
Come in, Antivirus Software, your time is up!

Robin Bloor By: Robin Bloor
Published: 28th March 2006
Copyright © 2006
Sunset on Antivirus

When I was first briefed, about a couple of years ago, by Securewave, a European security start-up that was establishing itself in the US, I concluded that their approach to IT security would eventually supersede antivirus software. Securewave could have aggressively marketed the fact that it made antivirus software defunct, but it didn't. You can't take on industry giants when you have a very limited marketing budget, can you?

The next company I came across with a similar proposition was Bit9. They didn't have an identical approach to Securewave, but it was very similar...

Put simply, the approach of both companies is like this: You fingerprint valid executables. You stop anything that is not authorized from running. You allow self-authorization, but you quarantine anything that is authorized by the PC user until it has been authorized officially. You can do this on servers too. The details of how and the various nuances vary.

The point is that it stops viruses stone dead—including ALL zero-day exploits. Actually it also stops a good deal of bad user behaviour too, like loading your own applications. That's its major function. The killing of viruses is a simple side effect. It won't stop buffer overflow attacks by hackers, but it will stop the successful overflow-attacker-hacker from doing much to subvert the attacked machine.
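To make the fingerprint-and-quarantine model described above concrete, here is an added Python example; it is not code from Securewave, Bit9 or AppSense, whose actual implementations this page does not describe. It hashes executable images with SHA-256, lets only officially approved digests run, holds digests that a PC user self-authorized in quarantine until an administrator approves them, and blocks everything else. The byte strings standing in for executables are constructed. It illustrates the text's point that a modified binary, changed by even one byte, gets a new fingerprint and is blocked whether or not any signature exists for it; as the text also notes, the model says nothing about an in-memory overflow of a program that is already approved.

```python
import hashlib
from enum import Enum


class Verdict(Enum):
    RUN = "run"                # fingerprint is on the officially approved list
    QUARANTINE = "quarantine"  # user self-authorized; held until an admin approves
    BLOCK = "block"            # unknown fingerprint with no authorization at all


def fingerprint(image: bytes) -> str:
    """SHA-256 of the executable image; any byte change yields a different digest."""
    return hashlib.sha256(image).hexdigest()


class Allowlist:
    """Hypothetical policy store: approved digests plus a quarantine holding area."""

    def __init__(self) -> None:
        self.approved: set[str] = set()     # digests authorized officially (admin)
        self.quarantined: set[str] = set()  # digests a user self-authorized, awaiting review

    def approve(self, digest: str) -> None:
        # Official authorization releases a digest from quarantine.
        self.quarantined.discard(digest)
        self.approved.add(digest)

    def self_authorize(self, digest: str) -> None:
        # A user may vouch for an executable, but it only reaches quarantine.
        if digest not in self.approved:
            self.quarantined.add(digest)

    def decide(self, image: bytes) -> Verdict:
        # Execution control: the decision is made purely on the fingerprint,
        # so an unknown or altered binary is stopped without needing a signature.
        digest = fingerprint(image)
        if digest in self.approved:
            return Verdict.RUN
        if digest in self.quarantined:
            return Verdict.QUARANTINE
        return Verdict.BLOCK


def demo() -> dict[str, Verdict]:
    # Constructed sample "executables" standing in for real binaries.
    good = b"MZ\x90\x00corporate-app-v1"
    tampered = good + b"\x00"            # same program with one byte appended
    unknown = b"MZ\x90\x00never-seen-before"
    user_tool = b"MZ\x90\x00users-own-tool"

    policy = Allowlist()
    policy.approve(fingerprint(good))
    policy.self_authorize(fingerprint(user_tool))

    results = {
        "good": policy.decide(good),            # RUN
        "tampered": policy.decide(tampered),    # BLOCK: new fingerprint
        "unknown": policy.decide(unknown),      # BLOCK: never authorized
        "user_tool": policy.decide(user_tool),  # QUARANTINE: awaiting review
    }
    # An administrator reviews and officially authorizes the user's tool.
    policy.approve(fingerprint(user_tool))
    results["user_tool_after_review"] = policy.decide(user_tool)  # RUN
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict.value}")
```

The design choice worth noting is that the user's self-authorization never grants execution directly; it only records an intent that an administrator must confirm, which is the quarantine step the vendors are described as having managed effectively.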

So last week I ran into a third vendor with this kind of security technology: AppSense. AppSense has come to market quite recently with its security offering, but it has a highly functional capability because it has been making a tidy living from selling management software in the Citrix environment and has now specialized some of this for the security market. Three times is the charm, I guess. Here's the point: AppSense has one customer that has installed AppSense and thrown away all the antivirus software it previously ran. (No problems experienced, by the way.)

Like Securewave, AppSense is not going to pick a marketing fight with the big antivirus vendors, but nevertheless the tide has now turned and soon it will be racing in.

Antivirus software is no longer required.

It's over for antivirus software.

Come in antivirus software, your time is up.

There you are; I've said it thrice and what I say three times is true.

Dummy? I Say, Do You Know Who I Am?

I took part in an editorial meeting last week for the “SOA For Dummies” book, that we are writing (Judith Hurwitz, Carol Baroudi and I). Actually we are really writing two books, a minibook (roughly about 60 pages) which explains Service Oriented Architecture, and the full Dummies book which covers the same ground, but goes into much greater detail in respect of XML, UDDI, WSDL and the rest. The minibook will not be generally available in book shops, but IT vendors are able to buy tailored version of this for distribution to customers (with logo and some bespoke pages). We already have one such vendor who has signed up for 10,000 copies of this. So we are currently “writing ‘til the keyboard smolders” to get the minibook completed.

We had a teleconference with our “Dummies” editor this week and the one surprising fact that came out of it was that Dummies books are rarely used as part of academic courses. The reason for this is the word “Dummies”. While the world and his dog understand that the Dummies brand is intended to denote “readability and accessibility”, academia has problems with it.

While Dummies books are sometimes listed as additional reading for students, only one or two have ever been used directly on academic courses. (The Internet for Dummies, C++ and Java, are the exceptions that prove the rule.)

SAP Zapped?

SAP's competitors are probably smiling. A report from Nucleus Research does an analysis of SAP customers and concludes that SAP customers are roughly 20% less profitable than their peers. This directly contradicts the recent SAP advertising campaign which suggests quite clearly that SAP customers are more profitable than the average.

Explain the difference:
Clearly someone is being economical with the truth and the suspicion naturally falls on SAP. As far as I can tell from the pdf file that Nucleus Research published, all they've done is compile a list of every publicly-traded company identified on SAP's Web site as a SAP customer and assessed their actual return on equity—compared to that of their industry sector. You could do the calculations yourself on a spreadsheet. It's not hard, you just need to grab the financial data from somewhere on the web (like Bloombergs).

SAP claims that the Nucleus stats are invalid. Well they would, wouldn't they. There are some murmurings on the web that support this, which may be SAP-inspired or, alternatively, spontaneous expressions of interest in statistical methodology. One of the SAP customers mentioned in the Nucleus report, Perrigo, claimed on www.line56.com that Nucleus had, in its case, made an incorrect calculation because it had included $400 million in acquisition-related, one-time charges and expenses. This meant that Perrigo was shown to have an ROE (return on equity) of -62.6 percent rather than +11.1 percent.

That, however, only challenges one result and, to be honest, if Nucleus Research used the same calculation method for all companies then this wouldn't materially alter the findings—unless, of course, the proportion of SAP customers suffering one-time charges is greater than the average. (This is unlikely, but possible). Demir Barlas of Line56 points out that if you remove the five worst ROEs amongst SAP customers (Perrigo, Shanghai General Motors, Loewe, Eastman Kodak and Capstone Turbine) from the Nucleus stats then the average SAP customer does better than its peers. (Which is a bit like saying that if you removed all the goals that Manchester United scored against us, we'd have beaten them). Barlas claims that these five companies skew the data, but seems to forget that they are the data.

Nevertheless, getting rational about this, Nucleus has not got a reasonable statistical model (and I don't believe that any stats that SAP may have used are firmly grounded either). To claim any valid correlation you really do have to have a population of companies that have done exactly the same thing (implemented exactly the same SAP modules at exactly the same time). I severely doubt if such a population exists. Also, using just the population of companies mentioned on the web site is a dubious selection process. It does not constitute a true random sample, and although one might expect it to skew positively it could conceivably skew negatively.

No competent independent statistician would back the claims of Nucleus. However, SAP has not published the stats that it based its advertising campaign on—and because of that, it deserves what it has got. Give me a good reason why they didn't publish, please. (I severely doubt if SAP will do it now.)

Anyway. Let's be honest, SAP applications are not what makes a company successful, any more than Oracle databases, IBM servers, Windows desktops or Cisco routers. It's having IT staff that read this blog that makes a company successful.

We're done here.

Reader Comments


28th March 2006: 'K.' said:

Hi Robin, application finger printing is nothing new and in fact is one of the oldest antivirus defenses around. Many years ago one of the better products was Untouchable from Fifth Generation Systems (which was really from BRM based in Israel). Others existed as well but Untouchable was one of the better ones. Even today these types of finger print applications, both passive (on-demand) and active (real-time), exist. You can look at Adinf and even Tripwire as examples, and the product you mentioned, AppSense, or many, many others.

The major problem with such technologies is that they are quickly proven to be less than favorable by consumers because using such a finger printing technique is cumbersome and challenging for all but isolated systems. It is not practical for mainstream, enterprise deployment so in the end the consumers drove these products from the market not major antivirus companies.

Even Fred Cohen, who coined the phrase "computer virus" and authored many books on the subject, developed a real-time finger print based antivirus defense system many, many years ago.

So in the end, you can easily see that finger printing antivirus defenses, also known as integrity based protection, is really an old technology that now and then gets new life for a brief moment when some company "finds" it again.


28th March 2006: 'Robin Bloor' said:

There's a significant difference between the first generation attempts referred to above and the products offered by Securewave, Bit9 and AppSense. That much is clear from the growth rates these companies are achieving and is explained by the fact that these companies have managed the quarantine process in an effective way.


28th March 2006: 'K.' said:

The companies in the past also had brief success as well. These change detection technologies are nearly the perfect defense but are impractical to use. Take for instance Faronic's Deep Freeze, which is a highly mature product but is only popular in environments where change is severely limited, like school labs. Outside of this it is too hard or near impossible to maintain.

You are being sucked into what is commonly known as the "Perfect Defense Syndrome". No one defense is or ever can be perfect. Finger print (change detection) technologies can be overcome as they depend on execution (installation) of something before detection (prevention) of the change can be identified. Here for example is where antivirus applications are very powerful if they are updated for the malicious application. Prescreening will notify of the existence before execution, which is the most ideal prevention. If the malicious application is unknown and allowed to execute, then that is where finger print (change detection) is powerful and a good defense, but more vulnerable than prescreening. I would consider such defenses as a last resort. I view such technologies as being like bullet proof vests. It is far better to prevent ever being shot (antivirus) than being shot at and depending on the vest (finger print / change detection) to keep you safe. If the "vest" fails, well... you're dead.

A combination of prevention and change detection is far superior to any one single defense.


28th March 2006: 'asmoot' said:

So K., would you like to come clean and tell us which of the antivirus companies you work for? You seem very adamant that the solutions Robin is talking about are not viable. This means we can all assume that you have evaluated all of them.
What do you suggest people do during the 2-3 days it usually takes from the time a threat is identified until their AV db is actually updated? How do companies figure out if their PCs have been infected or not? I don't think anyone would really recommend completely eliminating AV solutions, but they do leave some gaping holes in their protection coverage.


31st March 2006: 'bob' said:

just install linux -no av. easy.


31st March 2006: 'wolfgang' said:

One of the biggest changes that will result from the move to service oriented architecture is the drastic change in the definition of a packaged application. Think about this, Robin. What is a packaged application? It is, in its simplest form, the codification of a set of business processes. With the move toward SOA we might begin to see the more loosely coupled services, combined with the emerging process, becoming the new definition of packaged applications. In this way you would not really have a traditional application; rather you would have a collection of services, combined together at runtime, that understood business context. Of course, this would not necessarily be easy to achieve... but I think we are witnessing the beginning of a very interesting revolution. What do you think, Robin?


31st March 2006: 'Robin Bloor' said:

OK, so my money says that most of you readers out there do not read German. So let me give you the gist of the above posting. It's about SOA. It suggests that with SOA the whole nature of the packaged application will change and that this will spark a revolution in this area of software. It asks me if I agree.
I do.
As the posting suggests, with SOA it will be possible to provide applications that are truly flexible. Throughout the history of packaged applications it has been necessary to change the way the business worked in order to make best use of the packaged software. With SOA the boot goes straight onto the other foot. You will change the package to work in the way that you want it to work.
This, IMHO, is why SAP and Oracle are deeply into SOA. They would prefer to provide flexible business frameworks than straight packages. The package then simply becomes a starter pack.


31st March 2006: 'Andy Hayler' said:

The article on SAP's claims further devalues the outrageous claims made in its advertising.


31st March 2006: 'Nick Gatt' said:

Very similar to software metering it seems... However something like this in place of AV will require a HUGE attitude change in employers and employees plus tremendous processes to ensure you get it right. This costs time & money. Probably cheaper and resource effective to stay with good AV that includes spyware detection and buffer overflow attempts. Besides, how much more difficult would your day-to-day job be if you could not run that .exe NOW because it had not finished approval and fingerprinting? Is it really worth it? Proper AV and security implementations allow greater flexibility - at least for the meanwhile anyway!


2nd April 2006: 'Robin Bloor' said:

Curious how some of the postings I've attracted about AV are completely misleading about the products I'm talking about (AppSense, Bit9, Securewave). The above objection, for example, is completely spurious.




Published by: IT Analysis Communications Ltd.
T: +44 (0)203 051 5760 | F: +44 (0)870 345 9922