2,600,000
An Up-to-the-Second Representation of the Signature Problem
The Worldwide Malware Signature Counter is a representation of the estimated number of signatures required by signature based defensive software such as antivirus tools to meet the expanding volume of malware threats. The point of the counter is simple: malicious attacks are growing in both volume and complexity, and the sheer volume is reaching a point where it begins to surpass the collective capability of security vendors to keep pace. In 2008, the pace translated to Symantec writing a new signature every 20 seconds; in 2009, the pace quickens to one every eight seconds.
How the Counter Works
There is obviously no way to have an exact count of the required number of signatures needed at any one point in time, but we do believe this counter is built on sound and conservative assumptions. The counter is based on data from the "Symantec Global Internet Security Threat Report - Trends for 2008", published by Symantec in April of 2009 which provided a year-by year summary of the cumulative number of signatures. At the beginning of 2007, there were approximately 1,000,000 signatures in total. The report states that in 2008, Symantec wrote 1,600,000 signatures, bringing the total cumulative count to 2.6M signatures at the start of 2009. The signature activity in 2008 represented a 265% increase in the total number of signatures year over year. If you graph the numbers from the report, the increase in signatures appears to be geometric, which would lead to the conclusion that the increase in total signatures in 2009 would in fact exceed the 265% seen in 2008. In the name of fairness and a desire to be conservative, we chose to use the same growth rate in 2009 as occurred in 2008, so the counter may in fact may prove to have underestimated the problem when the 2009 results are tallied.
++ Click on the Chart to Enlarge ++
Something Will Have to Give
If you translate the 1.6 million signatures written in 2008, the number breaks down to 133,000 signatures per month, roughly 4,400 signatures per day, or 3 per minute, and ultimately 1 every 20 seconds. This pace will only accelerate over time. It is not unreasonable to expect that the response times from detection to the release of a new signature will lengthen, increasing potential exposure. It is also reasonable to ask the question regarding quality control and testing given the accelerating pace. It is good to remember that many of these same tools have remediation processes that use pre-written scripts - meaning that they suffer from the same limitation as detection signatures in that they require prior knowledge of the problem. As a result, for every new signature vendors that use this approach must write both a signature and a remediation script, thereby doubling the load. Something will have to give, and it won't be the relentless cyber criminals.
It is Not Just About Volume
Malicious attacks are growing in complexity and velocity. The public, bulletin board attacks carried out by lone hackers of five years ago have been replaced with dynamic precision-guided attacks carried out by well organized cyber criminals who value stealth and non-detection above all else. The signature based technologies such as antivirus software and firewalls are buckling under the evolving cyber threats, and new tools such a heuristics still require some previous level of knowledge of the attack to work. It is no wonder that Gartner assessed the ability of these tool to protect organizations as "declining" and noted that "Gartner clients suffered from rising infection rates in 2008 and early 2009"(1).
Real Time Malware Detection and Remediation Without Signatures
Triumfant Resolution Manager has the ability to detect, analyze, and remediate malicious attacks in real time without the need for signatures or any prior knowledge of the attack. Triumfant scans every machine down to the most granular level and can detect the changes to a machine that indicate a potential attack. Triumfant's patent pending analytics can then verify that the machine is in fact under attack and eliminate the false positives that have plagued anomaly detection in the past. Because Triumfant can detect each and every change to a machine, it is uniquely capable of synthesizing a situational remediation on the fly to not only stop the attack, but repair all of the collateral damage of the attack. Open ports are closed, modified configuration settings are restored, and registry entries are repaired, effectively eliminating the costly process of re-imaging the machine. The ability to build these sophisticated remediations without human intervention significantly shortens the time between detection and remediation.
Learn More
To learn more about how Triumfant Resolution Manager can help your organization detect the malicious attacks that evade traditional signature based defensive software, click here.
(1)Gartner: Magic Quadrant for Endpoint Protection Platforms; May 4, 2009
top
