Back to Top

Sunday, October 26, 2008

Stepping beyond the vendor-centric security solution

Even these days too many organisations have a "one silver bullet solution" mentality when it comes to IT security. Most often the software presented as solution is an AV package. However, I argue, this is far from sufficient and the better solution would be to have experienced and knowledgeable people implement and maintain a multi-layered defence system. This - I argue - is much more effective and many times it can be done at a comparable or even lower price point than the vendor solution.

My argument rests on three simple pillars:

  1. The loss created by complex attacks increases exponentially.
  2. The cost to perform a complex attack increases linearly
  3. Security products can only detect/prevent well-known attacks. They have a certain capability to identify machine generated variations of these attacks, but can always be circumvented.

You can see my argument below visually:

On the horizontal axis you have the probability of a given attack occurring. This is the inverse of the difficulty (the knowledge required) of performing a given attack (that is to say that attacks which are difficult/require advanced knowledge will be more rare).

On the vertical axis you have the typical damage on an attack. The solid line is an approximation of the attack complexity versus damage relation. Intuitively it is easy to see that as the complexity of an attack increases, so does the damage created by it (assuming it was successful). Two arguments for this reasoning would be: (a) complex attacks are more rare, meaning that if they occur, they are targeted towards the most important asset(s) of a given organisation and (b) if the attacker needed to use more complex methods, it is because the system was better protected, meaning that probably they had information of higher value.

The dashed line represents the resources needed by the attacker to perform an attack of a given complexity. The important thing here is that it increases much more slowly than the damage.

The zones marked A, B and C represent the areas "covered" by different types of setups. Some preliminary remarks: even the most basic solution (a single product) covers some area (meaning that the "AV is dead" movement is exaggerated). An other important remark is that no solution covers the entire scale. This means that we are doing risk management not complete risk prevention, regardless if we like it or not.

In what follows I will talk in some detail about each interval. To set the correct expectations: this article talks about larger organisations, not home users. It can be adapted to the home-user scenario if we talk managed security, however this is not the primary target of this description.

For the sake of completeness I include the "no protection". In this case the attacker has any number of possible ways to compromise the systems:

  • Exploiting the browser
  • Sending executable attachments
  • Using autorun malware
  • ...
This scenario (fortunately) is very rare in organisations these days, because almost all computer users understand that they need some level of protection (although they probably do not have a good understanding about the threats).

The second scenario is that the organisation has one type of security product deployed on every node (this usually means an AV suite). Today this is the most common scenario because from all the security vendors, AV companies are the biggest and thus have the strongest (oldest) marketing message.

AV has its use, however is not the be-all-end-all of IT security which the marketing makes out to be. The biggest problem (from the point of view of an organisation) is that it only protects against common (shotgun) type attacks (and even against those it doesn't have a 100% effectiveness). Lets look at this point a little bit closer:

  • AV is a reactive technology. It can only detect (types of) malware which it saw on time or an other. It functions by the cycle somebody gets infected - samples get to the company - detection is added. Do you want to take the chance of playing labrat (getting infected) with your systems?
  • AV is good at detecting large-scale (so called shotgun style - because you can't use a shotgun precisely, you just aim approximately in a direction) attacks. The detection rates quickly fall when we are talking about targeted attacks (this goes back to the previous point - in a targeted attack the samples are not widely distributed, so the chances of the AV vendor getting them in time to add detection are slim). Now think about it from a business owner point of view: what is more dangerous for your company: a generic attack which probably aims to collect information which may not even exists on your machines or is of little or no value to the organisation (like gaming passwords) or a targeted attack which goes for the "crown jewels", the most important information you possess? The value proposition of an AV is the exact opposite of the true business needs.
  • AV tests use pretty numbers to hide the fact that even if we limit our scope to the "shotgun style malware" (where these products perform the best), the products can only provide ~95% protection (if updated properly) or ~70% (if the updates are lagging - which can happen for many reasons). This literarily means that even with an up-to-date AV product you are vulnerable to hundreds of thousands of malware.

The third scenario is that the organisation uses multiple products (AV on the desktops, AV + Anti-Spam on the mailservers, maybe an IDS product, etc). This likelihood of this scenario increases with the size of the organisation (meaning that larger organisations are more likely to have more of these products). The main problem with this scenario is that often these systems are implemented in a "fire and forget" type of manner, ie. (a) they are not constantly monitored and (b) they are not customised to match the given situation as closely as possible. Again, this is mostly due to product marketing promising that "you only have to buy product X, plug it in and you are magically secure (pixiedust included ;-))".

These types of networks provide more security than just a single product (although probably not proportionally more security with the money invested). Given that multiple products are in place, shotgun-style malware is almost completely prevented, or at least its presence is quickly detected an can be contained. There is however still a "wide-open door" for custom, targeted attacks (these types of organisations are the best to work for if you are a penetration tester ;-), because after you show them 101 holes in their system, their conclusion is that "we need to buy security product Q in addition to the current products X, Y and Z" and next year (month, quarter, etc) you can come back show an other 101 holes which still exists, even though vendor Q promised them that they protect against them).

To make the examples more concrete: lets say that the organisation has AV on the desktop, AV on the servers/gateways and an IDS product (typical setup). Now the penetration tester comes in and writes a simple executable which searches for documents with certain keywords in them and sends them back to its server. This executable won't be detected by the AV products since it is not a widely distributed malware family (in fact at the start of the process it exists only on the researcher's computer). Now the penetration tester tricks some users into executing this program (by sending them emails from the "IT department" for example). The IDS probably is not customised to alert on executables (because it would interfere with the IT department downloading software), but even if it is, the researcher can just simply ZIP the executable and send it that way - ZIP decompression is included in Windows since XP.

Now the final and most fortunate situation is when all this software is in place, but also there are competent people with a good understanding of the threat landscape and the business needs in place to configure and maintain them.

This means that:

  • desktop computer use an up-to-date version of the OS...
  • centralised logging is implemented and logs are analysed...
  • the network is segregated based on business needs...
  • security software is customised extensively to fit the organisation...
  • periodical checks are performed to ensure the effectiveness of the controls...
  • ...

Unfortunately I have yet to see an organisation which has (or at least aspires to have) this level of security. Observe that the elements in that list are people centric rather than product centric. This means that given the right people you can use open source (and mostly free as in beer) products (because the people know how to configure them right), but the inverse is not true! (meaning that there is no product which will work long-term reliably and deliver the promised results without the right configuration and maintenance).

These environments (multi-layered software with knowledgeable people) are highly resistant to IT attacks and have the same (or possibly lower) associated cost than a multi-layer software environment with no knowledgeable people. To come back to the previous penetration test example:

  • The execution attempt would have caught at the IDS level (which was configured to alert on executable when they are downloaded by the end-users but not by admins).
  • The whitelisting application on the desktop wouldn't have allowed the user to run it.
  • The IDS would have detected sending out documents
  • ...

To come full circle: there is no "perfect solution" for the IT security problem. The attacker may (1) invest a lot of effort and break through every layer of defence or (2) avoid some of them or even (3) come from a different direction (think insider, think infected company laptop). Products can do only so much. Skilled people are needed to customise and maintain the systems.

In conclusion - the two most important thing for an IT security person are:

  • To understand the business needs and know what to protect
  • Understand possible attack vectors to the level that s/he could perform them. Such level of knowledge is essential to evaluate products and understand remaining weaknesses in the network.

And for an organisation the most important asset are the good IT security persons, infinitely more important than any products.

1 comment:

  1. Anonymous3:33 PM

    man, you're good..keep it up..!

    ReplyDelete