Companies Defect as Anti-virus Software Struggles with Worms

The latest threats have companies reconsidering their anti-virus tools, wondering if AV is becoming irrelevant. Increasingly, companies are looking at application-level personal firewalls and all-in-one gateway hardware for PCs.

Can anti-virus software providers protect companies against today’s most pervasive threats? Here’s the problem: Anti-virus software is excellent at stopping viruses, and after a new virus appears, patches usually follow within 24 hours. However, companies today have plenty of other concerns, from worms and Trojan code to spyware. Stopping each type of threat requires a different approach.

Given the rapid spread of new vulnerabilities of late, more and more companies are asking whether PC anti-virus software is the answer to their business-disruption problems. Some companies, fed up with the problems, have issued ultimatums to their anti-virus vendors, while others have already defected, reports analyst Jim Hurley, vice president of security and privacy at Boston-based Aberdeen Group. Security Strategies spoke with him about anti-virus tools today, and whether they're still the medicine companies need.

Are anti-virus companies slow to the game when it comes to newer types of threats?

Oh, yeah. That’s why an awful lot of businesses have continuously suffered over the last year or two—because the game has changed. It went from a virus that was essentially a payload activated off a disk to something that is rapidly spread over the world over common network protocols by worms, with the payload being able to then find additional network routes to other locations to infect other devices and keep the cycle going.

[Yet] a lot of anti-virus vendors are still looking at it from a “How do we scrub the payload?” perspective instead of a “How do we avoid introduction of the worm altogether?” perspective. It’s a different problem that requires something other than payload scrubbing. That’s [the problem] we’ve seen in the [past week], with this new so-called virus [MyDoom].

Are these newer threats really the responsibility of anti-virus companies?

Customer perspective is, “My business is being disrupted.” [In one case,] they lost a lot of money because their customers weren’t just down the street, but over the Internet. We know of another client, a sales organization, that was down for five days and they lost a lot of money because their business depends upon turns [sales].

It’s an interesting dilemma that companies find themselves in, because on the one hand they want to use the ability of the Internet and network protocols to reach out to their customers, and to more rapidly respond to customer requirements. The business need is real. The problem is that there seems to be a cognitive dissonance between the application controls, policies, and procedures we have in place for combating potential business disruption.

So the real question I’m asking is, is the current solution being delivered to market relevant for the relevant problem?

What drove you to ask that question?

One of the consistent things we’ve seen over the last year and a half with our corporate clients is this growing concern about whether anti-virus is going to keep up with the new business disruptions they’re facing from worms. Their response was that the anti-virus just wasn’t cutting it. It got so bad midway through last year that some of our clients gave ultimatums to their anti-virus suppliers—[fix it] or lose their business. That was really … a wake-up call.

What exactly did companies ask their anti-virus suppliers to fix?

They were asking their trusted suppliers to help them out. It wasn’t necessarily "is this technology better than another," though for some companies that we’d worked with, they’d already made the decision that anti-virus suppliers were not going to help them out. That’s why they went and installed [other software and hardware].

What did companies turn to when moving beyond anti-virus?

We’ve seen a great deal of uptake for application-level personal firewalls for PCs. Some … are only deployed on a PC, others are a combination of a software agent that’s very lightweight, with the control logic back on a server somewhere. [Also] we’ve seen a great deal of uptake on anti-spyware, and gateway-based, multifunction [boxes] that include such things as anti-virus, anti-spam, content filtering; the list just goes on and on.

Is there a sea change toward all-in-one, gateway hardware?

I wouldn’t call it a sea change, but it’s definitely been a direction. There are a number of motivations—there might be reduced labor costs, without having to go to every PC and keep it updated. One of the consistent problems we’ve found is no matter what companies do, users disable the security software on their PC. So whether the ability to filter for a virus or worm is put in a gateway is almost a secondary issue. The most important is, where are the relevant or most recent updates stored, and we’ve seen them stored at a gateway. [This isn’t] just from a security standpoint; it’s just easier to try and manage things from a central location rather than try to get out to every location.

Could all-in-one gateways radically improve organizations’ security?

I think that’s too hopeful … there’s still real value in anti-virus. Because if a [PC] is dead, you still need to recover it, and that’s fundamentally the real value anti-virus offers today. Because if there is a real problem that does damage the system, you might be forced as a matter of recourse to put a boot floppy in to get it up and running.

We saw that last year with a lot of the worms; a lot of organizations were having to [visit sites] or instruct [onsite] people in recovery. We know of one retail company supposedly in the business of serving customers that couldn’t because the systems were down. They had to fly the floppy in and walk it [from computer to computer]. Hoping that centralization is going to be the panacea is … a mirage. But [that approach] is cost-effective … [even though] it might not have anything to do with reality in terms of [lower] risk.

If anti-virus vendors pushed out updates more quickly, would that help?

The problem is not whether the anti-virus suppliers catch it quickly; normally they do … in the first 24 hours. The big suppliers at least have done a good job of creating an update network that pushes out updates to clients—consumers or companies—quickly.

The problem you get into is how quickly does a consumer and a corporation get to take advantage of that? If you’re in a corporate setting with 2,500, 10,000, or 50,000 desktops, the ability to get that stuff out is going to take some time. We’ve found that a lot [of companies] figure on a seven-day turnaround time. There’s a latency for them to get it out and update it.

So where do anti-virus vendors need to go?

I’ll beg off that question. We’re not trying to make a happy marriage for any one party or the other.

Do you recommend companies employ personal firewall software?

There are a lot of approaches. One is adding a PC firewall. We’ve seen that work. Another alternative is putting a gateway multifunction device in front of your mail server that combines anti-virus, anti-spam, a whole bunch of things; we’ve seen that work.

A third approach that we’ve seen work—and this is an interesting one—is network traffic analysis that occurs between the PC devices and the servers for a given kind of application. I don’t know what you call it, there isn’t [one] product name, but there are different products targeting different aspects of the [traffic analysis] equation.

How does it work?

For e-mail [for example] there is a typical set of profiles for network protocols that occur for different kinds of mail operations, and when those network protocols and services deviate considerably from a typical protocol, it tends to indicate that there’s something amiss in the environment. That allows an organization to be immediately notified there’s something wrong, [then] to investigate it, [then] to see if they need to throttle something back to cut it off. We’ve seen organizations move to the next step where if they’ve identified a [problem] they proactively block it.
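The traffic profiling Hurley describes, as an added example that is not from the interview or from any vendor product: build a baseline of how many distinct SMTP destinations each workstation talks to per minute, flag hosts that deviate considerably from it, and map the deviation onto the notify/throttle/block escalation. The flow records, host names, relay addresses and the escalation ratios are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records, not real traffic. Format: "<minute> <host> <proto> <dest_ip>".
# Baseline: five workstations relay mail through the corporate server (assumed
# 10.0.0.25); ws1 also uses a second relay (10.0.0.26) on even minutes.
BASELINE = [f"{m} ws{h} SMTP 10.0.0.25" for m in range(10) for h in range(1, 6)]
BASELINE += [f"{m} ws1 SMTP 10.0.0.26" for m in range(0, 10, 2)]
# Recent window: ws2 suddenly opens SMTP sessions to 40 distinct outside hosts in
# one minute, the mass-mailing shape a worm produces. Non-SMTP lines are ignored.
RECENT = ["10 ws1 SMTP 10.0.0.25", "10 ws1 SMTP 10.0.0.26", "10 ws3 HTTP 198.51.100.7"]
RECENT += [f"10 ws2 SMTP 203.0.113.{i}" for i in range(1, 41)]


def profile(lines):
    """Return {host: [distinct SMTP destinations in each observed minute]}."""
    dests = defaultdict(set)
    for line in lines:
        minute, host, proto, dest = line.split()
        if proto == "SMTP":                    # only the mail profile matters here
            dests[(host, minute)].add(dest)
    per_host = defaultdict(list)
    for (host, _), d in dests.items():
        per_host[host].append(len(d))
    return per_host


def anomalies(baseline_lines, recent_lines, k=3.0, floor=5):
    """Flag hosts whose distinct-destination count exceeds the baseline profile
    (mean + k * sigma, never below `floor` so a flat baseline cannot alert on noise)."""
    counts = [c for lst in profile(baseline_lines).values() for c in lst]
    threshold = max(floor, mean(counts) + k * pstdev(counts))
    flagged = {}
    for host, lst in profile(recent_lines).items():
        worst = max(lst)
        if worst > threshold:
            flagged[host] = worst
    return flagged, threshold


def recommend(count, threshold):
    """Assumed escalation policy: notify -> investigate/throttle -> block."""
    ratio = count / threshold
    if ratio <= 2:
        return "notify"
    if ratio <= 5:
        return "throttle"
    return "block"


if __name__ == "__main__":
    flagged, thr = anomalies(BASELINE, RECENT)
    for host, n in flagged.items():
        print(f"{host}: {n} distinct SMTP destinations/min (threshold {thr}) -> {recommend(n, thr)}")
```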

Many companies seem to regard spam as a security issue; is that part of the trend you’ve outlined here?

Spam is a business disruption issue. There are threats [related to] active code that might have to do with spam, but at that point you’re on the far common reaches of the problem.

From a technology perspective, the commonality between spam and anti-virus is very interesting, because the [pattern-matching principles employed to stop it] work on the same technology principle. And you’re [also] dealing with business disruption.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.