UnsafeBits
UnsafeBits is a blog by veteran journalist Robert Lemos. It covers the latest in computer-security research and documents the ongoing evolution of cybercriminal techniques. Rob can be contacted at unsafebits-at-robertlemos.com.
Tuesday, September 01, 2009
Antivirus Firms Look to Solidify Cloud Model
Cloud or not? Antivirus companies look for faster ways to detect malicious code, but are foggy on the exact definition of a cloud service.
In the search for better, faster antivirus detection, many companies are pursuing a "cloud" approach to the problem of identifying viruses and other malicious software. Yet, while most vendors agree that moving the analysis--or intelligence--of the product from the user's computer to Internet-connected servers at a company's facility--the "cloud"--is the essence of a cloud service, they disagree about the extent to which security firms have actually moved to the cloud.
"On the surface, it is hard to differentiate because people can use the term 'cloud' really frivolously," says Oliver Friedrichs, CEO of startup Immunet. "When we talk about cloud, we are talking about fairly advanced cloud infrastructure and a real-time capability to look up applications to see if they are malicious."
With Immunet entering the market last month, the competition is heating up. But even the definition of the market is up in the air.
In April, McAfee heralded its Artemis Technology, a service for automating analysis of viruses and other malware, as an effective way to improve antivirus. Later that month, Panda Security claimed to have the first free cloud antivirus solution--a claim that security firm Prevx lambasted a day later, labeling Panda's product "bloatware with a fancy name."
"If we weren't the first, we believe we were one of the pioneers of having the agent watch for malicious behavior and activity and feed it back to our servers," Prevx CEO Mel Morris says.
Morris argues that being a cloud service is not necessarily a binary proposition. Companies' products can adopt more cloudlike behavior. Immunet's service, for example, is not even mostly cloud, Morris argues.
"It does feed back to a centralized database, so I think it has attributes of cloud," Morris says of Immunet's product. "You could say it is 70 percent [traditional] AV and 30 percent cloud. While Panda is 30 percent [traditional] AV and 70 percent cloud."
Yet the services have the same overall goal: to make analysis faster and push the results to users more quickly. McAfee's cloud technology is an offshoot from its quest to create a better automated analysis engine. Its Artemis Technology automatically analyzes up to 95 percent of all potential threats seen by McAfee's users. Panda's Collective Intelligence system crunches through some 37,000 potential threats every day, handling 99 percent of the work in classifying programs.
And while many services may not be completely cloudlike, especially to their competitors, most antivirus companies appear to be including at least the ability to get instant updates from online servers.
"What the antivirus industry is shifting toward is a data-mining problem more than an analysis problem," Immunet's Friedrichs says. "There are so many threats today that an analyst cannot analyze them all, so we are using data-mining techniques to find the needles in the haystack."
Tuesday, August 25, 2009
The Danger in Web Database Flaws
Attacks that send database commands to the servers hosting a Web site have become a common way to compromise networks and infect visitors' computers.
Last week, federal prosecutors indicted Albert Gonzalez, a man already charged with stealing nearly 100 million credit- and debit-card accounts from retailer TJX, for allegedly working with three other people to hack into another five companies. Gonzalez and his cohorts allegedly stole at least an additional 130 million credit- and debit-card accounts.
In each case, the initial compromise was through the victim's Web site using a technique, known as SQL injection, that is rarely talked about outside of computer security circles.
The attack takes advantage of Web site components that accept user input, such as search boxes and login pages. If the Web application does not adequately check the validity of the submitted string of characters, an attacker can enter a specially formatted string that, when processed, is interpreted as part of a database command rather than as data. Since most Web databases use the Structured Query Language, or SQL, the attack is known as a SQL injection.
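The mechanism described above, as an added example that is not part of the original post: a login check written two ways against a constructed in-memory SQLite table, showing why pasting input into the query text turns data into a command and why a parameterized query does not.

```python
import sqlite3


def build_db():
    # Constructed sample data standing in for a Web site's login back end.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct-horse"), ("bob", "battery-staple")])
    conn.commit()
    return conn


def login_unsafe(conn, username, password):
    # Vulnerable pattern: the submitted strings are spliced straight into the
    # SQL text, so a quote character in the input changes the command's shape.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return sorted(row[0] for row in conn.execute(query))


def login_safe(conn, username, password):
    # Hardened pattern: the SQL text is fixed and the driver binds the input as
    # values, so whatever the user types is compared, never executed.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (username, password)))


def demo():
    # Returns the outcomes so they can be inspected or asserted on.
    conn = build_db()
    results = {}
    # Ordinary credentials behave the same in both versions.
    results["valid_unsafe"] = login_unsafe(conn, "alice", "correct-horse")
    results["valid_safe"] = login_safe(conn, "alice", "correct-horse")
    # The textbook "specially formatted string": a tautology that the unsafe
    # version parses as part of the WHERE clause, matching every row.
    crafted = "' OR '1'='1"
    results["crafted_unsafe"] = login_unsafe(conn, crafted, crafted)
    results["crafted_safe"] = login_safe(conn, crafted, crafted)
    return results


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Any query built with string formatting from request data is the defect to look for in review; the fix is the parameterized form, independent of how well the input is otherwise validated.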
"It is a medium-level threat that the rest of the industry has ignored for so long that the attackers have realized it's a wide-open field," says Dan Holden, product manager for IBM's X-Force vulnerability research team.
Because Web developers are not typically programmers--and most programmers are not adequately taught security practices--online applications are rife with SQL injection flaws.
Big Blue has seen the number of SQL injection attacks double from the first to the second quarter of 2009. In the past few years, vulnerabilities that allow SQL injection to happen have occupied one of the top-three places in the annual list of flaws. Last year, about 20 percent of the 5,600 vulnerabilities entered into the National Vulnerability Database were related to SQL injection.
"Developers are working in high-level programming languages and they just aren't taught to deal with vulnerabilities," Holden says. "Bugs and vulnerabilities occur because people make mistakes, and it's people that program applications."
Underscoring the danger, security firm ScanSafe announced this week that it had found nearly 100,000 Web pages that had been compromised using a SQL-injection attack to include malicious code.
"It is like it has hit puberty," Holden says. "SQL injection has started to come into its own."
Monday, August 24, 2009
The Tricky Task of Timing Exploits
A year after Microsoft kicked off a three-level grading system for vulnerabilities, researchers still question its accuracy.
Determining whether a software patch has to be applied today, next week, or next month is a major headache for information technology managers. While many software makers offer some system to rank the severity of security flaws, network administrators are still left to create their best estimate of how long they have before online miscreants start using a vulnerability to attack systems.
Security intelligence firm iDefense, for example, has a team of security experts who focus on researching online threats and figuring out which flaws will be targeted by the next attacks.
"I have six guys on my staff whose sole job is to find vulnerabilities in enterprise-level software," says Rick Howard, director of intelligence for iDefense. "So when they see a piece of code, they have a sense about whether it is easy to exploit or not easy to exploit. They spend two days of work trying to figure that out."
Microsoft is trying to make figuring it out a lot easier. Last year, the company launched a program to give IT managers more information by developing a three-level ranking system, known as the Exploitability Index. The program gauges whether a vulnerability is the equivalent of low-hanging fruit for online attackers or a much tougher nut to crack. The three levels are:
- Consistent exploit code likely
- Inconsistent exploit code likely
- Functional exploit code unlikely
Microsoft only considers the question of exploitability for a 30-day period and does not try to forecast beyond that.
In a study released in July, iDefense found that Microsoft did a (relatively) respectable job of predicting whether an exploit would be released. Approximately one-third of all vulnerabilities assigned an Exploitability Index of one--"consistent exploit code likely"--were actually exploited in the 30 days following the release of the patch, while only one in five of the remaining vulnerabilities was exploited. Still, calling one-third correctly means that Microsoft thought it likely that the other two-thirds of vulnerabilities would be exploited and they were not.
Figure caption: Microsoft has done well predicting the relative frequency that software flaws might be used in an attack. (Source: iDefense's "Microsoft Exploitability Index: A Review," modified to correct errors)
"It is hard to figure out whether [researchers and attackers] will go public in 30 days," says Howard. "It is not a bad indicator; it's still not the best indicator."
So far, there is little data on how the bad guys are using the Exploitability Index to focus their own efforts--an initial worry when Microsoft announced the program. The attackers could be focusing on quickly finding the easy-to-exploit vulnerabilities--those ranked first on the Exploitability Index--before companies plug the security holes, or they could focus on finding ways of reliably exploiting the harder flaws, expecting that companies might not patch those as quickly.
"Attackers know that companies and home users don't patch their stuff very well," Howard says, predicting that "the harder stuff--that is the higher-end hackers--they will save those for bigger projects."