The Malware Problem


I like the term ‘malware.’ If you step out of the marketing for a minute, it’s a very simple, clear term to describe software that does something bad in your execution environment. A virus is a kind of malware, and so are rootkits, malicious shell code, and just about anything else you don’t like the result of.

In reading Wendy Nather’s discussion of “The Malware Detection Dilemma” I’m fascinated by this sentiment: “People are giving up on prevention.” 

The principle here, if you accept that sentiment as true, is that a strategy of rapid and effective detection is better than one of prevention. I find myself asking whether that’s true in any other discipline.

There’s a classic analogy (for me anyway) between information security and fire fighting. It’s most often used to explain why prevention is a better investment than detection, though almost always a secondary investment. You’ll never prevent every fire, so you have to detect and respond, but once you have hit the maximum cost/value intersection on that activity, you then invest in prevention. Why? I mean, you could put an active fire response unit in every building or on every floor of every building. We could all carry fire extinguishers with us at all times. We don’t do that, though, because it’s not worth it. Let’s put that another way: the increase in cost of these measures does not equal or outweigh the value delivered. Instead, we invest in prevention because that investment, when you already have detection in place, is worth it.

Shift back to information security now. Does the analogy hold? Sure, I think it does. What doesn’t hold, however, is the assumption that we’re in the same place with costs and outcomes. With fire fighting, the fire doesn’t change behavior so much. With information security, we are dealing with rapidly changing technology on both sides. Perhaps we did hit a threshold with detection a few years back, and we rightly shifted to prevention as the preferred investment, but then the conditions changed in both platform and malware, such that the detection cost/value threshold shifted. Now we’re back to detection being a required investment.

While Nather looks at what’s after ‘advanced’ for anti-malware, she’s only looking at one side of the coin (or perhaps it’s a multi-sided die). We also have to consider what’s next for prevention, for platform, and for attack technology. All three are shifting and while we invest in detection, it may very well be that the next shift is in a next generation platform or prevention technology.
