New security vendors take on sophisticated attackers

Why waste your time creating another variant of Netsky when someone is willing to pay you $10,000 to get root on a university database or break into TJX's network? ,

Code Red? Dead. Zotob? Dead. Blaster, Sasser and Slammer? Dead, dead and dead. AV vendors have learned their crafts well and have done a terrific job of fine-tuning their products over the years to such a degree that the virus authors largely have moved on to other pursuits.

A new report from security vendor MessageLabs shows that for the first time the ratio of phishing attacks to legitimate emails is higher than that of viruses to legitimate emails. In January, one in 93.3 messages contained a phishing attack; one in 119.9 emails held a virus.

It was just a couple of years ago that mass-mailing viruses and network-aware worms were wreaking enough havoc to show up on NPR and the nightly news. Hardly a month went by without the appearance of some major piece of malware, almost all of which exploited some flaw—usually with an available patch—in Outlook, Exchange or IIS.

Behind the firewall with Dennis Fisher: TJX breach: There's no excuse to skip data encryption Federal government pushes full-disk encryption Security pros glean insight from '06Microsoft Kernel Patch Protection should be lauded Microsoft Vista could improve Internet security Oracle should heed critical report touting SQL Server security

But those days are gone. Microsoft took the lion's share of the blame from users for the virus and worm epidemic, and with good reason. In those years they were slow to release patches and much less open about their process and timeline that they are now. Since then, the company has not only revamped its patching and updating process, it has cleaned up its coding practices, as well, which has led to fewer easily exploitable vulnerabilities for virus authors to target.

And the AV vendors have trimmed their reaction times and improved the quality of their heuristics to the point that anti-virus software is now a commodity, a feature included in UTM appliances, IPS systems and, now, Windows Vista.

This is all good news for the average user. Viruses are going the way of the Amiga and OS/2 Warp and security vendors and OS makers are building better products. But the catch is that the criminals could not care less. They've been too busy writing custom Trojans, spambots and amazingly clever phishing attacks to notice. Why waste your time creating another variant of Netsky when someone is willing to pay you $10,000 to get root on a university database or break into TJX's network?

Clearly, play time is over. Once the Russian mafia and South American cartels are involved—and make no mistake, they've been involved for several years—the game changes for good.

The big problem that this shift has caused for enterprises is that most of the security vendors have been caught looking like the CIA circa 1999. They're still fighting the last war instead of the one that's now at hand. Outward facing, signature based technologies designed to identify known threats that come in neat little packages are of little use in preventing sophisticated, targeted attacks that exploit zero-day flaws. By the time these attacks are discovered, the damage is done and the bad guys have moved on to the next one.

There is some hope on the horizon, however. A handful of start-ups and forward-thinking security companies are developing technologies that show promise in preventing unknown attacks and protecting machines with zero-day vulnerabilities. Determina, a small Redwood City, Calif., company, has a system it calls the Vulnerability Protection Suite, which uses a virtual machine architecture to prevent any malicious or unapproved code from executing on a protected machine. And Solidcore Systems has developed a change-control system that tracks all changes in an environment and prevents any unauthorized changes to a machine. These approaches share a common philosophy of protecting the machine itself and enforcing known good behavior rather than attempting to identify and stop potentially bad behavior.

Given the level of venture capital investment in security start-ups in the last few years, there are surely other small companies in stealth mode or just getting off the ground right now that are working on the next wave of innovative products. Let's hope so. The way things are headed, we're going to need their help.