Change of tactics in war on viruses

Tom Espiner ZDNet.co.uk

Published: 01 Mar 2006 15:35 GMT

...them. Hackers don't want to be seen now," says Trend Micro's Genes.

Trend also argues that monitoring email is no guard against threats brought into the company by teleworkers, and by consultants bringing in infected laptops and USB memory sticks.

In response IronPort claims that its products are designed to work with existing antivirus solutions, rather than being a holistic package. "The way antivirus companies produce signatures complements IronPort. We are the traffic cop that enforces quarantine," says Gillis.

Independent testing
Sophos agrees that IronPort's product complements its own, but questions IronPort's motives for casting doubt on antivirus vendors' products. "They would say their solution is better than others, wouldn't they? Don't believe what vendors are saying — let's get independent guys to test their product. Come on, let's face it. It doesn't matter a hill of beans what vendors say, including us," says Cluley.

Analyst house Butler Group claim that a belt-and-braces approach to security makes the most sense; no one technology will provide complete protection. But the organisation's research analyst Alan Rodger admitted that traditional methods of dealing with viruses are limited.

"It's true there are challenges for antivirus vendors. The main challenge is keeping signatures up-to-date," he says. "There is a lag-time [when there is no signature available for new threats]. All protection vendors need to mitigate the threat of lag-time, and customers need to consider that this is a major requirement of security solutions."

The advantage of the approach used by email monitoring companies such as IronPort is that when a new threat emerges, a signature is not needed, as malware is pre-emptively quarantined, according to Rodger.

Blended is best
"By analysing the characteristics of email, these types of solutions empower themselves," he says. "If you can put something in place that doesn't solely rely on outside input, and allows users to validate emails themselves, this is certainly a valuable layer of a multi-layered approach," Rodger explains.

This multi-layered approach involves buying products that cover all bases. According to Rodger, antivirus solutions can "look at what's out there, and combat other threats. Email protection solutions supply protection for incoming emails, but antivirus combats other threats, for example, those introduced directly to PCs through connected hardware. I would definitely advocate a layered approach, depending on who is accessing the solutions and which solutions are deployed against a full range of attacks."

Andy Buss, senior analyst for canalys.com, agrees that mail monitoring systems can mitigate the effects of infected mail through sender reputation, but says that a multi-layered approach is needed.

"It comes down to the complexity of computer clients' needs — there is no one-size-fits-all solution," says Buss. "There is a lag time. Antivirus companies do respond with a signature, but until then companies have to rely on heuristics. However, non-signature heuristics can be difficult to use and unreliable. For widespread end-point protection they generally cause more problems than they resolve."

No one-stop-shop
The consensus seems to be that to create the best defence against viruses and other malware, companies will need to develop a blended approach and use a variety of services and techniques. But creating an effective multi-vendor security strategy depends on how well different technologies integrate — something which the security industry must address if it is to serve its customer base properly.

"I think this demonstrates the fragmented nature of the antivirus industry. There is no one antivirus and spyware solution. They can be bundled, but they're not integrated. In the future we will get tighter integration, especially with spyware," says Buss.
