Improving defenses

Information security companies are working to bolster their defenses, and antivirus products have become a focal point for activity.

Antivirus vendors endeavor to churn out signature files — the .dat files that identify viruses — as soon as new threats are discovered. But the process of constantly updating antivirus products is a difficult tactical battle, said John Watters, president and chief executive officer of iDefense Inc. Virus writers have become "effective at coming out with a new variant at a pace [anti-virus vendors] can't catch up with," he said.

Customers face exposure from the time a malware or hybrid threat is first identified to the time vendors update their antivirus signatures. Another critical issue: Signature-based products can only ward off known threats.

"Signature-based antivirus software isn't enough anymore; it needs to be complimented," said Jon Oltsik, senior analyst for information security at Enterprise Strategy Group.

Antivirus vendors are supplementing their signature-based products with detection methods that guard against unknown threats. One such approach is behavior-based technology, which analyzes the behavior of a given piece of code to check for undesirable characteristics. Network Associates Technology Inc., for example, offers Entercept, an intrusion-protection system, which employs both signatures and behavior rules.

Eset Co. Ltd., meanwhile, uses heuristics technology in its NOD32 antivirus software. One aspect of the technology analyzes instructions in a suspicious file or a piece of code to determine whether a virus-like pattern exists, said Anton Zajac, Eset's chief executive officer. The company's heuristics approach also lets code run in confined, virtual memory within a PC to check for suspicious activities, said Maros Mozola, vice president of business development at Eset.

Another tactic, which goes beyond product technology, is to anticipate what's coming next in the world of viruses, worms and other threats. Michael Rasmussen, a principal analyst with Forrester Research's security group, said some organizations are pursuing security intelligence.

Most anti-virus vendors run their own intelligence-gathering operations, but Rasmussen also pointed to independent intelligence firms. One such company is iDefense, which collects information on vulnerabilities and emerging threats. Watters said such intelligence can help organizations implement an interim patch in the time gap between threat and remedy. Workarounds may include changing a configuration setting on an e-mail gateway or firewall. The idea is to "close the gap and not rely just on the vendor to update," Watters said.

Oltsik added that proactive firewall management, aggressive filtering and constant monitoring should also complement traditional anti-virus ware.

Sources: Computer Associates International Inc., F-Secure Corp., Network Associates Technology Inc. and Symantec Corp.