Targeted Hacking Forces a New Reality on Antivirus Companies

When the New York Times revealed this month that hackers had recently breached its networks, what turned the heads of security experts wasn’t that the attacks had occurred. It was a top antivirus company’s unusually candid admission about the limits of its own technology.

Symantec was put on the defensive because its software only once detected and quarantined any of the 45 pieces of custom malware the hackers had used to target the New York Times and ferret out certain reporters’ e-mails, a heist the newspaper itself reported in a news article. According to a Times spokeswoman, the paper did have the latest antivirus software on all computers on its network; but to guard against so-called advanced persistent threats, “antivirus software alone is not enough,” read Symantec’s statement.

That its core product was essentially useless against the attack—allegedly sponsored by the Chinese government—came as no surprise to those in the know. But the blunt admission points to a rapidly changing computer security landscape and a growing threat to Symantec’s $6.7-billion-a-year business. A recent study by Imperva, a California data security startup, found that antivirus products from top vendors detected less than 5 percent of more than 80 new viruses tested.

As attacks become more targeted and customized (see “The Antivirus Era Is Over”), startups are positioning themselves as alternatives to conventional antivirus vendors. Some are advocating that security managers, especially those on a budget, use free or low-budget antivirus software to catch simple, common viruses, and invest in specialized services to better protect key assets.

Ashar Aziz, chief information officer of one startup selling technology to ward off a “new breed of cyberattacks,” argues that the faulty assumption that antivirus software is effective against today’s cyber threats has created “a wide and gaping hole” in every security architecture that exists. “I have yet to go into an organization and find that they are completely clean. It has never happened,” Aziz says.

Rather than using a blacklist to block known threats—the conventional method employed by antivirus software—FireEye works by assuming everything is suspect and testing programs in a safe “sandbox” before allowing them to run on a machine. In November, the CEO of the major security vendor McAfee left to join FireEye, which claims that nearly 30 percent of Fortune 500 companies are its customers and has raised more than $100 million in venture capital funds.

FireEye is far from the only startup gaining traction as malware becomes more targeted and as the latest methods of the most sophisticated hackers become more quickly democratized and disseminated.

And while the established industry is clearly aware of the shortcomings of its long-held defensive approaches, it may have been slow to adopt new methods. Imperva’s director of security strategy, Rob Rachwald, believes the industry has expended less effort on staying on the cutting edge of protection, and more on developing “nice whiz-bang dashboards” to impress customers. Aziz, who now works side by side with McAfee’s former CEO, says the large vendors are now racing to catch up to where FireEye began in 2004.  

From the perspective of Liam O’Murchu, Symantec’s manager of security response operations, these views that his company’s products aren’t keeping up are already outdated.

The California-based business now sells advanced detection methods and includes some in its standard antivirus programs. These include programs that score links sent via e-mail or IM and applications based on the reputation of their source, scan for suspicious patterns of behavior, and look to predict the behavior of a file itself. In development, says O’Murchu, are technologies designed specifically to protect against so-called “zero-day” attacks, so named because software makers aren’t yet aware of them and thus have had no time to react. These are the kind of attacks that well-funded criminal organizations or governments are most likely to use (see “Welcome to the Malware-Industrial Complex”).

The way companies approach security will likely change, as will the services they buy, says Nicolas Christin, a security researcher at Carnegie Mellon University, though he also notes that some alternative approaches may be less effective than many security sellers make them seem. For example, he says, even a behavioral detection engine still requires some definition of what “bad behavior” looks like, and that might not always be obvious.

According to a survey of 670 companies conducted by the Ponemon Institute, advanced persistent threats and “hactivism” were the biggest headaches for IT departments last year, and many blamed higher IT operating expenses on malware.

The experiences of Mandiant, the security company that worked with the New York Times to respond to and root out the attack on its networks, bear this out. It used to be that only a large Wall Street bank had to worry about targeted malware, says service director Marshall Heilman. Now, not only are small regional and community banks targeted, but so are payment processors. “If you are a successful company, then you are probably doing something interesting” that could attract hackers, he says. A detailed account of how Mandiant tracked an attack on the South Carolina Department of Revenue last November shows how easily these attacks can occur and how long they can go undetected. 

The Times, for its part, hasn’t given up on its antivirus company yet. “For now, we are continuing to use Symantec,” says spokesperson Eileen Murphy.