Malware boom forces security vendors to roll out upgrades every 40 minutes

[Reefa]

A boom in cybercrime levels is forcing security vendors to release defence updates every 40 minutes, according to security firm Symantec.

Senior manager for Symantec Security Response Orla Cox reported the development during a briefing attended by V3. "We're seeing more sophisticated attacks than ever before and people want security," she said.

"Nowadays we are rolling out virus signature upgrades around every 40-50 minutes. They're rapid response upgrades that go through partial vetting. We then follow them up with three upgrades per day that are fully certified."

Cox said Symantec began rolling out the rapid updates to help mitigate the growing number of malware variants and active cyber campaigns targeting its customers.

"It's been about shaving off minutes for the last couple of years. If you came to us a few years ago it was one [update] and before that it would have taken hours. The rapid updates are for people that need a rapid response, like those suffering an infection."

She said Symantec blocked 568,700 web attacks on its customers and detected a massive 1.6 million malware variants per day in 2013. But despite helping customers, Cox said the company's rapid update cycle has increased the risk of pushing out an update with a false positive signature.

"The biggest quality issue we face is the danger of false positive definitions. There's a risk of detecting something clean as malicious, that's the big no no in our industry, so it's as much about building definitions libraries about legit files as malicious," she said.

False positives are updates from security providers that list legitimate files as malware and block them from running. In the past the faulty updates have caused damage to many companies. In 2013 Malwarebytes crippled thousands of its customers' machines when it issued a false positive update.

Cox said the influx of new threats has also forced Symantec to expand its analysis procedures in recent years. "We've had to evolve how we work, it's not just about providing protection and moving on any more. Threats and the landscape have changed and to address this we've begun doing intelligence work," she said.

"We do bespoke research on occasion, with both customers and law enforcement. These situations are ones where we have the skills they don't – that's the benefit of us being here every day, reverse-engineering malware.

"Doing this over the years we've had to develop a number of systems and now we're trying to understand the individual attacks in the context of who did them and why."

Symantec is one of many technology firms to begin adopting an intelligence-based approach to cyber defence. Facebook unveiled a new automated ThreatData security service designed to detect and catalogue new malware families earlier in March.

Source