Malware boom puts pressure on second-tier AV labs

Over the first six months of 2007, anti-virus applications market leader Symantec found a total of 212,101 new malware variants, an astonishing 185 percent increase over the second half of 2006, totaling an average of well over 1,100 unique samples arriving per day.

With the volume of malware attacks growing so rapidly, the pressure on AV research labs to find and defend against new threats to keep their products up to date and customers ahead of the curve has never been greater.

Based on the sheer number of threats, and the sprawl of massive research operations such as Symantec's 40,000-sensor-strong Global Intelligence Network, some experts maintain that only a few of the largest labs will be able to compete in the long run.

Beyond Symantec and its biggest rivals -- including McAfee, Microsoft, and Trend Micro -- it will be unlikely that additional AV researchers and technology vendors will be able to remain relevant, said Neil MacDonald, a longtime security industry analyst with Gartner.

"As the number of exploits takes off exponentially, there won't be many that can keep up," McDonald said. "Only a few like Symantec, Microsoft, McAfee, and Trend will be able to handle the research load, or it will require a significant amount of additional investment for any others to compete."

Even with security applications becoming increasingly proactive -- using behavior monitoring and heuristics tools to ward off threats and eliminating the need for humans to create an electronic serum for every new variant -- the expert contends that smaller labs won't be able to offer the same level of intelligence as their larger brethren, which he said will lead to future consolidation among those being left behind.

"It's a condition that will benefit larger vendors, but that's not necessarily a bad thing, and in that sense the security industry is maturing like the rest of the IT industry as customers don't need point solutions that drive up complexity and costs," MacDonald said. "There will always be a need for smaller vendors and startups to solve new problems, but there's no reason for that approach to anti-virus or anti-spyware anymore, and customers are going to draw the line at what level of AV is good enough."

The analyst's argument echoes the sentiments expressed by many industry pundits over the last several years who have said that AV technologies are rapidly becoming commoditized.

However, those individuals running second-tier threat research labs counter that the analyst's theory ignores the fact that traditional signature-based techniques for protecting customers represent only a last line of defense in the makeup of their companies' cutting-edge anti-malware applications.

Along with all the other systems defense tools they provide to customers with their virus signature updates, the researchers challenge that the innovative detection and prevention technologies they've built to help keep up with the flow of new attacks represent yet another equalizer -- and a unique differentiator that they will use to go to market against larger rivals.