Reacting to Attacks Dooms Us to Failure

I want to talk about something that’s been troubling me for some time now. The IT industry, as a whole, is spending an enormous amount of time, effort, and money on reactive solutions that are doomed to failure.

I’d even argue that they have already failed us.

No, I’m not saying that we have to abandon everything we’ve done, but I am saying that we do need to be careful not to rely on reactive solutions as our sole means of defense. I have no doubt that our current reactive practices are resulting in undue expenses and, in turn, erosion of customer confidence.

Let’s start by taking a quick look at how we got ourselves into this predicament …

Back in 1987, I was working in a university computing facility when we got hit by one of the first PC virus outbreaks ever recorded. That attack was followed shortly after by a wave of first-generation PC anti-virus products. The product approach that quickly dominated the market was the signature-based anti-viruses that we’re all now accustomed to. Later, as firewalls, intrusion detection systems, and other protective products have joined the general security market, many have followed suit — perhaps inadvertently — by sticking with signature-based products.

What these product solutions all have in common is a human element: When a new virus, attack, Trojan horse, spyware, etc., is discovered, an engineer at the product vendor analyzes the malware carefully. Once analyzed, the vendor releases a ‘signature’ of some sort that matches the malware and enables the product to identify it thereafter. Of course, that signature only works if the vendor distributes it to all of its customers and then customers install it across all of their systems.

In today’s world, it’s a pretty safe bet that the time from analysis to deployment of a signature set is, at a bare minimum, a full business day for products that have the very best signature distribution capabilities.

In a similar vein, our operating system and application product vendors use a reactive-based model for distributing product updates, service packs, and patches. Just because a vendor makes a patch available doesn’t mean that the user base of that product is now protected.

We don’t need to look any further than the headlines to validate that this process is failing.

Although this approach may have been adequate throughout the 1990s, today’s unprecedented levels of connectivity and desktop computing extensibility have made it obsolete and unacceptable. According to recent media reports, new viruses, such as Mydoom and Bagle, are showing up and spreading at rates that we’ve never seen before.

We can no longer keep up with this pace using reactive solutions. The best we can hope for is to delay the inevitable.

These factors are what have brought me to the conclusion that we can no longer continue this way. We need to move forward to other solutions.