Computerworld

Malware boom puts pressure on anti-virus race

Businesses, consumers at risk as exploit numbers leap 185 per cent in first six months

Anti-virus application vendor Symantec found a total of 212,101 new malware variants over the first six months of 2007, an astonishing 185 per cent increase over the second half of 2006, averaging well over 1100 unique samples arriving per day.

With the volume of malware attacks growing so rapidly, the pressure on anti-virus research labs to find and defend against new threats to keep their products up to date and customers ahead of the curve has never been greater.

Based on the sheer number of threats and the sprawl of massive research operations such as Symantec's 40,000 sensor-strong Global Intelligence Network, some experts maintain that only a few of the largest labs will be able to compete in the long run.

Beyond Symantec and its biggest rivals -- including McAfee, Microsoft, and Trend Micro -- it will be unlikely that additional researchers and technology vendors will be able to remain relevant, said Neil MacDonald, a long-time security industry analyst with Gartner.

"As the number of exploits takes off exponentially, there won't be many that can keep up," MacDonald said. "Only a few like Symantec, Microsoft, McAfee, and Trend will be able to handle the research load, or it will require a significant amount of additional investment for any others to compete."

Even with security applications becoming increasingly proactive -- using behaviour monitoring and heuristics to ward off threats, and so eliminating the need for humans to create an electronic serum for every new variant -- the analyst contends that smaller labs won't be able to offer the same level of intelligence as their larger brethren, which he said will lead to consolidation among those left behind.

"It's a condition that will benefit larger vendors, but that's not necessarily a bad thing and in that sense the security industry is maturing like the rest of the IT industry as customers don't need point solutions that drive up complexity and costs," MacDonald said.

"There will always be a need for smaller vendors and startups to solve new problems, but there's no reason for that approach to anti-virus or anti-spyware anymore, and customers are going to draw the line at what level of AV is good enough."

The analyst's argument echoes the sentiments expressed by many industry pundits over the last several years who have said anti-virus technologies are rapidly becoming commoditised.

However, second-tier threat research labs counter that traditional signature-based techniques for protecting customers only represent a last line of defence in their companies' cutting-edge anti-malware applications.

Researchers claim that the innovative detection and prevention technologies they've built to help keep up with the flow of new attacks represent yet another equaliser -- and a unique differentiator that they will use to go to market against larger rivals.

"What is being described is history, when one researcher wrote one signature for every virus. Of course the volume has increased, but we're using automated systems to do a lot of the analysis and write the detection routines," said Graham Cluley, senior technology consultant at Sophos, a security vendor with about 1,000 employees.

"Even if you look at our website, a lot of the virus descriptions there were actually written by computers and we've also made huge leaps, as have others, in terms of producing proactive detection," he said.

Cluley argues that well-established second-tier shops including Sophos, Kaspersky Lab, Panda Software, and F-Secure -- that have been in the endpoint protection business for years -- will still be able to carve out profitable portions of the overall security market.

Cluley said that over 70 per cent of the new attack variants discovered by Sophos in the last year were found using automated tools such as the company's behavioural genotype technology -- which the company says can predict whether a program is malicious before it is ever run.

"There's absolutely no evidence that we can't compete with the 500-kg gorillas," said Cluley. "People have been saying that anti-virus is a commodity for years, and it's true that many customers want integrated security tools, but the people who are saying that only the largest can survive are looking at modern anti-virus in a very old-school way."

Some industry analysts agree that at least part of the commoditisation debate is based in market nomenclature, since signature-based tools represent only one flavour of the integrated security applications delivered by almost all "anti-virus" vendors.

Larger vendors may have the broadest array of security technologies, but the different varieties and combinations of tools offered by many providers will still appeal to individual companies and customers of various sizes, said Chris Christiansen, an analyst with IDC.

"Anti-virus is actually becoming endpoint security but for the sake of marketing some of the same wording is being used, even though all these companies' products contain a far wider range of capabilities than signature-based anti-virus," he said. "Focusing on the sheer number of bodies that any one company has in the lab is missing the point; it's more of an effort to develop automated capabilities to recognise variants."

Confronted with the argument that the comparatively modest size of the company will serve as a handicap when lined up against its largest competitors, Kaspersky Lab leaders said that the notion overlooks the realities of the market.

"It's not about headcount: it's about the quality of the people, it's about designing the systems to test the malware samples, and it's about the systems of delivery for getting the signatures to the end-users," said Steve Orenberg, president of Kaspersky Lab USA operations. "There is such a wide range of factors that figure into the process."

Orenberg said that Kaspersky wins new customers using its unique malware-hunting technologies, speedy virus update services, and its products' low impact on the system resources of the devices they run on -- all of which he lists as advantages over larger providers.

Eugene Kaspersky pointed out that market watchers have been making the same commoditisation arguments for a long time -- even while his company has continued to grow.

"People have been saying that the only difference between the different systems is marketing and that the quality is similar, but I don't think that's ever been true," said Kaspersky. "The large anti-virus companies out there are like Toyota, Ford and GM, and the smaller companies like us are more like Lamborghini. The only difference is that we develop Lamborghini technology but sell it for the same price as a Ford."