Greg Young

A member of the Gartner Blog Network


Scope-Lock

October 20th, 2008 · 3 Comments

In the military we had an expression to describe people who got so focused on a single source of feedback that they ignored other data, to their detriment. "Scope-Lock" described pilots who fixed their attention on the radar display and didn't look up to see the power lines. 25 years later I can still clearly recall the "that data does not fit the reality I have constructed" look (always accompanied by rapid blinking) on a captain's face when I said to him "sun rises in the east" while he was leading 100 former friends on a back-bearing, i.e. going the wrong way.

On Friday I looked at the scopes provided by a few security vendors on the current worldwide malware threat. Here are the screen captures:

[Screen captures of the public threat gauges from Symantec, McAfee, Fortinet (threat level), IBM/ISS (Internet Security Systems AlertCon) and Cisco]

So, the bigger antivirus companies seem to agree, and both use a 4-point scale. When we start looking at others, things deviate. Fortinet and IBM seem to disagree greatly (a light-hearted thought is that they each have HR policies hiring exclusively optimists or pessimists in their threat warning centers; philosophically, each would have advantages…).

Those who are not security pure-plays, like Cisco, don't grade severity but warn of activity within a 24-hour window. Microsoft didn't seem to have a gauge, which I attribute to their patch timetable being well known and a reverse indicator of threat: it provides a remedy (patch or other guidance) and an indicator of severity. Many other IPS and antivirus companies I looked at didn't provide any easily-found gauges on their public websites, but may do so on their customer consoles.

Kaspersky provides a similar view to that of Cisco, although jaded security professionals could also take the threat warning as their moment of zen:

[Screen capture of the Kaspersky threat gauge]

Overall, the results are so varied that I have low confidence in the value of these gauges. Also, most paying enterprise customers will be getting important update alerts from their vendors anyway. Consumers and businesses without a security team getting console-level updates need a way to find out whether they need to do something unusual beyond the usual cycle of updates, such as when a major exploit or large denial-of-service attack is expected or underway, BUT without getting Chicken-Little'd (there were 1000 critical exploits observed in Punxsutawney this hour!) or having to check a web site.

FUD marketing makes customers angry (unless they are looking for analyst quotes to get budget). Help them solve a problem; don't be one.

And yes, virus activity is normal.
