What is Missing from the Symantec Internet Threat Report – Signatures

Life has been busy at Triumfant, and I finally had enough of a break to read the Symantec Internet Security Threat Report for 2010 released last month. The Symantec report is extremely thorough and very well done and provides lots of insight into what those of us in IT security battle daily.

After reading the document, it struck me that there was no mention of signatures. I have used the Symantec report as the baseline to build the Triumfant Worldwide Signature Counter, so I am very much attuned to the signature statistics in the report on a yearly basis. So I did a search to be sure and, sure enough, no mentions. It is like the scene from “The Ten Commandments” when Seti the King decrees “Let the name of Moses be stricken from every book and tablet”.

Just for comparison’s sake, I then brought up the 2009 report (released in 2010) and performed a search on the word “signature” which returned 37 hits. To be fair, some of those mentions were in footnotes, but there was also this direct reference:

“Symantec created 2,895,802 new malicious code signatures in 2009, a 71 percent increase over 2008; the 2009 figure represents 51 percent of all malicious code signatures ever created by Symantec.” (Symantec Global Internet Security Threat Report Volume XV, P. 17)

Could it be? Did the Triumfant Worldwide Signature Counter drive Symantec to take the entire notion of signatures underground? Or was it the idea of having to enumerate a signature count that now exceeds 10,000,000 (11,143,811 as of this morning)? Don’t worry – even though I am admittedly shallow and self-centered, even I would not take full credit for this shift. However…

In a May 4, 2011 press release about their updated reputation-based offerings, Symantec said the following: “The sheer volume of sophisticated attacks targeting organizations of all sizes poses a daunting challenge for traditional signature-based security solutions that can’t keep up.”

Triumfant agrees, and has been saying so for the past three years. When we introduced the Signature Counter in 2009, the web site said: “The point of the counter is simple: malicious attacks are growing in both volume and complexity, and the sheer volume is reaching a point where it begins to surpass the collective capability of security vendors to keep pace.”

Okay, so maybe we influenced the issue. The idea behind the Signature Counter was to create awareness.

Now that we have clearly come to grips with the signature problem, the discussion has to shift to detection taking a prominent seat next to prevention. We call that “The New Math Endpoint Protection” and you can get more details here (rather than read about it from one of the big vendors in 2014). The Symantec report for 2010 says that they recorded three billion malicious attacks last year. Those are the ones that were detected – the mind boggles at how many more got through undetected. Moving past signatures was a big step – now we must embrace the notion of detecting the attacks that get through. More on that soon.