Who you gonna call? Bugbusters

Under John Thompson, software security giant Symantec has turned viruses into healthy profits, writes Stephen Pritchard
Click to follow
The Independent Online

August was one of the cruellest months for the IT industry. Within the space of a few weeks, computer systems were crippled by two computer "worms", Slammer and SoBig. These worms, a variant of a computer virus spread through email attachments, cost global businesses millions, if not billions, of dollars in down time and lost productivity.

But for the computer security company Symantec, the month was anything but cruel; hectic would be a more appropriate word. The business, best known for its Norton anti-virus software, has 20,000 sensors in 180 countries constantly monitoring traffic going over the internet. Whenever there is a serious virus or worm outbreak, Symantec's anti-virus engineers will be among the first to know.

It is this team, and the company's rapid response technology, that its president and chief executive, John Thompson, credits with keeping the company in pole position in the computer security business. What's more, it stayed in profit during the IT industry's worst-ever down- turn. Symantec's turnover will exceed $1.7bn (£940m) in the financial year ending in April, and is expected to top $2bn in 2004-05. For Thompson, outbreaks such as the Slammer worm are less of a business opportunity and more of a warning sign. He admits that the publicity did Symantec no harm, but describes August's boost to sales as a "bubble".

Thompson believes that Symantec's success comes from reading the markets accurately, something that rivals - including IBM and Microsoft - have failed to do. Yet its success is tempting those rivals to target Symantec's market, and maybe even the company itself. "It's clear to me that security for individuals and business users has been one of the most robust IT markets, even in the face of the huge downturn," Thompson maintains.

Competitors, he suggests, failed to anticipate the way the computer security business, and in particular the threats that drive it, would evolve. In the early 1990s, the main threat to businesses came from software viruses; in the mid-1990s, it was "macro" viruses that used the scripting language in programs such as Word and Excel to create damage. But these viruses, critically, spread only if users copied a virus-carrying application on to their computers and ran it, or in the case of the macro viruses, opened an infected file on their PCs.

Today's "blended" threats are much more sophisticated and dangerous. They also spread more quickly, because of the internet. They are smarter, attacking computing infrastructure such as mail servers directly. They can often spread without human intervention. They are better at evading detection, so that established anti-virus techniques, such as scanning files for particular "signatures" in the computer code, are no longer sufficient.

Virus and worm writers are becoming more adept at exploiting vulnerabilities in operating systems, Thompson cautions. "Last year's Slammer outbreak exploited a vulnerability first discovered the year before. The next generation of viruses will spread more quickly. But Blaster circulated just 26 days after identification of the problem. As the landscape evolves, the propagation of attacks will accelerate from days, to hours, to minutes."

Symantec's engineers are worried by "Warhol" threats, named after Andy Warhol because they can spread across all vulnerable computer systems within 15 minutes. The Slammer worm, Thompson says, was the first glimpse of this threat, because it affected 90 per cent of computer systems in under 10 minutes.

Worse still are flash threats, which could spread across the internet in as little as 30 seconds. Thompson admits his researchers have yet to find a flash threat, but if a virus or worm is possible, it will almost invariably happen in practice, sooner or later. This poses a problem for the computer industry, not least because virus and worm outbreaks seriously undermine public confidence in technology. Software companies such as Microsoft are in a constant game of catch-up with virus writers and hackers.

So far, businesses with strong IT security policies have been able to avoid the worst of the threats by keeping anti-virus and firewall software up-to-date, and applying "patches" to operating systems as quickly as possible. Most of last summer's problems could have been prevented had businesses acted quickly to install the maintenance updates that companies such as Microsoft publish on their web sites.

However, Thompson points to computer security risks known as "day zero" threats, which act to exploit system weaknesses the moment they are discovered. With these viruses, even the most alert IT managers will not be able to update their systems quickly enough.

This race against time is prompting computer security companies to look again at how they protect their customers. One single line of defence such as anti-virus software is not enough. Instead, businesses and individual computer users will need to turn to layers of protection, and to more intelligent software that monitors systems for suspicious behaviour. Automation, Thompson suggests, is the only way to ensure that computer systems are safe in the future: viruses, worms and other malicious applications spread so fast that humans cannot keep up. The problems of the volume and speed of threats, he believes, play to Symantec's strengths. The group has moved into the managed security services market, where its engineers run security software on behalf of customers, monitor incoming information and send alerts when there is a serious problem. Another strategic decision that is paying off was to combine conventional anti-virus software with firewalls and programs that detect intrusions from cyberspace. It is this layered approach to security that Symantec's rivals have failed to copy with the same success.

Symantec also has an early warning system in its armoury. As a software company, it operates a common infrastructure to deliver updates of its security programs to its customers. It is this infrastructure that gives Symantec customers a far better chance of beating security threats. Thompson claims that this technology, known as Live Update, sets the company apart from its competitors. "It is not just scanning technologies for viruses or denial of service attacks that gives us the edge, but the response infrastructure, early warning systems and global support capabilities," he says.

Emulating this infrastructure is more difficult than writing the security programs themselves, he suggests. It is one reason why large IT companies have not successfully re-entered the security software market. "The price of entry is a lot higher, and building it from scratch would be time-consuming," he points out.

But while Thompson is confident that Symantec can maintain an edge over rivals, he doubts that virus writers and cyber criminals will scale back their efforts even if most people do invest in security software. "Even when everyone has anti-virus, firewall and intrusion detection software, the people who perpetrate cyber-crime will not be deterred." he warns. "The social hacker or the script kiddie [an amateur who downloads hacking tools from the internet] may be put off, but the criminals who do real damage will be more determined."