March 11, 2010, 4:40 PM — At the RSA Conference in San Francisco last week, security vendors pitched their next-generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry has failed to protect paying customers from some of today's most pernicious threats.
The big news at the show had to do with the takedown of the Mairposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.
Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.
That's because for these advanced attacks to work, the bad guys need to find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect -- or at least very quick about spotting intrusions -- to keep APT threats at bay.
Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. "All of the victims we've worked with had perfectly installed antivirus," he said. "They all had intrusion detection systems and several had Web proxies scan content."
The problem is that the bad guys can buy this technology too, and test and re-test their attacks until they slip through. "Anybody can download and try every single antivirus engine against their malware before they ship it," Stamos said.
Emphasizing this point, antivirus testing company NSS Labs created a variation on the known Internet Explorer 6 attack, used in the Google incident, and tested it against seven popular antivirus products. NSS also tested the original attack code against the same antivirus products. The tests, conducted two weeks after the bug was made public, found that only McAfee's antivirus product stopped the new variant of the attack.
One company, AVG, didn't even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG and Trend Micro all failed to block a variant of the Aurora exploit.
But AVG said in response that its products detect the Aurora attack. A spokesman said the results were due to flaws in NSS's testing methodology. However, the company does not dispute the claim that its product failed to detect variants of Aurora.
Antivirus companies could "definitely be doing a better job," said NSS President Rick Moy. "They should be implementing more vulnerability-based detection. There's a little too much focus on the malware payload."
Paul Roberts, an analyst with industry research firm the 451 Group, put it more strongly: "Enterprises are very dissatisfied with the level of protection they're getting from their end-point antimalware suites," he said. While antivirus companies are experimenting with ways to block programs based on an analysis of different factors, such as the file's behavior, its age, origin and how widely it is being used, these features are often turned off because they end up blocking legitimate programs, Roberts said.
Many security experts now agree that patches, up-to-date antivirus, plus intrusion detection systems are not enough to protect companies from the worst of today's cyberthreats.
"The security industry's going to have to think about selling solutions that actually work with this type of environment," Isec's Stamos said. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." Shellcode is the initial payload program hackers use to install further programs, once they have hacked into a system.
But that message hasn't quite sunk in everywhere in the corporate world, said Paul Melson, information security manager with Priority Health, in Grand Rapids, Michigan. "A lot of companies have either turned their security teams into compliance teams or are still fighting the same fight they were fighting six or seven years ago."
The antivirus vendors argue that their products still serve a purpose, and indeed, nobody in the corporate world is turning them off.
