation in the AV and security market, as the large players snap up small but innovative firms to bolster their security suites. “Rather than the big vendors relying on development to try and offer these solutions, I think they will start encompassing the niche and visionary players,” says Kevan Reade of Fusion Distribution. “We already see this with people who are not even in security; companies such as EMC and Microsoft are busy buying in security to add to their product ranges. “What I think we’ll find with AV vendors in the future is they will encompass the niche players, to add that technology to their product suites. In five to 10 years, I think we’ll only have three or four big players in the AV market.”

One possibly significant risk, which some security pundits have hinted at recently, is malware - including viruses - engineered against particular AV and security products. The aim is not to attack the application itself, but to make sure the malware slips past it. A market with only a few large vendors makes this easier for virus writers, and correspondingly harder for enterprise security and IT managers.

McAfee’s Hayati is scathing of this view: “I don’t believe the malware writers target security applications - they target verticals, industries, but not applications. And even if they did - and I don’t accept the premise - this would be good news for McAfee, as the virus writers would be going after the number one AV system, which is not us at this moment in time.” The premise certainly has problems, not least that applications are still probably harder to outmanoeuvre than users. While there is an education gap between IT professionals and end users, attackers will always have a reasonably soft entry point into IT infrastructures.

One way to counter attempts to engineer malware past a particular security application is to remove the application from the malware writers’ sight. This is becoming possible with the rise of managed services delivered remotely, rather than the traditional antivirus or security suite installed on client machines. “There is an issue around virus writers targeting only a few big players; but vendors such as McAfee and Symantec are now moving towards managed services,” says Maxim Shirokov, business development manager for the Middle East and Africa at Kaspersky Labs in Russia. “If they can keep their solutions in-house, keep the proprietary solutions, then this will go some way to addressing the problem.”

Photo: Patrick Hayati, regional director for McAfee Middle East, says: “There is a view that the traditional virus is disappearing - this is right, and wrong. An average organisation today stops 10 million attacks a month; our largest client stops 100 million a week.”

Vendor consolidation aside, the shift away from pure AV could leave some enterprises behind, especially those without a dedicated security manager. Trend’s Doo recounts the story of a naïve manager from Saudi Arabia more than a dozen years ago: the executive at a university asked Doo to explain the concept of AV, then asked the price. Doo says: “We told him the price for 200 PCs, and he started to laugh – I’ve never had anybody laugh during a sales presentation, not since I had started. I asked him what was so funny. ‘I find it funny because for this money I can buy five PCs,’ he said. “But if your PC gets infected, you need to protect it, I said. ‘No, no – if that happens, I just throw it away, and get another PC.’”

Doo says he still comes across similar attitudes today: “There’s still a very high degree of expectancy that an AV solution will protect you. I’ve had senior people in organisations here ask me: ‘Why, if we have your AV, why do we still get hit? We’ve paid for this to protect us, you should refund us.’ Because of the way it had been presented to them, as non-technical people, they had an expectancy level that was inappropriate when compared to the investment level.”

Shirokov echoes Doo’s comments: “For organisations without a dedicated person to look after their security strategy, the threat is very real. To a certain degree, yes - they do need to understand that AV is no longer the only threat they’re facing in their IT environment. “I think this is something that will take another couple of years - by then, most people will understand that AV in its wider sense means a little bit more than viruses - it also includes tools to deal with other malicious software, and spyware and spam as well. It also depends on the vendor to explain the situation; if we are confronted with such a problem with a certain customer, Kaspersky has to do its best to explain to them that this product is for these levels and threats.”

On the vendor side of the equation, there are drives afoot to make security easier to handle: more flexible and configurable for IT and network managers, more transparent for end users. This is complicated by the conventional wisdom that organisations should adopt a multi-vendor approach to security, avoiding the single point of failure that comes with an end-to-end solution from one vendor. Sushma Kajaria, business development manager for security at Dubai-based distribution house Online Distribution, points out that this best-of-breed approach can bring problems: “Do enterprises really want to have a complex network security infrastructure, where one change has to be made on 10 different products? I don’t know how manageable that would be.” “The alternative is to go for an end-to-end solution - most enterprises I have seen in the Middle East do go for a single solution from a single vendor,” she adds. “But there are organisations, specifically in Saudi Arabia, which do look for best-of-breed security systems. Looking at verticals, the financial industry goes for best-of-breed solutions, especially in Kuwait and Saudi Arabia. Banks have taken this approach - say Trend Micro at the gateway, CipherTrust handling messaging security, Symantec running client and server.”

Kajaria’s acknowledgement that certain enterprises, particularly large financial organisations such as banks, favour multi-vendor infrastructures because of the nature of their businesses chimes with the orthodox view. But she says one of the key advantages of an end-to-end solution is the ability to manage the security infrastructure from a central console. “Administrators can manage and enforce security policies much more easily - if customers are going for point products, this is something they might lose out on,” she says.

Photo: Sushma Kajaria, business development manager at Online Distribution, says: “Most enterprises I have seen in the region do go for a single solution from one vendor.”

Online Distribution is in a slightly awkward position, in that it represents Trend Micro for antivirus and Juniper for networking. Juniper’s partnership with Symantec has potentially put companies in Online’s position in conflict with their own partners. Kajaria denies this is significant, though. “From Juniper’s point of view, the solutions of the two companies are very complementary,” she says. “This tie-up will definitely give a better choice to the enterprise market for high-performance security solutions, especially Juniper’s UTM (unified threat management) customers. “At Online, we look at the positive side; we look at Juniper and Symantec UTM appliance and firewalls for the gateway, which then gives an opportunity for Trend on the client/server side, and with messaging. I don’t feel Trend is losing out to the Juniper-Symantec tie up at all,” she adds.

Another key trend is the rise of Network Access Control (NAC), a set of technologies and policies that aim to ensure only trusted devices, with up-to-date operating systems and antivirus or security packages, are allowed onto a corporate network. Dr Anton Grashion, EMEA security strategist at Juniper, sees NAC as offering enterprises a serious degree of control. “One of the things about making it more visible to policy makers, but invisible to users, is this huge surge in end-point compliance - there are lots and lots of vendors springing up out there because it is such a hot area,” he says. “How do you make things easy to manage? You drive things with a policy - as soon as someone connects to my network, I’m going to dynamically provision an agent which will check the compliance of the machine - how legal is it, is the user who they say they are? This is where the network is overlapping with the client side. “The last person you want arbitrating on whether their machine should be patched is the user - they should just be doing their job,” he adds. “It’s down to the companies themselves, and therefore the vendors they rely on, to make this happen. “I’d like to see a lot less security, in terms of visibility, but obviously we need a lot more security; because that predator/prey relationship, with the network as the nice juicy antelopes, is not going to change - the predators are not going to go away because we aren’t going to stop making antelopes.”

Trend’s Doo says much the same thing: “Wittingly or unwittingly, the users within a corporate network are proportionately a bigger threat, during certain points of their operational lifespan, than the external threat that we all know about. This is because there is a much more lackadaisical approach to internet security from a corporate perspective, especially when there is an IT department within the organisation in question. “Recent studies have borne out the belief that people are far more likely to take chances with their IT infrastructure as a user, if they know they have a support department to fall back on if it all goes wrong,” he adds.

This raises the question of where organisations should concentrate their AV efforts. With more security and intelligence moving onto the network and away from clients and servers, is there an argument for moving AV purely onto network appliances, removing a number of user-related risks from the equation? Overwhelmingly, vendors say no, and they insist this is not a bid to sell more AV licences. The reason, as Doo and Grashion point out, is that many of the biggest threats to an organisation’s IT systems come from within, and relying on scanning at the network level alone could mean doing a less than thorough job. “Viruses are almost a special case when it comes to security - if you’re just trying to do AV on the network, looking at the network stream, you’ll miss huge amounts of threats,” says Grashion. “Viruses need to be recombined into their component parts - you need to do the compound document dissolve and reconfigure. So I do think you need AV everywhere.”

For now, then, despite a strong drive away from viruses, organisations face a very real risk from virus-borne threats. Between ‘legacy’ viruses roaming and being reissued, and users being less than vigilant about IT security, enterprises need to take care. The virus may have passed on, but its dead hand still has influence today.
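Grashion’s point above, that a scanner watching only the raw network stream misses what an endpoint scanner sees once it has “dissolved” the compound document, can be shown in a few lines. What follows is an added example written for this page, not code from the article or from any vendor it quotes: the signature string, the sample “attachments”, the zip and base64 wrappers, and the depth and size limits are all constructed or assumed for the demonstration, and no real malware is involved.

```python
"""Added example (not from the article): a scanner that only looks at the raw
network stream versus one that first 'dissolves' the compound container.
The signature, the samples and the limits are constructed/assumed."""
import base64
import binascii
import io
import zipfile

# Constructed stand-in for a real AV signature (not real malware).
SIGNATURE = b"ADDED-EXAMPLE-TEST-MARKER"
MAX_DEPTH = 8                   # assumed: how many nested wrappers to open
MAX_MEMBER_BYTES = 10_000_000   # assumed: refuse to inflate larger members


def scan_stream(data: bytes) -> bool:
    """Network-style scan: match the signature against bytes as they pass."""
    return SIGNATURE in data


def scan_unpacked(data: bytes, depth: int = 0) -> bool:
    """Endpoint-style scan: match, then unpack zip/base64 wrappers and rescan.
    Returns True when the signature is found or the data cannot be inspected
    safely (fail closed), False when it looks clean."""
    if depth > MAX_DEPTH:
        return True                      # too deeply nested to inspect: block
    if SIGNATURE in data:
        return True
    if data[:4] == b"PK\x03\x04":        # zip local-file header
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER_BYTES:
                        return True      # possible zip bomb: do not inflate
                    if scan_unpacked(zf.read(info), depth + 1):
                        return True
        except zipfile.BadZipFile:
            return True                  # corrupt archive: cannot inspect
        return False
    # MIME-style base64 body: drop line breaks, decode strictly, rescan
    try:
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
    except (binascii.Error, ValueError):
        return False                     # not base64: nothing more to open
    if decoded and decoded != data:
        return scan_unpacked(decoded, depth + 1)
    return False


def build_samples() -> dict:
    """Constructed 'attachments' carrying the marker inside different wrappers."""
    body = b"Quarterly invoice attached. " * 6 + SIGNATURE + b"\n"
    stored, deflated = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(stored, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("invoice.doc", body)
    with zipfile.ZipFile(deflated, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.doc", body)
    return {
        "plain": body,
        "stored_zip": stored.getvalue(),      # member bytes kept verbatim
        "deflated_zip": deflated.getvalue(),  # member bytes compressed
        "base64_zip": base64.encodebytes(deflated.getvalue()),  # MIME-style
    }


def compare(samples: dict) -> dict:
    """Map sample name -> (seen by stream scan, seen by unpacking scan)."""
    return {name: (scan_stream(d), scan_unpacked(d)) for name, d in samples.items()}


if __name__ == "__main__":
    for name, (stream, unpacked) in compare(build_samples()).items():
        print(f"{name:13s} stream={stream!s:5s} unpacked={unpacked}")
```

Run directly, it prints the four comparisons: the stream scanner sees the marker in the plain body and in the uncompressed (stored) zip, where the member bytes pass verbatim, but not once the member is deflated or the archive is base64-encoded as a mail attachment, while the unpacking scanner catches all four. The two fail-closed branches (over-deep nesting, oversized or corrupt archives) are the example’s own choice of how a cautious scanner treats what it cannot open; a real engine handles many more container formats, and that unpacking is exactly what a scanner looking only at packets does not do.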
