The number and complexity of cybersecurity tools have grown at a dizzying pace in recent decades. As cyber threats like ransomware became more numerous and complex, antivirus and threat management tools expanded to meet these challenges. Security experts now often find themselves with too many choices and a market too rich with options. Choosing, running and training on these tools can become a problem.

From the first “computer worm” to ransomware, let’s review the evolution of cyber threats and the expanding cybersecurity ecosystem.

The birth of the cybersecurity industry

With no public internet, computer security in the early days focused mainly on passwords protecting computer systems one at a time. Even 60 years later, passwords remain a foundation of a healthy cybersecurity practice.

In the 1970s, an ethical coder created a program called Creeper, a “worm” that moved from system to system, leaving a message behind on the ARPANET. (ARPANET was the Advanced Research Projects Agency Network, an arm  of the U.S. Department of Defense and the forerunner of today’s internet.) A colleague of the Creeper programmer created a program to destroy it called Reaper. It found and deleted the virus, creating the first antivirus program. These were the first virus and antivirus programs, but that didn’t remain true for long.

In the late 1980s, the Morris Worm, a self-replicating malware program, served as a wake-up call to the industry. Designed to demonstrate a known vulnerability, it slowed down the internet and caused widespread damage. The Morris Worm clarified the need to hold back a growing threat landscape and gave rise to the first firewall. Firewalls slowly emerged from labs in the late 1980s, but the firewall industry would take off in the next decade.

In 1987, the first true commercial antivirus solution came out from the German company G Data Software for Atari systems. McAfee was also founded that year and launched VirusScan. Several more antivirus products followed.

The 1980s began with no real commercial cybersecurity products. They ended with several firewall projects and antivirus products on the market, and the trend would only continue.

Download the guide

Mainstreaming of the internet and the start of perimeter protection

The history of the “worldwide web” began in 1989, and its spread in the early 1990s made the internet mainstream. The decade started with fewer than 3 million internet users and ended with around 281 million. With millions of people putting their personal and financial information online, cyber criminals emerged to exploit it.

In the 1990s, cybersecurity tools focused on perimeter protection — firewalls and intrusion prevention systems — as well as antivirus software. Firewalls transitioned from lab projects to commercial products, with the second generation coming out of AT&T Bell Labs, which called their technology Circuit Level Gateway. This introduced the first stateful firewall, a firewall that monitors the complete state of active network connections. In 1994, Check Point launched Firewall-1, which was a milestone among commercial firewall solutions by offering a popular and easy-to-administer cybersecurity tool that used a graphical user interface.

With a firewall, packet filters could protect a safe internal network by hunting for known malicious traffic. These steadily became more refined and varied, but the basic concept stayed the same. Building a moat around corporate networks and applications was the method of the era.

The first virtual private network (VPN) was developed inside Microsoft in 1996 to extend the protection of the firewall to remote users “dialing in” with modems. It would later be used broadly for both security and privacy, enabling remote user activity to be hidden from internet service providers and public Wi-Fi. The technologies underlying VPN products — Internet Protocol Security (IPSec), Internet Key Exchange (IKE ) and, by the end of the decade, Layer 2 Tunneling Protocol (L2TP) — vastly improved VPN security as products spread.

Centralized security for the new millennium

Many of the attack types spreading widely today, like ransomware (the first instance of which happened via floppy disk in 1989), emerged as a more widely used technique in the mid-2000s. During this time GPCode, TROJ.RANSOM.A, Archiveus, Krotten, Cryzip, MayArchive and other new ransomware attacks emerged. Ransomware became more attractive to threat actors with the rise of difficult-to-trace cryptocurrencies. Malware posing as antivirus became a major point of social engineering around ransomware attacks.

After 2000, the concept of the SOC (security operations center) came into vogue, an all-hands-on-deck control center featuring a room full of specialists monitoring and stopping security events across the whole enterprise. In the case of smaller teams, a Managed Security Service could accomplish this job. Either way, they probably used a security information and event management (SIEM) platform. This approach was an early attempt to deal with overcomplexity in both attack variants and security tools.

A SIEM is a collection of software systems that find, analyze and display data from devices, software and logging systems, or external sources. Today more than 60 companies sell SIEM solutions.

The SIEM idea has been more recently replaced by the emergence of real-time security intelligence platforms aimed to prevent problems like ransomware rather than find them after the fact. These use big data analytics to discover trends.

This kind of control room approach to cybersecurity could involve thousands of different solutions and products. They not only deal with a wide range of attack types but also with a wide range of solutions.

Next-generation firewalls emerged in 2008 and proliferated in the 2010s. Driven by Palo Alto Networks, these firewalls used application-aware packet filtering, user-based access control (regardless of the system’s IP address or device type), built-in IPS filtering and other advanced techniques that proved powerful when combined. By the end of the decade, there would be hundreds of firewall solutions.

The ransomware worm WannaCry emerged in 2017, spreading virally and demanding Bitcoin payment. During this decade, cybersecurity tools got way more modern, using network behavioral analysis and web application firewalls.

Today’s cybersecurity ecosystem is overwhelmed by choice

We start the new decade paralyzed by choice. Every security solution, starting with passwords and including firewalls, antivirus and antimalware, VPNs, two-factor authentication solutions, biometric tools, encryption products, hardware-based security, enterprise key management, container and Kubernetes security, confidential computing and many more, began as single solutions. More providers emerged, more solutions emerged and the tool landscape became more complex.

We find ourselves where market size itself is a security threat. The time and energy it takes to evaluate and choose from the incredible variety of solutions has become a significant investment, and the mastery and training of these solutions is another challenge altogether.

The proliferation of threats and solutions is unlikely to change. So for today’s cybersecurity and the battle against ransomware, the focus is on solutions that bring order to the chaos. Threats will continue to evolve at a faster pace and solutions must evolve with them. The next historic milestones for the cybersecurity ecosystem will be cloud-based tools paired with artificial intelligence and intelligent automation to target ransomware and today’s other threats.

Learn why IBM Security is recognized as a leader in managed security services, combining AI, threat intelligence and response to deliver better security outcomes.

More from Risk Management

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Mapping attacks on generative AI to business impact

5 min read - In recent months, we’ve seen government and business leaders put an increased focus on securing AI models. If generative AI is the next big platform to transform the services and functions on which society as a whole depends, ensuring that technology is trusted and secure must be businesses’ top priority. While generative AI adoption is in its nascent stages, we must establish effective strategies to secure it from the onset. The IBM Institute for Business Value found that despite 64%…

Ermac malware: The other side of the code

6 min read - When the Cerberus code was leaked in late 2020, IBM Trusteer researchers projected that a new Cerberus mutation was just a matter of time. Multiple actors used the leaked Cerberus code but without significant changes to the malware. However, the MalwareHunterTeam discovered a new variant of Cerberus — known as Ermac (also known as Hook) — in late September of 2022.To better understand the new version of Cerberus, we can attempt to shed light on the behind-the-scenes operations of the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today