Security: The Non-Commodity

Thursday, March 21, 2013

Oliver Rochford


For most users and businesses, their primary contact with the world of security solutions is via antivirus.

In an enterprise environment, a computer comes preloaded with antivirus. Updates are centralized and automatic. For most, interaction is limited to the occasional confirmation of a popup. Quarantine and blocking occur as if by magic, sometimes already on the perimeter, further isolating the user from any interaction.

For businesses, this is of course a good thing. It is in fact the pinnacle of perfection as far as business security theory is concerned. It has sadly also had some unintended consequences – mainly to be found in the perception and expectations that customers and end-users have developed because of the commoditization of antivirus.

The first misconception, one that still prevails in many circles despite all the evidence gathered and research activity of the past years, is that antivirus or malware protection is sufficient protection against the majority of threats and risks, instead of seeing antivirus as just one component of the security architecture, intended to provide a last-ditch defense mechanism against known threats.

The second misconception is that all security technologies can be and are automated in this fashion. This can be seen in the way many customers approach stipulating requirements and also the decision-making process in solution selection. Many technologies and solutions, such as SI(E)M, Continuous Monitoring, Threat and Vulnerability Management amongst many others, cannot be simply set up once and then be expected to run with little to no intervention. They require active, living processes and policies, continuous tuning and maintenance, and knowledgeable staff to manage and make use of them.

We see this with centralized log management and SI(E)M, where the solution is set up in a rush once, and months later, after a breach has been called in by a third party, the resulting data is useful only for forensics: incomplete and legally unsuitable as evidence.
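As an added illustration (not code from the original post or any product) of the kind of ongoing check such a deployment needs, the script below, using constructed sample events and hypothetical host names, flags expected log sources that have stopped reporting, so that gaps like the one described above are noticed before a breach rather than during the post-mortem:

```python
"""Log-source health check: flag SIEM feeds that have gone silent.

Added example for this post, not code from the author or any product.
Assumes constructed sample events and a per-source 'at least one event
every max_gap' policy; a real deployment reads the SIEM's own inventory.
"""
from datetime import datetime, timedelta

# Constructed sample events as (source host, ISO-8601 timestamp) pairs.
SAMPLE_EVENTS = [
    ("fw-edge-01", "2013-03-20T08:00:00"),
    ("fw-edge-01", "2013-03-21T07:55:00"),
    ("dc-01",      "2013-03-18T23:10:00"),  # agent broke days ago, nobody noticed
    ("web-01",     "2013-03-21T06:30:00"),
    ("web-02",     "2013-03-21T07:10:00"),
]

# Sources the architecture says must report; one was never onboarded at all.
EXPECTED_SOURCES = {"fw-edge-01", "dc-01", "web-01", "web-02", "proxy-01"}


def last_seen_per_source(events):
    """Return {host: most recent timestamp} from (host, iso_ts) pairs."""
    last_seen = {}
    for host, ts in events:
        stamp = datetime.fromisoformat(ts)
        if host not in last_seen or stamp > last_seen[host]:
            last_seen[host] = stamp
    return last_seen


def find_silent_sources(events, expected, now, max_gap=timedelta(hours=24)):
    """Return {host: reason} for expected sources that are stale or absent.

    `now` may be a datetime or an ISO-8601 string.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    last_seen = last_seen_per_source(events)
    findings = {}
    for host in sorted(expected):
        if host not in last_seen:
            findings[host] = "never reported"
        elif now - last_seen[host] > max_gap:
            gap = now - last_seen[host]
            findings[host] = f"silent for {gap.days}d {gap.seconds // 3600}h"
    return findings


if __name__ == "__main__":
    for host, why in find_silent_sources(SAMPLE_EVENTS, EXPECTED_SOURCES,
                                         "2013-03-21T09:00:00").items():
        print(f"{host}: {why}")  # dc-01 is stale, proxy-01 never reported
```

Run as a scheduled job against the real source inventory, the same logic turns "we never noticed the domain controller stopped logging" into a ticket the day it happens.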

Solutions are rarely individually vetted for how they approach a given workflow or what philosophies were applied in their design, and many architects define workflows and processes even before familiarizing themselves with the idiosyncrasies and varied feature sets of different vendors. Instead, a static list of requirements, the RFIs and RFPs, is sent out, with whatever products tick the most checkboxes going through to the next, or sadly in many cases, final round. The mature and stagnant antivirus market has created the illusion that security products within any domain or speciality are directly comparable and differ only marginally. For many, only the price is really important and decisive in conjunction with the feature checklist.

The third misconception is closely related to the second: that signature- and checksum-based malware detection is sufficient. This misbelief is not based on actual practical evidence. It is driven by the experience and belief that anomaly detection and active intrusion prevention cause too much work and too many false positives.

Ironically, the way that antivirus vendors have historically marketed their products is partly to blame for this attitude. For years customers were promised easy protection. The expectation that many organizations have of not needing to manage a security solution is entirely misplaced and a dangerous fallacy.

As the recent New York Times breach highlighted, too many organizations avoid using the advanced features available to them. This resistance is based on the experience that using advanced security features like behavioral anomaly detection or automated intrusion prevention can lead to unintended consequences, like preventing legitimate work, or generate copious amounts of false negatives and positives if not managed and maintained actively and regularly by someone of sufficient skill and know-how. The sad fact is, many businesses do not make full use of all of the tools they are given and pay for, nor do they approach the topic with anywhere near the understanding that is required.

I find the recent attacks on antivirus for failing to detect 0-day and obfuscated attacks unwarranted. There are strong technical reasons why this is not possible. That does not make antivirus useless though, just as installing CCTV cameras does not mean you should remove your door locks. They provide better defense together, and cover different risks. So it is with antivirus. If you think that only detecting and mitigating known malware is useless, try surfing the net with a Windows machine and without malware protection for a few months and then see how you feel.

A good security architect, a few talented analysts, a CSO who can push through important but initially unpalatable-seeming changes, and a management that sufficiently appreciates the risks involved and understands the need for tighter security are amongst the real requirements for being anything beyond badly secured.

This trend towards commoditization is not restricted to antivirus. We are beginning to see it in the Intrusion Detection/Prevention, Endpoint Protection, and Firewall segments too, and once again, in the minds of many business consumers this trend has mentally already fully occurred.

Taking Intrusion Detection as another example, it has changed from being an activity to now being essentially a function, sometimes just a sub-function, of a device. Very few “Intrusion Detection Systems” are actually that. In reality, they are just sniffers applying signatures in the form of patterns. Some “Next Generation” IDSs apply deeper logic to findings, but essentially they are still very naïve. It’s like calling a submarine a ship hunting and elimination system. It is no such thing. Only when loaded with the right armament, crewed by competent seamen, and used strategically is it a ship hunting and elimination system. Otherwise it is at best an ugly ship, at worst a watery grave.

Intrusion Detection is really an activity: a continuous task, to be done by an analyst using multiple data sources and tools finely adapted to and finely tuned for a particular network(s) or system(s).

It has come so far that we have had to create a new term for it – SI(E)M. How crazy is that?

Joke aside, very few customers understand that the hardware and software are only a small part of security. Setting up the solution is important, but it is like fixing up a car. The real fun and benefit come from driving. It can be argued that in Formula One the mechanics and the car design team also contribute to winning the race, but at the end of the day it’s the driver who makes sure that the technology, i.e. the car, and the design and maintenance actually lead to that victory and the finish line.

You cannot really buy security, only certain aspects of it. It is not a commodity.

Even outsourcing it will only take some responsibilities and tasks off your hands. You will still need expertise and someone to conduct and orchestrate all of the different security aspects. It outsources the responsibility, but not the risk, meaning that it will never be a case of handing it over to someone else and being able to forget about it. For some companies, outsourcing their security can also have a negative impact on their own defensive posture. Distance breeds unfamiliarity, and in the case of security will lead to even less awareness.

Filomena Roberts: Security has become quite weak these days as we come to hear a lot of cases of hacking and cyber crime. It has become important to take major steps in this direction.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.