Predicting the Death of IPS, Antivirus and Security as we Knew it

Gartner proclaimed the death of intrusion detection, so why not call for the death of intrusion prevention systems, maybe antivirus, and hell: the death of security as we know it.  Commercial security is such a money making machine that security companies will convince you that security-as-you-know-it is still valid. Time to admit it.  While the security industry has been incrementally improving itself, hackers have innovated.

It is often said that security fails because it lags behind technology. That if the creators of the Internet were more security minded we would not have the mess we have today.  Yet, we introduced the web browser (NCSA Mosaic web browser in 1993) and mobile code (JavaScript in 1995), fully aware of security and still failed to implement a secure design. It is not a lag between a user’s desires for new features and the security controls to implement them safely, it is a lag between money and security.

There needs to be a recognized need, before security is developed.  Which means, we first need to demonstrate a significant amount of financial loss before companies pay for a security product. This is further complicated by the ability to sell a solution to those who need it.  Security budget describes their line items in terms of existing products. The result is that companies incrementally improve existing products to the need, as opposed to developing new solution.

While attacking has changed from targeting services to targeting the user’s systems, the security industry has been modifying their service-side solutions to address user side exploitation.  I am saying user-side exploitation, not vulnerability.

What are the aspects that keep security-as-we-knew-it at a critical point?

  • Security companies are incrementally improving technology while attackers are innovating it.
  • Solutions, like the DAT file, have reached their end-of-life as a standalone solution.
  • Companies attempt to incremental improve server-side solutions to address user-side attacks.

Point One: Incremental Improvement versus Innovation The reason why the industry lags is simple: Incremental improvement has a quicker impact to profitability than do innovative solutions. Companies already have products and customers.  Customers expect the focus and function of a product to remain the same.  Intrusion Detection Systems made incremental improvements towards firewalls creating the IPS.  But what of application aware firewalls? First, the concept has been around for some time, and the big boys didn’t start addressing them until they began eating into the market share of traditional firewalls.

Point Two: Antivirus DAT definitions have reached their limits The DAT file determines the number of signatures that an antivirus engine can have. One cannot say the DAT is dead, for the DAT contains heuristic and code along side file definitions.  However, the way we think of DAT files is becoming wrong.  The problem is that the signature part of the DAT cannot keep pace with the number of signatures needed to track all the new malware. Two causes of this explosion are the technology advances in packer technology and the increase in user-side attacks.

Packers are programs that obfuscate programs.  In the old days, packers were like wrappers.  A packer unwrapped a file, kind of like unzipping it, and then executed it.  Modern packers interweave the packer code with the program they are protecting. They use a combination of obfuscation tricks and encryption making automated analysis difficult.  The advances are largely due to the fact that there is a legitimate force paying for packer technology, anti-software piracy companies.  Packers protect program from pirates.  So, the battlefield is: the software pirates and antivirus companies on one side; and the software companies and malware writers on the other side.

Another reason for the explosion in the volume of malware is its use in cyber theft.  We often talk about botnets as if it is a technology.  When an attack goes against a user, the attacker should expect either a proxy, or a network address translation (NAT) firewall/router.  The later being the home NAT router.  This means that all these attacks need the infected machine to call out to establish a connection.  This call back requires a program.  This program is the malware.  So, all user-side attacks have malware today.

Putting the two together means that the average attacker is targeting the user with a user-side attack that has a uniquely packed malware program.  Instead of hackers having a common binary, they have common code that when packed creates unique binaries.   All these unique binaries creates the storm of malware, which is too many for a DAT file.

Point Three: Server Side Products leave the User Vulnerable The lag in major security companies to address the shift in corporate attacks from server-side attacks to client-side attacks is an excellent example of where security fails.

Companies have invested in vulnerability prevention as the mainstay to defending the network.  It started with SATAN in 1994, and Dan Farmers motto of protecting the network by breaking into it.  The theory is based on NSA’s risk model.  That the combination of opportunity, threat, and vulnerability create risk.

There are many aspects to this theory that are flawed when implemented as a stand-alone approach to security.  First. not all vulnerabilities are technical ones.  The most common vulnerability is user error (or more precisely, user ignorance). We see this in social engineering, misconfigurations, and users downloading and installing fake antivirus.  Second, keeping up with the vulnerabilities is actual hard.  There are about thirteen critical vulnerabilities a day according to the National Vulnerability Database. Lastly, it is sometimes difficult to define and detect a vulnerability being used.  Most vulnerabilities in the wild cannot be detected, as the attackers have learned to hide the vulnerability in the attack.

The scan philosophy focuses on services that a system has, which has nothing to do with user-side attacks.

Conclusion The industry is racing to a breaking point.  The number of compromised systems and finical loss  are increasing.  Once it becomes to unprofitable to operate in this manner, the need will force a change.  The problem is that the industry will be unprepared to change.  There remains small pockets of innovators; but without funding and recognition, their solutions will not be ready to be implemented on the scale that is needed.

Comments

  1. HI,
    I rode your article with great interest. I’m asking myself what do you think useful today to protect a company. I personnaly agree with this position: https://www.trustedsec.com/december-2012/the-defensive-security-strategy-what-strategy/ : #1 Protecting the Perimeter , #2 Protecting the Employees, #3 Monitoring and Detection ..etc cf article. I think most combination of security is to include defense in depth, giving strong defense and alerting : Monitored, Controlled, Minimized, and Current Tao of security (regarding Richard Bejtlicht) in priority to sensitive assets, and incorprotating security as an examiner/validator on future process. MY question to you is now what do you think useful in security today ? Thanks and nice article, great ideas.

    • First, I am excited at how many people are involved in security. There is a tremendous amount of hype in the industry, but there is an equal amount of people who actually believe in security and take time to learn it.

      In short, I am digging password management systems (like 1password) that handle large complex passwords when interacting with services outside an organization or from one’s house. Also, systems that use two-factor authentication when possible (such as Google’s). Management of external authentication I find as the biggest frustration in organizations. Having a system that emails you a link to create a new password sucks, they generate huge vulnerabilities. Worse, password management eats up so much budget on customer support. Having systems that allow for a local password login (not crossing the network) and then manage external passwords as a creating better security while proving ease-of-use.

      As for big picture useful, I believe that an organization starts with common components, the tao approach you describe. Such as, dividing the network to address server-side communications (external connections to network services) and client-side communication (users of the organization that communicate to internal services and external ones). The former is dominated by firewalls, IPS and integrity checkers; while the client-side is dominated by AV, HIPS, Authentication Services and NAT. I would first insure an infrastructure had these basics for a prevention-based architecture (attempt to remove vulnerability, threat and opportunity). More advanced clients will have monitoring capability in order to have an additional (responsive) layer. This aims at the detection, mitigation and recovery.

      What I see as becoming the issues are client-side attacks (content attacks), bring your own device (BYOD) and cloud services. Security is there to ensure operations, and so its not there to hinder productivity arising from new applications, personal devices and flexible cloud services. Hence I see security products that support productivity (i.e. do not add complexity) to these enhancements extremely useful/necessary. Advanced firewalls that can handle HTML5, Content aware firewalls, Cloud Firewalls/Proxies, and Cloud Key management systems are needed, and I am excited to see what happens in this area.

      These topics are fairly complex, and lead to good ideas for future blogs.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: