Thursday, September 13, 2007

anti-virus as a commodity

i was reading the daily incite yesterday (as i tend to do) and i noticed one of the items was about anti-virus... it had an element that was pretty usual fare from mike rothman in that he talked about how this or that just reinforces his point that anti-virus has become a commodity - and i don't necessarily disagree with him, in fact i think i've said things that were more or less in line with that in the past...

however, as i was reading this particular instance i realized that there was a fundamental assumption to the idea that anti-virus is a commodity - the assumption that when it comes to choosing an anti-virus all malware is created more or less equal - and i began to wonder if that was really a justified assumption to make...

this may seem like nothing more than playing devil's advocate but humour me... let's look at what i think is a fairly typical thought pattern for calling av a commodity (from mike's post):
"The one thing I come away with is that all the products are decent, thus I'm going to state the obvious. AV (and other malware defense) suites are true commodities. All stop viruses and other malware attacks."
so my question is what if we stopped treating the threats anti-virus deals with as one big amorphous mass but instead looked at the various subsets of malware and, more specifically, drew a distinction between what is new and what is not... would av look like a commodity then? is the commoditization perspective born of an oversimplification of the problem? if we started paying specific attention to performance with new malware, wouldn't that provide a basis for vendors to differentiate themselves from the competition in a truly meaningful way? the retrospective testing at av-comparatives.org seems to show some significant variation in performance between the different products available so it certainly seems that if you drill down into the problem space that anti-malware products are supposed to address, things can look a lot different than they do from a bird's eye view...

this isn't the only example of things looking different when you start considering the details... a few days earlier marcin wielgoszewski posted this question about best of breed vs bundles... i have to admit if i were confronted with this question framed the way it was there, i might actually go with bundles, but that really says more about the power of framing than it does about the efficacy of bundles... this is actually something that builds on the "product class X is a commodity" result from before because it only considers the presence of various broad classes of security technologies in the bundles and not the specific underlying properties of each implementation... if you were to again dig deeper into what the capabilities of the products are and evaluate what kind of coverage you get against the types of threat agents you're trying to defend against, you're going to wind up not only with a much more granular picture but one that could easily lead to a different bundle selection... in fact, i feel rather confident that if you dug deep enough you might even see a picture where no bundle gave you satisfactory coverage... of course then you'd have to decide whether or not that level of granularity is worth it but that's another analysis entirely...

not that any of this is to say that anti-virus is not a commodity, i still think there's a level of abstraction or frame of reference where that's a perfectly valid thing to say - but it's not the only frame of reference... the more general you go the more true it becomes, but at the same time the more details get glossed over (and the devil is in the details)... i think it's important sometimes to question the assumptions that bind us to a particular frame of reference so as to remind ourselves that there are others out there that may be equally good or possibly even better depending on the circumstances...

2 comments:

Mike Rothman said...

Questioning assumptions and looking at the issue through a few different lenses is always valuable. And I think the vendors definitely want you (and everyone else) to think that there is a difference in malware types.

The reality is that customers don't care. They want to be protected, whether the vector is XSS, Trojans, rootkits, spyware, et al. And the endpoint security suites (read AV) need to do that.

So regardless of the lens I use, I still come up with generally the same picture.

kurt wismer said...

ok, but you do realize that when you qualify things with "customers don't care" that you're actually constraining yourself to a single lens (the perspective of the market)...

i don't disagree with the fact that as far as the market is concerned av is a commodity, but i also know that i don't always see it that way myself...