Thursday, October 13, 2005

fyi Malware Naming Plan Gets Chilly Reception

All:

Pointer to article:
http://www.eweek.com/article2/0,1895,1868236,00.asp

Kobielus kommentary:
Yes, yes… Beelzebub has a thousand names, and every one inflicts a private pain.

CME’s aims are laudable. But objections to the plan are grounded in realism. How can any single surveillance center tag all new malware signatures uniquely, quickly, and definitively? How can the diverse anti-malware vendors’ proprietary naming schemes be harmonized quickly around a common threat registry? How can a centralized naming registrar move quickly enough to provide the anti-malware community with the ammunition necessary to ensure a common, continuing defense against all such threats? No easy chore, as this article notes. Not as fine-grained as naming every raindrop that falls from the heavens, but not as coarse-grained as assigning nicknames to hurricanes.

Clearly, this is a federated identity management problem, where the entities being identified are programmatic constructs that were designed to evade identification, and the identity providers (IdPs) don't want to be slaved to a single master registry. In the anti-malware space, what we have are diverse IdPs (the anti-malware vendors), each with their own identity registration practices. As regards the CME initiative, the general industry goal is to federate everybody's malware identity registration schemes around a common identity hub, possibly managed by MITRE. The general concern is that the CME hub won't be able to move fast enough to uniquely identify malware species and signatures to allow the "federated" anti-malware vendors to organize more effective common countermeasures.

I'd like to suggest that the CME be regarded not as a common malware registry but as a meta-registry: essentially, a meta-directory responsible for tracking the correspondences between diverse anti-malware vendors' nomenclatures. Just as wars are fought by those entrenched on the front lines, the first defense against all incoming threats will continue to be the anti-malware vendors' own round-the-clock operations centers, which will need to automatically forward all reports to the common industry-wide nerve center for further analysis. As an always-on-call resource, the common CME anti-malware nerve center will help the industry regroup to fine-tune its defenses. It will also help each vendor to determine "lessons learned" elsewhere on new threats, and to correlate divergent nomenclatures, to eliminate unnecessary cross-vendor confusion.
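To make the meta-directory idea concrete, here is an added illustration (my own example code, not anything from the article, from MITRE, or from the CME program). It assumes the hub identifies a specimen by the SHA-256 of its bytes and hands out a constructed "CME-n" counter id; both are assumptions for the example, not the real CME scheme. The point it shows is that the hub need not replace vendor names at all: it attaches each vendor's name to the specimen's common id and can then translate one vendor's name into another's, and it makes visible the case where a vendor's coarse family name spans several specimens.

```python
import hashlib
from collections import defaultdict


class NameRegistry:
    """Meta-directory mapping vendor detection names to a common identifier.

    Specimens are keyed by SHA-256 of their bytes (an assumption of this
    example, standing in for whatever specimen identity the hub would use).
    Each distinct specimen gets one common id; vendor names hang off it.
    """

    def __init__(self, prefix="CME-"):
        self._prefix = prefix          # constructed id format, not the real CME numbering
        self._counter = 0
        self._sample_to_id = {}        # sha256 hex -> common id
        self._names = defaultdict(lambda: defaultdict(set))  # id -> vendor -> {names}
        self._by_name = defaultdict(set)                      # (vendor, name) -> {ids}

    def report(self, vendor, name, sample):
        """Record that `vendor` detects `sample` under `name`; return the common id."""
        digest = hashlib.sha256(sample).hexdigest()
        cid = self._sample_to_id.get(digest)
        if cid is None:                 # first time anyone has reported this specimen
            self._counter += 1
            cid = f"{self._prefix}{self._counter}"
            self._sample_to_id[digest] = cid
        self._names[cid][vendor].add(name)
        self._by_name[(vendor, name)].add(cid)
        return cid

    def aliases(self, cid):
        """Every vendor's name(s) for one common id."""
        return {v: sorted(n) for v, n in self._names.get(cid, {}).items()}

    def resolve(self, vendor, name):
        """Common ids a vendor name refers to. More than one means the vendor's
        name is coarser than the registry's per-specimen granularity."""
        return sorted(self._by_name.get((vendor, name), ()))

    def translate(self, vendor_from, name, vendor_to):
        """What `vendor_to` calls the specimen(s) that `vendor_from` calls `name`.
        Returns {common id: sorted names}; an empty list means `vendor_to`
        has not reported that specimen yet."""
        return {cid: sorted(self._names[cid].get(vendor_to, ()))
                for cid in self.resolve(vendor_from, name)}


def demo():
    """Constructed reports from three hypothetical vendors about two constructed specimens."""
    reg = NameRegistry()
    s1 = b"constructed specimen one"
    s2 = b"constructed specimen two"
    reg.report("VendorA", "W32/Example.A", s1)
    reg.report("VendorB", "Worm.Example.a", s1)     # same specimen, different nomenclature
    reg.report("VendorA", "W32/Example.B", s2)
    reg.report("VendorC", "Trojan.Generic", s1)     # one coarse family name ...
    reg.report("VendorC", "Trojan.Generic", s2)     # ... covering both specimens
    return reg


if __name__ == "__main__":
    r = demo()
    print(r.translate("VendorA", "W32/Example.A", "VendorB"))
    print(r.resolve("VendorC", "Trojan.Generic"))
```

The ambiguity surfaced by `resolve("VendorC", "Trojan.Generic")` is exactly the kind of cross-vendor confusion a hub can flag without forcing VendorC to rename anything.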

How will anti-malware vendors compete when they're sharing all their latest threat intelligence with the world? The same way that continuous news channels compete: by boasting that they "got there first" with breaking coverage of the new threat, and with effective analysis geared at providing "news you can use."

News you can use to protect your (or your customers') precious computers from the next cyberplague.

Jim