At the RSA Conference in San Francisco last week, security vendors pitched their next-generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry has failed to protect paying customers from some of today's most pernicious threats.
The big news at the show had to do with the takedown of the Mairposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.
Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.
That's because for these advanced attacks to work, the bad guys need to find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect -- or at least very quick about spotting intrusions -- to keep APT threats at bay.
Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. "All of the victims we've worked with had perfectly installed antivirus," he said. "They all had intrusion detection systems and several had Web proxies scan content."
The problem is that the bad guys can buy this technology too, and test and retest their attacks until they slip through. "Anybody can download and try every single antivirus engine against their malware before they ship it," Stamos said.
Emphasizing this point, antivirus testing company NSS Labs created a variation on the known Internet Explorer 6 attack, used in the Google incident, and tested it against seven popular antivirus products. NSS also tested the original attack code against the same antivirus products. The tests, conducted two weeks after the bug was made public, found that only McAfee's antivirus product stopped the new variant of the attack.
One company, AVG, didn't even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG, and Trend Micro all failed to block a variant of the Aurora exploit.
But AVG said in response that its products detect the Aurora attack. A spokesman said the results were due to flaws in NSS's testing methodology. However, the company does not dispute the claim that its product failed to detect variants of Aurora.
Antivirus companies could "definitely be doing a better job," said NSS President Rick Moy. "They should be implementing more vulnerability-based detection. There's a little too much focus on the malware payload."
Paul Roberts, an analyst with industry research firm the 451 Group, put it more strongly: "Enterprises are very dissatisfied with the level of protection they're getting from their end-point antimalware suites," he said. While antivirus companies are experimenting with ways to block programs based on an analysis of different factors, such as the file's behavior, its age, origin, and how widely it is being used, these features are often turned off because they end up blocking legitimate programs, Roberts said.