Ceaselessly, with no end in sight despite outlays that amount to a tax on doing business, the decades-long struggle against malware drags on.
Today, around 5% of the average IT budget is devoted to security, estimates John Pescatore, a director at the SANS Technology Institute. Cybercrime (including malicious insider attacks and theft of devices) costs U.S. corporations an average of $11.6 million yearly, according to an October 2013 study by the Ponemon Institute that was sponsored by HP Enterprise Security. This cost represents a 23% increase over last year's average of $8.9 million per company.
Asked why malware is the war without end, experts commonly embrace either a military or an ecological metaphor. Those with the military viewpoint say flawed defenses have led to a stalemate. The ecology-minded don't see it as a war to be won or lost -- they see an eternal cycle between prey and predator, and the goal is not victory but equilibrium.
One who favors the military metaphor is David Hoelzer, director of research for Enclave Forensics in Henderson, Nev. "We are essentially going in circles," he says. "We improve only after our adversaries defeat our defenses. Most software is still riddled with vulnerabilities, but the vendors typically make no move to fix one until it becomes publicly disclosed. Coders are not trained in security, and 'well written' means 'under budget.'"
Security consultant Lenny Zeltser chooses the ecology metaphor. "Attackers take advantage of the defenders, and the defenders respond. It's part of the cycle," he says. "If attackers get in too easily, they are spending too much to attack us. If we are blocking 100% of the attacks, we are probably spending too much on defense. We have been in a state of equilibrium for some time and always will be. But being complacent is dangerous, as we must constantly apply energy to maintain the equilibrium."
Developments in the financial sector offer an example of why it's important to constantly apply energy to maintain the equilibrium. A new report from Trend Micro points out that attacks aimed at stealing online banking credentials recently surged to a level not seen since 2002.
Nevertheless, experts agree that progress has been made -- even if only toward the maintenance of ecological equilibrium or a military stalemate.
The wins so far
At this point, "there are no types of malware for which there are no defenses that we are currently aware of," says Roel Schouwenberg, a researcher at anti-malware software vendor Kaspersky Lab.
"We no longer see the kinds of big spreading malware that we saw three or four years ago, [such as] the ILOVEYOU virus of 2000," adds William Hugh Murray, a security consultant and a professor at the Naval Postgraduate School.
Interviews with analysts and executives at security vendors McAfee, AVG and Kaspersky Lab suggest that the following are the four principal weapons that make this possible:
• Signature detection. This approach gives you the ability to spot malicious code, among other things.
• Behavior monitoring. By adopting this technique, you can do things like spot malicious activity in a computer or determine if a suspicious file will respond to virtual bait.
• Blacklisting. This is a mechanism for blocking access to sites and files that are included on a list of undesirable entities.
• Whitelisting. With this approach, essentially the opposite of blacklisting, users are only allowed access to sites and files on a list of entities known to be harmless; access is denied to sites and files that aren't on the list.
Each of the four has its supporters and detractors, and all the anti-malware software vendors queried for this article said they use some form of all four weapons, in combination.
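To make the four weapons and their combination concrete, here is an added toy model (not code from the article or from any vendor quoted in it) that layers signature matching, blacklisting, behavior monitoring and whitelisting over a few constructed sample files. The signature patterns, host names, family name and sandbox event names are all made up; the point it shows is that the list-based controls differ in their default posture for unknown files.

```python
"""Layered toy model of signature detection, blacklisting, behavior
monitoring and whitelisting. All data below is constructed for illustration."""
from dataclasses import dataclass, field

# Signature detection: byte patterns attributed to known malware families (made up).
SIGNATURES = {b"FAKE_SIG_PATTERN_1": "Example.Dropper.A"}

# Blacklisting: default-allow; block only sources already known to be bad.
BLACKLIST = {"bad.example.invalid"}

# Whitelisting: default-deny; allow only sources vetted as harmless.
WHITELIST_HOSTS = {"updates.example.invalid"}

# Behavior monitoring: sandbox events that, seen together, count as malicious activity.
SUSPICIOUS_BEHAVIOR = {"write_autorun", "open_network"}


@dataclass
class Sample:
    name: str
    data: bytes
    source_host: str
    sandbox_events: set = field(default_factory=set)


def signature_hit(s: Sample):
    """Return the family name of the first matching signature, or None."""
    return next((fam for pat, fam in SIGNATURES.items() if pat in s.data), None)


def classify(s: Sample, mode: str = "blacklist"):
    """Return (verdict, reason). 'mode' sets the posture for files no layer
    recognises: 'blacklist' means default-allow, 'whitelist' means default-deny."""
    fam = signature_hit(s)
    if fam:
        return ("block", f"signature:{fam}")
    if s.source_host in BLACKLIST:
        return ("block", "blacklist")
    if SUSPICIOUS_BEHAVIOR <= s.sandbox_events:   # all suspicious events observed
        return ("block", "behavior")
    if s.source_host in WHITELIST_HOSTS:
        return ("allow", "whitelisted")
    if mode == "whitelist":
        return ("block", "not-whitelisted")
    return ("allow", "default-allow")


# Constructed samples: a known family, a file from a listed bad host, a vetted
# update, a novel file that misbehaves in the sandbox, and a novel file that does not.
KNOWN = Sample("known.exe", b"...FAKE_SIG_PATTERN_1...", "cdn.example.invalid")
FROM_BAD_HOST = Sample("dl.exe", b"\x00\x01", "bad.example.invalid")
VETTED_UPDATE = Sample("update.msi", b"\x00\x02", "updates.example.invalid")
NOVEL_BAD = Sample("new.exe", b"\x00\x03", "cdn.example.invalid", {"write_autorun", "open_network"})
NOVEL_UNKNOWN = Sample("tool.exe", b"\x00\x04", "cdn.example.invalid", {"open_network"})
```

Under the default-allow posture the novel, quiet file slips through every layer; only the whitelist posture stops it, at the cost of also stopping every unvetted legitimate file.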
Other defenses include firewalls, which can prevent intrusions and -- with Windows at least -- are part of the operating system, and periodic vendor patches to address vulnerabilities.
A question sometimes raised is whether there are more advanced weapons that we haven't yet learned about. "I've heard that [the anti-malware vendors] have better defenses up their sleeve that they choose not to release since they are not necessary yet, and they don't want to tip their hand," says Zeltser.
The vendors deny this. "Our secret weapons are in force every day -- it's a daily battle," says Tony Anscombe, an executive at anti-malware software vendor AVG Technologies. Indeed, if vendors had something that can stop all viruses "it would be foolish to wait to use it," says Kevin Haley, spokesman for anti-malware software vendor Symantec. "It would be a competitive advantage" to help sell more software, he points out.