
Targeted Hacking Forces a New Reality on Antivirus Companies

An influx of advanced malware will force big antivirus companies to either evolve or cede turf to a crop of startups.
February 14, 2013

When the New York Times revealed this month that hackers had recently breached its networks, what turned the heads of security experts wasn’t that the attacks had occurred. It was a top antivirus company’s unusually candid admission about the limits of its own technology.

Symantec was put on the defensive because its software had detected and quarantined only one of the 45 pieces of custom malware the hackers used to target the New York Times and ferret out certain reporters’ e-mails, a heist the newspaper itself reported in a news article. According to a Times spokeswoman, the paper did have the latest antivirus software on all computers on its network; but to guard against so-called advanced persistent threats, “antivirus software alone is not enough,” read Symantec’s statement.

That its core product was essentially useless against the attack—allegedly sponsored by the Chinese government—came as no surprise to those in the know. But the blunt admission points to a rapidly changing computer security landscape and a growing threat to Symantec’s $6.7-billion-a-year business. A recent study by Imperva, a California data security startup, found that antivirus products from top vendors detected less than 5 percent of more than 80 new viruses tested.

As attacks become more targeted and customized (see “The Antivirus Era Is Over”), startups are positioning themselves as alternatives to conventional antivirus vendors. Some are advocating that security managers, especially those on a budget, use free or low-budget antivirus software to catch simple, common viruses, and invest in specialized services to better protect key assets.

Ashar Aziz, founder and chief technology officer of FireEye, one startup selling technology to ward off a “new breed of cyberattacks,” argues that the faulty assumption that antivirus software is effective against today’s cyber threats has created “a wide and gaping hole” in every security architecture that exists. “I have yet to go into an organization and find that they are completely clean. It has never happened,” Aziz says.

Rather than using a blacklist to block known threats—the conventional method employed by antivirus software, which matches files against signatures of malware already seen—FireEye works by assuming everything is suspect, running incoming files in an isolated “sandbox,” and watching what they actually do before allowing them onto a machine. In November, McAfee’s former CEO, Dave DeWalt, left to become chief executive of FireEye, which claims that nearly 30 percent of Fortune 500 companies are its customers and has raised more than $100 million in venture capital funds.

FireEye is far from the only startup gaining traction as malware becomes more targeted and as the latest methods of the most sophisticated hackers become more quickly democratized and disseminated.

And while the established industry is clearly aware of the shortcomings of its long-held defensive approaches, it may have been slow to adopt new methods. Imperva’s director of security strategy, Rob Rachwald, believes the industry has expended less effort on staying on the cutting edge of protection, and more on developing “nice whiz-bang dashboards” to impress customers. Aziz, who now works side by side with McAfee’s former CEO, says the large vendors are now racing to catch up to where FireEye began in 2004.  

From the perspective of Liam O’Murchu, Symantec’s manager of security response operations, these views that his company’s products aren’t keeping up are already outdated.

The California-based business now sells advanced detection methods and includes some in its standard antivirus programs. These include programs that score links sent via e-mail or IM, and applications, based on the reputation of their source; scan for suspicious patterns of behavior; and try to predict the behavior of a file itself. In development, says O’Murchu, are technologies designed specifically to protect against so-called “zero-day” attacks, so named because they exploit flaws the software maker doesn’t yet know about and thus has had zero days to fix. These are the kind of attacks that well-funded criminal organizations or governments are most likely to use (see “Welcome to the Malware-Industrial Complex”).

The way companies approach security will likely change, as will the services they buy, says Nicolas Christin, a security researcher at Carnegie Mellon University, though he also notes that some alternative approaches may be less effective than many security sellers make them seem. For example, he says, even a behavioral detection engine still requires some definition of what “bad behavior” looks like, and that might not always be obvious.
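To make the contrast between the two approaches concrete, here is an added toy example; it is not code from the article, Symantec, FireEye or Imperva. A hash blacklist catches a catalogued sample but misses the same code recompiled with one byte changed, while an ordered behavioral rule over a recorded execution trace catches both. The last sample shows Christin’s caveat: a stealer whose behavior no rule describes as “bad” goes unflagged until someone writes that rule. Every sample, hash, path, host name and rule below is constructed for illustration.

```python
# Added example (not the article's, Symantec's or FireEye's code): hash blacklist
# versus behavioural sandbox rules over a recorded execution trace. All samples,
# paths, host names and rules are constructed for illustration.
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List

Event = Dict[str, object]          # one sandbox-recorded action, e.g. a file write
Rule = List[Callable[[Event], bool]]   # predicates that must match in this order


@dataclass
class Sample:
    name: str
    body: bytes          # what an on-disk scanner sees and hashes
    trace: List[Event]   # what a sandbox records when the sample actually runs


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- 1. Signature blacklist: exact hashes of malware catalogued before --------
DROPPER_V1 = b"MZ\x90\x00dropper build 1 beacon=update.example.net"  # constructed
KNOWN_BAD_HASHES = {sha256(DROPPER_V1)}   # the "definition file"


def blacklist_verdict(sample: Sample) -> bool:
    """True only if this exact file has been seen and catalogued before."""
    return sha256(sample.body) in KNOWN_BAD_HASHES


# --- 2. Behavioural rules: ordered predicates over the execution trace --------
STARTUP_DIR = ("C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
               "\\Start Menu\\Programs\\Startup")
TRUSTED_HOSTS = {"update.vendor.example"}   # constructed allow-list


def writes_to_startup(e: Event) -> bool:
    return e["op"] == "write" and str(e["path"]).startswith(STARTUP_DIR)


def beacons_to_untrusted(e: Event) -> bool:
    return e["op"] == "connect" and e["host"] not in TRUSTED_HOSTS


def reads_mailbox(e: Event) -> bool:
    return e["op"] == "read" and str(e["path"]).endswith(".pst")


# Only one notion of "bad behaviour" is defined to start with.
RULES: Dict[str, Rule] = {
    "persist_then_beacon": [writes_to_startup, beacons_to_untrusted],
}
# The same engine with a second definition added after the fact.
EXTENDED_RULES: Dict[str, Rule] = dict(
    RULES, steal_mail_then_exfil=[reads_mailbox, beacons_to_untrusted])


def matches_in_order(trace: List[Event], predicates: Rule) -> bool:
    """Order-preserving subsequence match: each predicate must be satisfied by
    an event that comes after the one that satisfied the previous predicate."""
    events = iter(trace)               # shared iterator, so position carries over
    return all(any(p(e) for e in events) for p in predicates)


def sandbox_verdict(sample: Sample, rules: Dict[str, Rule] = RULES) -> List[str]:
    """Names of every behavioural rule the recorded trace satisfies."""
    return [name for name, preds in rules.items()
            if matches_in_order(sample.trace, preds)]


# --- 3. Constructed samples -------------------------------------------------
PERSIST_AND_BEACON: List[Event] = [
    {"op": "write", "path": STARTUP_DIR + "\\svchost.lnk"},
    {"op": "connect", "host": "update.example.net", "port": 443},
]

SAMPLES = [
    # the catalogued dropper: both approaches catch it
    Sample("dropper_v1", DROPPER_V1, PERSIST_AND_BEACON),
    # same code rebuilt with one byte changed: new hash, identical behaviour
    Sample("dropper_v1_recompiled",
           DROPPER_V1.replace(b"build 1", b"build 2"), PERSIST_AND_BEACON),
    # legitimate updater: writes under Program Files, talks to a trusted host
    Sample("vendor_updater", b"MZ\x90\x00updater", [
        {"op": "write", "path": "C:\\Program Files\\Vendor\\app.exe"},
        {"op": "connect", "host": "update.vendor.example", "port": 443},
    ]),
    # never persists; reads a mailbox and exfiltrates over DNS. No rule in
    # RULES describes that as "bad", so the sandbox is blind to it.
    Sample("mail_stealer", b"MZ\x90\x00stealer", [
        {"op": "read", "path": "C:\\Users\\victim\\Documents\\Outlook\\mail.pst"},
        {"op": "connect", "host": "a3f9.exfil.example", "port": 53},
    ]),
]


def run(rules: Dict[str, Rule] = RULES) -> Dict[str, Dict[str, object]]:
    """Verdict of both detectors for every sample, keyed by sample name."""
    return {s.name: {"blacklist": blacklist_verdict(s),
                     "sandbox": sandbox_verdict(s, rules)} for s in SAMPLES}


if __name__ == "__main__":
    for label, rules in (("default rules", RULES), ("extended rules", EXTENDED_RULES)):
        print(f"== {label}")
        for name, verdict in run(rules).items():
            print(f"{name:22s} blacklist={str(verdict['blacklist']):5s} "
                  f"sandbox={verdict['sandbox']}")
```

Run it as a script to see both rule sets side by side. The point of `matches_in_order` is that a behavioral engine is only as good as the sequences someone has thought to describe: the recompiled dropper is caught with no signature update at all, but the mailbox stealer is invisible until `steal_mail_then_exfil` is added, and the vendor updater stays clean only because its host is on a constructed allow-list.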

According to a survey of 670 companies conducted by the Ponemon Institute, advanced persistent threats and “hacktivism” were the biggest headaches for IT departments last year, and many blamed higher IT operating expenses on malware.

The experiences of Mandiant, the security company that worked with the New York Times to respond to and root out the attack on its networks, bear this out. It used to be that only a large Wall Street bank had to worry about targeted malware, says service director Marshall Heilman. Now, not only are small regional and community banks targeted, but so are payment processors. “If you are a successful company, then you are probably doing something interesting” that could attract hackers, he says. A detailed account of how Mandiant tracked an attack on the South Carolina Department of Revenue last November shows how easily these attacks can occur and how long they can go undetected. 

The Times, for its part, hasn’t given up on its antivirus company yet. “For now, we are continuing to use Symantec,” says spokesperson Eileen Murphy.
