Software and services that deliver early warnings of trouble on the Net are the latest big advance for the $27 billion computer security industry. Unlike traditional antivirus or intrusion-detection software that builds walls around corporate networks, early-warning systems scan the Web for new viruses and alert companies to the danger. Instead of waiting for the virus to hit, they dispatch instructions on how to close network holes, patch faulty software programs, or, like IronMail, automatically erect defenses against new outbreaks. While early warnings can't yet make corporate networks impervious to attacks, computer security experts predict they could eliminate as much as 50% of the damage from viruses over the next three years -- when used in conjunction with traditional defenses. "It's like a Doppler radar system that identifies where the next threats are going to occur," says analyst Allan Carey of market researcher IDC.
A growing number of tech companies are entering this new market. While it's still a sliver of the total computer security business, with $50 million in sales last year, revenues of early-warning systems are expected to grow at an annual clip of 20% or more over the next few years. That's slightly faster than the overall security market, which is expected to grow 19% this year.
The new technology is emerging in response to ever more effective virus makers. They are getting so expert that the gap between the time when they learn of vulnerabilities and when they exploit them is closing fast. Sasser hit just 17 days after Microsoft revealed a flaw in Windows on Apr. 13. Security experts predict hackers will soon be producing new viruses in a matter of hours. "People are sick and tired of being hit blind," says Alfred A. Huger, senior director of engineering at computer security giant Symantec Corp. in Cupertino, Calif.
Security specialists have dreamed up several kinds of early-warning techniques, each with its own strengths. TruSecure, based in Herndon, Va., and Symantec use technicians working around the clock to monitor Web traffic. Symantec's team taps into 20,000 sensors placed at Internet hubs in 180 countries to spot e-mail and other data packets that seem to be carrying viruses. It then evaluates the suspicious items to see what new viruses are on the loose -- and alerts customers to update their antivirus software. As an added element of its service, TruSecure sends technicians posing as hackers into online virus-writer communities to find out what they're plotting. TruSecure boasts that it even contributed to arrests of the authors of the Melissa, Anna Kournikova, and Love Letter viruses.
Other security companies rely on software alone to do their monitoring. CipherTrust and MessageLabs Ltd. in Cirencester, Britain, mine huge databases of e-mail compiled from their customers, comparing them with the 90,000 known viruses and with new e-mails zipping into corporate networks. The technique is predicated on the fact that 95% of new viruses are variants of older ones. Their systems quickly spot the new variations, automatically fashion defenses, and send e-mail alerts to clients about what's coming their way. "If we can catch the old things, we can catch the new things," says Alex Shipp, chief virus technologist at MessageLabs.
Even with early-warning systems, computer users will be vulnerable to attacks. As security software becomes more robust, virus makers work overtime to get around it -- banding together and rapidly turning out new versions of digital diseases. Since the original Sasser virus was launched on May 1, at least three variants have been unleashed. Indeed, the early-warning systems have their blind spots: E-mail-scanning software can't spot altogether new viruses, while manned Net-watching services are useful only if corporations quickly update antivirus software, say executives.
Still, the systems are an important new weapon in the hands of corporate-security czars. Verisign Inc. in Mountain View, Calif., was able to warn 1,000 corporate clients of the impending arrival of Sasser 21 days before the virus started attacking corporate networks. Verisign's software-monitoring system on the Internet had noticed so-called pre-tremors, small spikes in Internet traffic that signaled that virus makers were testing to see if they could breach corporate networks. Verisign's monitors picked up the activity, analyzed what the hackers were doing, and alerted clients to close the network access points being targeted. That's a satisfying turn of events. Early-warning systems are at last letting companies use technology to get a jump on the bad guys.
By Brian Grow in Atlanta