Want 'perfect' security? Then threat data must be shared

Roger A. Grimes

I mean, it's great if you tell me that a new phishing campaign is underway with the email subject line "Nude pictures of Kate Upton," but to be honest, I'd rather my anti-malware product handle the email and block it before it gets to my desktop. In fact, this is the way most anti-malware is supposed to work. It just doesn't work super-accurately.

All together now
The real disconnect is that a new malware campaign may be noticed by one anti-malware vendor within minutes, but it may take hours or even several days to be noticed by your particular anti-malware vendor.

For example, I love to submit new malware files to VirusTotal. It takes your suspected malicious files and runs them against dozens and dozens of anti-malware programs. No matter what malicious file I submit, there are always some anti-malware engines that recognize the malware and some that don't. While writing this sentence, I submitted an old copy of the Melissa macro virus from 1999. Only one out of the 51 anti-malware engines recognized it, and it was not the one you would guess.

Why didn't more of them recognize it? I don't know. But what I do know is that when I submit a brand new malware program, it is rare for every anti-malware engine to miss it; almost always at least one recognizes it. Individually, each engine misses stuff -- but together they are deadly accurate. Give me the collective thoughts and information from all malware vendors, and I have nearly perfect information. Give me less, and I end up with gaps.

I would love a world where all anti-malware vendors submitted their verified telemetry with a centralized Internet service, which could be queried by any software or device to deliver protection to end users. VirusTotal does this on a limited scale, but we need more. Let's put all this information into the cloud and make it accessible by anyone. Anti-malware vendors would certainly use this enriched information -- and produce products that will protect us better.

Instead, we have imperfect collectors, each in their own silos, trying to use incomplete information to deliver perfect protection. It doesn't work that way. It would be better if all the information collectors submitted their information to the centralized database, improving the database as a whole, and then used that improved database to better the world.

The current model isn't working. I have this fantasy where all buyers refuse to buy inaccurate products (most of which promise us 100 percent protection nonetheless). This would force all the individual vendors to play better together and share more information. We would all benefit.

I have a dream, too.

Source: InfoWorld