Read ‘em and weep. Doesn’t matter what it is, how much you spent on it, or what you’ve done to implement it, its outlook is about as good as the Cleveland Browns’ Super Bowl chances. Got your attention? That’s the idea. This type of apocalyptic proclamation has been alive and well in information security over the past few years and never ceases to get its share of eyeballs and chatter. Gartner fired a shot across the bow a while back with the “IDS is dead” statement and similar things are now being said about antivirus. The siren call of these alarmist statements has proven irresistible, but I’ll offer that while they make for catchy headlines, they obscure a more complex, but much more accurate reality. In this spirit, I’ll offer up a couple of alternate headlines that are a lot less captivating, but also do a better job of hitting the mark, in my eyes.
News flash: This technology has to evolve to stay relevant
A snoozer of a title for sure, but this is genuinely what has happened with both intrusion detection systems (IDS) and antivirus (AV). IDS had to evolve into intrusion prevention systems (IPS). The false positive rates were too high, they had to move in-line, and IDS didn’t actually block attacks (or customers didn’t use the capability), while producing enough data to make your head swim. Does this mean that IDS “died” and then rose again from the ashes as IPS? There are certainly some serious differences between IDS and IPS, but I think that’s a little generous, to say the least. Do you think IPS would have happened if IDS had not appeared first, contributed to industry learning, and whetted the industry appetite for IPS? Perhaps, but I think a more reasonable explanation is to consider it an evolutionary step rather than a revolutionary change and entirely different product category, despite marketing claims to the contrary.
Ditto for antivirus. Purely reactive models and older products will not keep pace with today’s ceaseless number of variants and complex, evasive threats. Nonetheless, this assumes a pure file-scanning model is at play, without specific detections, as well as an absence of vulnerability exploit blocking. I’d argue that those conditions describe yesterday’s antivirus solutions and you’d be ill-served indeed to rely upon them as your primary defense. The majority of threats today find their way onto a system by exploiting vulnerabilities and it sure would be better to block them before they land on a system than have to clean them off, right? Symantec (and other major players as well) have been routinely blocking file-based exploits for a while now, particularly those delivered via HTTP (for example, during the WMF outbreak). In these scenarios, the malware may be packed and undetected, but it never has the chance to hit the system since it’s blocked at the exploit. Secondly, generic detections for families of threats are now commonplace. Heuristics are also increasingly common in antivirus solutions to complement reactive definitions or signatures. We’ve had heuristics for blocking mass-mailing worms from propagating for some time and with the inclusion of WholeSecurity heuristics (for capturing keyloggers and screengrabbers) in newer products such as Norton Confidential, some of the more popular tools in the crime-ware kit are rendered ineffective. Lastly, Symantec has leveraged a Veritas-based technology in a newly delivered AV engine which enables direct volume access to detect and remove the spate of threats using kernel-mode rootkits.
Does this mean that all the grim stories of poor AV detection rates are false? Not necessarily. Nor does it mean that AV is in its death throes or failing to innovate to keep pace with the rapid evolution of today’s threat landscape. And even reactive signatures, downplayed by many today, will continue to serve a role in the current compliance-oriented world where HIPAA, GLBA and disclosure laws require an organization to know exactly what happened on a system by knowing the specific malware variant in question. In summary, the real answer is more complex and makes for a befuddling, rather than an eye-catching headline.
News Flash: This technology is no silver bullet
I grew up in Battle Creek, Michigan. The winters could get bone-chilling cold. Having a warm coat and a good set of thermals was essential. Nonetheless, you would have been nuts to walk out the door without your gloves and hat on as well. Wool socks and a scarf didn’t hurt either.
The way some organizations seem to be protecting their systems today is like sauntering out into the winter chill with their coat on but nothing else. Now, it might be a great coat, but it’s just not made to keep your hands toasty and your head warm. Ditto for firewalls and antivirus. Both are essential, but they were not designed to block exploits inside network traffic or recognize and block a fraudulent Web site. It doesn’t make much sense to curse your coat for a cold head and hands, nor should you spite your AV or firewall for not preventing every possible bad thing from happening to your systems.
This is where the concept of security suites and defense in-depth comes into play. Today, every major security vendor that has a stake in protecting the host has one of these suites or setups, for the exact reason I mention above: each component of a security suite has a unique and important role to play in protecting the system and the user. The threat environment, as the prognosticators mentioned above rightly call out, is too complex and aggressive to think you can weather the storm without a multi-layered defense provided by a suite. And, even if you have a suite, but it is a couple revisions behind, you might have dressed with all the right protection for the winter storm, but much like a fierce winter wind penetrating a threadbare jacket, the bad guys have a way of finding the holes in aging defenses.
While AV and firewalls are essential, I’d argue that today the role of blocking vulnerability exploits is one of the most important and least understood. Why? Threats center their attention on important new vulnerabilities such as MS06-040. The vulnerability is released and it’s only a matter of days (if not hours) until readily available malware source is recompiled with the latest exploit code. This is happening faster than many organizations can test and deploy patches. Moreover, with zero-day exploits such as WMF and VML for Internet Explorer, there’s no initial patch to deploy to plug the hole. IPS and AV file-based exploit blocking provide critical protection during such a window of exposure, defending the host even when it’s outside the confines of a well protected corporate network.
Does this approach work? You bet. We had IPS protection for MS06-040 on 8/8 and the first worm was seen exploiting the vulnerability on 8/11. To date, there have been 40+ worms seen exploiting the flaw, none of which mattered a bit (even outside the perimeter) if you had host-based IPS protection. Anecdotally, I can tell you that our customers on a recent version of SCS report back very few issues to support. Mind you, this does not mean IPS is the panacea, it only demonstrates that it is an essential layer of protection that should not be ignored.
So, bundle up, the Internet security climate is as fierce as ever. The end of IDS, AV, or most other security technologies is not upon us, but they are all evolving technologies and expecting any one of them to be enough protection (especially older versions) is like running out into a blizzard in a t-shirt. (By the way, I love the Cleveland Browns, but I’m looking past my emotions and with a 1-4 start, I’m willing to bet that this year they’ll be sitting on a couch watching the Super Bowl, just like me.)