Symantec After New York Times Attack Says Antivirus Isn’t Enough

Photograph by Max Oppenheim

The hacking of the New York Times illustrates the limitations of antivirus software sold by Symantec and others in catching attacks. It’s a cat-and-mouse game where the mouse usually wins.

Symantec, the world’s biggest antivirus-software maker, built a $15 billion empire on the back of a technology that it acknowledges doesn’t work that well at all.

The New York Times, a Symantec customer, reported today that its computer network was hacked repeatedly by attackers in China, and that Symantec’s programs didn’t catch the breaches. In response, Symantec put out a statement that said “anti-virus software alone is not enough.”

Other security technologies are needed to stop an attack like the one that hit the Times, Symantec said. While that may appear to be a bizarre admission from an antivirus maker, it’s no secret among security companies — and their customers — that antivirus programs are becoming less useful.

While security software is good at blocking malicious software it’s seen before, changing just one line of programming code can make a piece of commonly used malware invisible. Sophisticated attacks using custom software often don’t trigger alarms. Even Symantec itself was hacked and had some of its code stolen.

The shortcomings of antivirus software provide a sales opportunity. Worldwide spending on security software is projected to top $20 billion this year, according to Gartner. While Symantec doesn’t break out revenue from antivirus software, it’s a significant part of the company’s consumer and corporate security businesses, which had sales of $4.07 billion in the company’s latest fiscal year.

While antivirus software often won’t stop advanced attacks, technologies based on analyzing attack patterns and the digital fingerprints of software can help thwart some sophisticated threats, said Cris Paden, a spokesman for Symantec.

The New York Times is still a Symantec customer, according to Eileen Murphy, a spokeswoman for the newspaper. The software was deployed properly on all machines in the Times’ network and did not spot the hackers’ malware, she added. The Wall Street Journal also reported that its systems were breached.

Bloomberg LP, the parent of Bloomberg News, is aware of attempts to infiltrate its computer systems and “the company’s security was not breached,” said Ty Trippet, a spokesman.

So in the cat-and-mouse game between security companies and the hackers they’re paid to stop, consider the latest breaches examples of how sometimes the mouse gets away. In fact, the mouse often gets away. The security industry has a funny solution: sell you a bigger cat.
