Wednesday, November 26, 2008

clarification on my morro worse case scenario

well, it looks like a blog conversation may be forming, or perhaps not - we'll see how things go but rich mogull has put up a response to my earlier post on morro, which in turn was partially a response to him (see, a conversation)...

rich doesn't exactly agree with my worse case scenario, but let me be clear it was a worst case scenario (one based in part on the idea rich put forward about microsoft gobbling up the consumer av market) - things can easily go differently if we just keep our eyes open for the signs and avoid them... that being said, the reasons he doesn't agree with me just don't make sense to me...

ignoring whether or not i'm assuming anything about the nature of the av market (granted i don't have the insider knowledge a member of the industry would have, but malware/anti-malware is my main focus as a security blogger), the fact is that there is a non-negligible amount of innovation in it... it may not be a lot (it depends on how you quantify things) but it's certainly not zero... zero innovation is what will happen when there's only one game in town - history has already taught us this and one of the same principals (microsoft) was involved then too...

let's look at some of his specific reasoning:
Morro will be forced to innovate like any AV vendor due to the external pressures of the extensive user base of existing AV solutions, changing threats/attacks, and continued pressure from third party AV.
the problem with this is that rich has already posited the scenario where microsoft gobbles up the consumer av market... what other pressures would it be subject to in that case? there is no extensive user base of existing av 'solutions' (hack, cough, i nearly choked on that term) when microsoft gobbles up the market because there are no other consumer products worth mentioning besides morro... as a result there's no real reason for them to keep on top of the changing threat landscape (any more than there was for them to keep on top of the changing web landscape) because, once again, they're the only game in town...

Morro will force AV companies to innovate more. Morro essentially kills the signature based portion of the market, forcing the vendors to focus on other areas.
actually, if morro gobbles up the consumer market then whatever other av companies are left will be strictly enterprise av companies and they won't be affected by morro in the least since morro is not an enterprise av product...

there's also the question of ease of evasion... rich is right that it's already pretty easy for anyone to evade the current crop of customer-side scanners... that said, it would still be far easier if there were only one product... it's the difference between the complexity of evading a single product and the complexity of evading all of them - the two scenarios aren't even in the same ballpark...

while we're on the topic of low innovation and ease of evasion, however, it seems a good time to mention a rather game-changing innovation that's been popping up in various products recently - scanning in the cloud... panda (not exactly one of the big three) brought this technology to market long before symantec, mcafee, or trend jumped on the bandwagon - but jump they have, and mcafee's artemis has even been included in virustotal... the way i see it this represents a significant innovation and as more and more vendors adopt this approach a number of the currently popular passive evasion techniques (such as targeted attacks and malware q/a) are going to increasingly become obsolete...

so it would seem that the state rich thinks we're currently in (low innovation, easy evasion) is one we may be getting out of, without any help/pressure from a certain known monopolist...
