Blogger: Diana Kelley
At the end of the film "Harold & Kumar Go to White Castle," Harold, emboldened by 30 sliders and an evening of raucous adventures in New Jersey, decides it is time to face his fears and declare his affection for Maria. He announces his intentions to his friend Kumar, who, perhaps made sleepy rather than energized by the sliders, responds, "Still not getting it!"
Like Kumar, it appears that IT is also "still not getting it!" when it comes to malware. Case in point: the recently published CIO Insight survey reports that while only 12% of respondents said money or property had been stolen through electronic means, a whopping 48% of companies reported penetration by viruses, worms, and Trojans in the past 12 months.
48%. Essentially HALF of all reporting enterprises were hit by some form of virus or worm last year. In most fields, a 52% success rate equals failure. Maybe it does for AV too - but maybe not. Another data point: 33% reported that their companies had been penetrated by spyware or other malware. Now contrast these numbers with the fact that 99% of the companies spent money on AV/spyware/malware detection in 2006, and 97% plan to spend on AV/spyware/malware in 2007.
Hmmmm, we spent money on AV, it didn't work and half of us were penetrated, so let's keep spending! More must be better, right? Not to mention that many security assessments will mark down an organization for not having AV, the PCI DSS explicitly states AV must be on Windows machines in the payment ecosystem, and the generally accepted rule is that we're better off with AV than without it.
But is that true? Are we better off? What's the real cost of deploying and managing traditional AV products versus their overall effectiveness? Is AV worth that cost? I'm not talking about the standard hand waving of "oh signatures won't work," but a real shift in thinking. If the 52% represents real dollar savings over and above the cost to purchase and deploy the AV and that also outbalances the costs associated with the 48% penetrations - then it could be success from a bottom line perspective. But it might not be.
We know that 99% of the companies in the survey spent on AV last year, and half of them got hit. What we don't know is whether that money was well spent. What we need are metrics that measure the percentage of successful attacks for companies that use mitigating controls (such as perimeter and host firewalls, intrusion prevention, and whitelisting) both in lieu of AV and in addition to AV. We need a quantitative survey of the effectiveness of the various measures. As far as I know, we don't have these yet. Let me know if you know of any.
We have an industry that continues to throw money at technology with a high penetration rate. What we don't have are numbers that tell us whether that rate is acceptable or not. What we are is, "still not getting it."