Malware boom puts pressure on second-tier AV labs

Security experts predict only a few of the largest labs will be able to compete in anti-virus research in the long run

Over the first six months of 2007, anti-virus applications market leader Symantec found a total of 212,101 new malware variants, an astonishing 185 percent increase over the second half of 2006, totaling an average of well over 1,100 unique samples arriving per day.

With the volume of malware attacks growing so rapidly, the pressure on AV research labs to find and defend against new threats to keep their products up to date and customers ahead of the curve has never been greater.

Based on the sheer number of threats, and the sprawl of massive research operations such as Symantec's 40,000-sensor-strong Global Intelligence Network, some experts maintain that only a few of the largest labs will be able to compete in the long run.

Beyond Symantec and its biggest rivals -- McAfee, Microsoft, and Trend Micro -- few other AV researchers and technology vendors are likely to remain relevant, said Neil MacDonald, a longtime security industry analyst with Gartner.

"As the number of exploits takes off exponentially, there won't be many that can keep up," MacDonald said. "Only a few like Symantec, Microsoft, McAfee, and Trend will be able to handle the research load, or it will require a significant amount of additional investment for any others to compete."

Even as security applications become more proactive -- using behavior monitoring and heuristics to ward off threats without a human writing a signature for every new variant -- MacDonald contends that smaller labs won't be able to match the intelligence of their larger brethren, which he said will lead to consolidation among those being left behind.

"It's a condition that will benefit larger vendors, but that's not necessarily a bad thing, and in that sense the security industry is maturing like the rest of the IT industry as customers don't need point solutions that drive up complexity and costs," MacDonald said. "There will always be a need for smaller vendors and startups to solve new problems, but there's no reason for that approach to anti-virus or anti-spyware anymore, and customers are going to draw the line at what level of AV is good enough."

The analyst's argument echoes the sentiments expressed by many industry pundits over the last several years who have said that AV technologies are rapidly becoming commoditized.

However, those running second-tier threat research labs counter that the analyst's theory ignores the fact that traditional signature-based techniques represent only the last line of defense in their companies' anti-malware applications.

Along with all the other system-defense tools they ship alongside their virus signature updates, the researchers contend that the detection and prevention technologies they've built to keep up with the flow of new attacks are an equalizer -- and a differentiator they will use to go to market against larger rivals.

"What is being described is history, when one researcher wrote one signature for every virus; of course the volume has increased, but we're using automated systems to do a lot of the analysis and write the detection routines," said Graham Cluley, senior technology consultant at Sophos, an AV vendor with more than 1,000 employees.

"Even if you look at our Web site, a lot of the virus descriptions on there were actually written by computers, and we've also made huge leaps, as have others, in terms of producing proactive detection," he said.

Cluley argues that well-established second-tier AV shops including Sophos, Kaspersky Lab, Panda Software, and F-Secure -- that have been in the end-point protection business for years -- will still be able to carve out profitable portions of the overall security market.

Cluley said that more than 70 percent of the new attack variants Sophos discovered in the last year were found using automated tools such as the company's behavioral genotype technology, which Sophos says can identify malicious programs before they are ever run.

"There's absolutely no evidence that we can't compete with the 500-pound gorillas," said Cluley. "People have been saying that AV is a commodity for years, and it's true that many customers want integrated security tools, but the people who are saying that only the largest can survive are looking at modern AV in a very old-school way."

Some industry analysts agree that at least part of the AV commoditization debate comes down to market nomenclature, since signature-based tools represent only one component of the integrated security applications being delivered by almost all "anti-virus" vendors.

Larger vendors may lead the way with the broadest array of security technologies in their suites, but the different varieties and combinations of tools being offered by many of the providers will still appeal to individual companies and customers of various sizes, said Chris Christiansen, analyst with IDC.

"AV is actually becoming end-point security, but for the sake of marketing some of the same wording is being used, even though all of these companies' products contain a far wider range of capabilities than signature-based AV," he said. "Focusing on the sheer number of bodies that any one company has in the lab is missing the point; it's more of an effort to develop automated capabilities to recognize variants."
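The automated variant handling that Cluley (automated systems that write the detection routines) and Christiansen (automated capabilities to recognize variants) describe above can be sketched in code. What follows is an added illustration, not code from Sophos, Kaspersky Lab, or any other vendor named in this article; the byte-n-gram similarity measure, the common-substring signature extraction, the thresholds, and every sample byte string are assumptions chosen for the example. Incoming samples are grouped by similarity, each multi-member cluster yields one detection pattern that is checked against a clean set before release, and singletons (possible new families) are left for a human analyst.

```python
"""Added illustration of automated variant triage: cluster samples by
similarity, derive one detection pattern per cluster, guard against false
positives. Toy code; no vendor's technology, and all samples are constructed."""
from typing import Dict, List, Optional, Tuple


def byte_ngrams(data: bytes, n: int = 4) -> set:
    """Set of n-byte substrings: a crude, position-insensitive fingerprint."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: set, b: set) -> float:
    """Overlap of two fingerprints in [0, 1]."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def cluster_samples(samples: Dict[str, bytes], threshold: float = 0.5) -> List[List[str]]:
    """Greedy single-pass clustering: a sample joins the first cluster whose
    founding member is at least `threshold` similar, else it starts a new one."""
    prints = {name: byte_ngrams(blob) for name, blob in samples.items()}
    clusters: List[List[str]] = []
    for name in samples:
        for cluster in clusters:
            if jaccard(prints[name], prints[cluster[0]]) >= threshold:
                cluster.append(name)
                break
        else:
            clusters.append([name])
    return clusters


def longest_common_substring(blobs: List[bytes]) -> bytes:
    """Longest byte string present in every blob (brute force; fine at toy sizes)."""
    shortest = min(blobs, key=len)
    for length in range(len(shortest), 0, -1):
        for start in range(len(shortest) - length + 1):
            cand = shortest[start:start + length]
            if all(cand in b for b in blobs):
                return cand
    return b""


def derive_signature(blobs: List[bytes], clean_set: List[bytes],
                     min_len: int = 8) -> Optional[bytes]:
    """One byte pattern per cluster, rejected if it is too short or if it also
    occurs in a known-clean file (the false-positive check a lab runs before
    shipping an update)."""
    sig = longest_common_substring(blobs)
    if len(sig) < min_len or any(sig in clean for clean in clean_set):
        return None
    return sig


def triage(samples: Dict[str, bytes], clean_set: List[bytes],
           threshold: float = 0.5) -> Dict[Tuple[str, ...], Optional[bytes]]:
    """Map each cluster to its auto-derived signature. Singleton clusters get
    None: a lone sample may be a new family and is escalated to an analyst."""
    result: Dict[Tuple[str, ...], Optional[bytes]] = {}
    for members in cluster_samples(samples, threshold):
        if len(members) < 2:
            result[tuple(members)] = None
            continue
        result[tuple(members)] = derive_signature([samples[m] for m in members], clean_set)
    return result


def matches(signature: bytes, data: bytes) -> bool:
    """The scanner side: a plain substring match against the derived pattern."""
    return signature in data


# Constructed sample set (assumption: not real malware, .invalid is a reserved TLD).
CORE = b"MZ\x90\x00PAYLOAD:connect(evil-c2.invalid:443)"
SAMPLES = {
    "variant_a": b"junkAAAA" + CORE + b"tail1",
    "variant_b": b"noise-bbbbbb" + CORE + b"xx",
    "variant_c": CORE + b"\xde\xad\xbe\xef" * 3,
    "benign_tool": b"MZ\x90\x00hello world program, prints greeting and exits cleanly",
}
CLEAN_SET = [b"MZ\x90\x00standard runtime stub, nothing to see here"]
UNSEEN_VARIANT = b"zzzz" + CORE + b"different-tail"  # never seen during triage

if __name__ == "__main__":
    for members, sig in triage(SAMPLES, CLEAN_SET).items():
        print(members, "->", sig)
    print("unseen variant detected:", matches(CORE, UNSEEN_VARIANT))
```

The three constructed variants cluster together and yield the shared payload as their pattern, which then catches a fourth variant that was never analysed; the benign file lands in its own singleton cluster and gets no signature, and any pattern that also appears in the clean set is discarded. Production systems use far richer features (structural, behavioral, emulation-derived) and more careful similarity measures, but the division of labor is the one the article describes: automation absorbs the variants, humans look at what does not cluster.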

On Tuesday, Kaspersky Lab held an educational event for customers just outside of Boston, during which company founder and chief executive Eugene Kaspersky laid out the wide range of financially motivated threats being aimed at businesses and end-users, and told the story of building his one-man startup into the 800-employee organization it is today.

At the heart of the firm, he said, are Kaspersky's "woodpeckers," the virus researchers who spend their days picking away at the newest threats that arrive at the Russian firm's honeypots.

Confronted with the argument that the comparatively modest size of the company will serve as a handicap when lined up against its largest competitors, Kaspersky leaders said that the notion overlooks the realities of the market.

"It's not about headcount, it's about the quality of the people, it's about designing the systems to test the malware samples, and it's about the systems of delivery for getting the signatures to the end users," said Steve Orenberg, president of Kaspersky Lab USA operations. "There are such a wide range of factors that figure into the process; it's not all about the number of people you have looking at the attacks."

Orenberg said that Kaspersky Lab will continue to win new customers using its unique malware-hunting technologies, speedy virus update services, and its products' low impact on the system resources of the devices they run on -- all of which he lists as advantages over larger AV providers.

Eugene Kaspersky pointed out that AV market watchers have been making the same commoditization arguments for a long time -- even while his company has continued to grow -- and said that the most accurate analogy for his firm's ability to compete with bigger players can be found in the world of automobiles.

"People have been saying that the only difference between the different AV systems is marketing and that the quality is similar, but I don't think that's ever been true," said Kaspersky. "The large AV companies out there are like Toyota, Ford, and GM, and the smaller companies like us are more like Lamborghini; the only difference is that we develop Lamborghini technology, but sell it for the same price as a Ford."