Enterprise Signatureless Malware Detection

Threat Prevalence: Your breach will have to wait

Recently I attended a security conference hosted by a major vendor, with many of our security vendor peers in attendance. One of the more interesting presentations and related discussions centred around speed of reaction to new threats, and the priority in which they were treated.

It was no surprise (at least it shouldn’t be a surprise anymore to anyone in the industry) that the time-to-protect, i.e. the average time from when a new threat is first received into the malware repository to when a signature is published, was measured in days. It is a bit disheartening that, with all the tools and automation available, this mean time to protect hasn’t been reduced further. It is of course a challenge for security vendors, who typically now must parse through 100K+ unique malware binaries every single day and find the hidden gems buried in there that represent truly new threats needing new signatures. An already outdated stat from Kaspersky has anti-malware vendors creating 3,500 new signatures every day in 2009 from 30,000 unique daily binaries. Any individual vendor is likely to publish dozens, if not hundreds, of signatures on any given day. All to catch yesterday’s (or the day before’s...) threats, while new ones are constantly piling in.

OK, that’s bad, but we’ve gotten used to it. There was more bad news, though, for enterprise customers. A typical AV vendor has no choice but to prioritise signature writing according to threat prevalence. This is where the failure of signatures is not just a technical failure, but an economic one as well. Virtually every vendor publishes some variation of a ‘top 10 threats’ list or report highlighting the threats their users are most likely to encounter. It follows, of course, that vendors will write signatures for precisely these threats first. Guess where the targeted attack hitting your enterprise fits on the long tail? Not anywhere near your vendor’s priority list is a safe guess. If you’re responsible for 20,000 desktops and have a 7-figure annual infosec budget, you might believe you have a lot of sway with your vendor. But economics dictate otherwise, especially for a security vendor that has a substantial consumer customer base. No matter how severe the threat, and how weak the detection, if that threat is specifically targeting your enterprise, its economic impact for the vendor will be small in relation to any broad-based attack affecting retail consumers. Caveat emptor!


For a whitepaper on ECAT or to request more information, please click here.