
Posts Tagged ‘proactive security’

more malware signatures needed than before

Thursday, June 26th, 2008

In the “duh” reporting of the moment, SecurityFocus reports that:

The number of signatures required to detect malicious code skyrocketed in the first half of 2008.

While I may mock them (gently of course) for reporting something which is obvious, the growth curve is impressive:

The data — part of F-Secure’s IT Security Threat Summary — showed that the company currently requires nearly 900,000 different signatures, also referred to as “definitions” or “detections,” in its product to catch current threats, up from 500,000 signatures at the end of 2007.

The solution, of course, is to stop writing signatures. There is a virtually infinite number of pieces of malware that can be written, and trying to write a signature for each and every one is an exercise in futility. We’ve seen it time and again: blacklisting does not work in the long run. It does not scale, and it is inherently reactive rather than proactive, because a signature can only be written after the thing it detects already exists.
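To make the scaling argument concrete, here is an added example (not code from the original post or from F-Secure) that contrasts a toy byte-pattern blacklist with a hash allowlist. Every sample, signature name and hash set in it is constructed for the illustration; none of it is real malware or a real vendor definition. Each trivially mutated variant forces one more blacklist signature to be written after the fact, while the allowlist needs no change at all.

```python
"""Added example, not from the original post: why a signature blacklist must
grow with every variant while an allowlist does not.

All byte strings here are constructed toy data, not real malware."""
import hashlib
from typing import Dict, List, Optional, Set

# Constructed "signatures": one byte pattern per known variant, the kind of
# entry a vendor has to ship for each new sample it has already seen.
SIGNATURES: Dict[str, bytes] = {
    "toy.dropper.a": b"\x90\x90CALL_HOME/",
}

# Constructed samples: the known variant, a one-byte mutation of it that the
# author of the malware could produce in seconds, and a benign file.
KNOWN_SAMPLE = b"\x90\x90CALL_HOME/ping"
VARIANT_SAMPLE = b"\x90\x91CALL_HOME/ping"  # second byte changed
BENIGN_SAMPLE = b"MZ\x90\x00hello world"


def blacklist_verdict(sample: bytes, signatures: Dict[str, bytes]) -> Optional[str]:
    """Return the name of the first signature whose pattern occurs in the
    sample, or None if no signature matches (i.e. the sample slips through)."""
    for name, pattern in signatures.items():
        if pattern in sample:
            return name
    return None


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Allowlist: hashes of software that has been explicitly approved to run.
# Anything else is blocked by default, known or unknown.
ALLOWED_HASHES: Set[str] = {sha256(BENIGN_SAMPLE)}


def allowlist_verdict(sample: bytes, allowed: Set[str]) -> str:
    """Allow only samples whose hash is in the approved set."""
    return "allowed" if sha256(sample) in allowed else "blocked"


def make_variants(base: bytes, n: int) -> List[bytes]:
    """Constructed mutation: produce n variants of `base` that differ only in
    the second byte (0x91, 0x92, ...), so none of them still contains the
    original \\x90\\x90 prefix the signature keys on."""
    assert n <= 0xFF - 0x91 + 1, "too many variants for a single-byte mutation"
    return [base[:1] + bytes([0x91 + i]) + base[2:] for i in range(n)]


def signatures_needed(variants: List[bytes], signatures: Dict[str, bytes]) -> int:
    """Count variants the fixed signature set misses. Each miss is one more
    signature a vendor would have to write, after the variant is already in
    the wild: the reactive treadmill the post describes."""
    return sum(1 for v in variants if blacklist_verdict(v, signatures) is None)


def allowlist_entries_needed(variants: List[bytes], allowed: Set[str]) -> int:
    """Count allowlist entries that must be added to keep the variants out.
    The answer is always 0: unapproved code is blocked without being named."""
    return sum(1 for v in variants if allowlist_verdict(v, allowed) != "blocked")


if __name__ == "__main__":
    variants = make_variants(KNOWN_SAMPLE, 50)
    print("blacklist catches known sample:", blacklist_verdict(KNOWN_SAMPLE, SIGNATURES))
    print("blacklist catches one-byte variant:", blacklist_verdict(VARIANT_SAMPLE, SIGNATURES))
    print("new signatures needed for 50 variants:", signatures_needed(variants, SIGNATURES))
    print("new allowlist entries needed:", allowlist_entries_needed(variants, ALLOWED_HASHES))
    print("benign sample under allowlist:", allowlist_verdict(BENIGN_SAMPLE, ALLOWED_HASHES))
```

The caveat a practitioner will want: the allowlist blocks the variants for free, but it also blocks any new legitimate program until someone approves it, so the maintenance effort moves from chasing malware to curating the approved set. That is a far smaller and more predictable job than one signature per variant, which is the post’s point, but it is not zero.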

Proactive vs reactive

Tuesday, May 20th, 2008

I went to a medical school graduation last night, and the keynote speaker gave a speech wherein he pointed to three things that were changing the way medicine is practiced. The first was the sequencing of the human genome, the second was the IT revolution, and the third was the fact that medicine is now being treated as a market commodity. While all are interesting, it was his comments on the first factor (the human genome) that bear some commonality with information security professionals. For millennia, medicine has been a reactive science. Someone gets sick, so doctors try to find a cure. Although the human genome is clearly not the only thing to bring about a change in the way medicine is practiced, it was pointed to as a major landmark in the shift of medicine from reactive to proactive. Doctors can now know ahead of time if someone is at high risk for certain conditions, and begin treatment before a patient actually exhibits symptoms. (I know this is an oversimplification, but it’s the principle that matters.)

Information security has been struggling with a similar transformation for several years now. Everyone seems to realize that reactive information security is not the way to go in the long run, yet few can figure out how to get away from it. We’re still stuck in our test-patch-repeat mindset. Maybe we need something similar, something like the sequencing of the human genome, to shake things up.
