
Earth to Symantec: AV doesn’t stop the APT

By Mike Rothman

If you saw the press release title Symantec Introduces New Security Solutions to Counter Advanced Persistent Threats, what would you expect? Perhaps a detailed security monitoring solution, or maybe they bought a full packet capture solution, or perhaps really innovated with something interesting? Now what if I told you that it’s actually about the latest version of Symantec’s endpoint protection product, with a management console for AV and DLP? You’d probably crap your pants from laughing so hard. I know that’s what I did, and my laundromat is not going to be happy.

It seems someone within Symantec believes that you can stop an APT attack with a little dose of centrally managed AV and threat intelligence. If the NFL was in season right now, Symantec would get a personal foul for ridiculous use of APT. And then maybe another 15 yards for misdirection and hyperbole. To continue my horrible NFL metaphor, Symantec’s owners (shareholders) should lock the folks responsible for this crap announcement out of any marketing meetings, pending appeals that should take at least 4-5 years.

From a disclosure standpoint, we got a briefing last week on Big Yellow’s Symantec Protection Center, its answer to McAfee’s Enterprise Policy Orchestrator (ePO). Basically the product is where ePO was about 5 years ago. It doesn’t even gather information from all of Symantec’s products. But why would that stop them from making outlandish claims about countering APT?

Rich tore them into little pieces, politely rubbishing, in a variety of ways, their absurd claims that endpoint protection is an answer to stopping persistent attackers. He did it nicely. He told them they would lose all credibility with anyone who actually understands what an APT really is. The folks from Symantec thanked us for the candid feedback. Then they promptly ignored it. Ultimately their need to jump on a bandwagon outweighed their desire to have a shred of truth or credibility in an announcement. Sigh.

Symantec contends that its “community and cloud-based reputation technology” blocks new and unknown threats missed by other security solutions. You know, like the Excel file that pwned RSA/EMC. AV definitely would have caught that, because another company would have been infected using the exact same malware, so the reputation system would kick into gear. Oh! Uh-oh… It seems Symantec cannot tell mass attacks from targeted 0-day attacks. So let me be crystal clear. You cannot stop a persistent attacker with AV. Not gonna happen. I wonder if anyone who actually does security for a living looked at these claims. As my boys on ESPN Sunday Countdown say, “Come on, man!”

I’m sure this won’t make me many friends within Big Yellow. But I’m not too worried about that. If I were looking for friends I’d get a dog. I can only hope some astute security marketing person will learn that using APT in this context doesn’t help you sell products – it makes you look like an ass.

And that’s all I have to say about that.

Comments

@zac. I was howling when I read the analogy between purchasing and the Pointy Haired Boss. Totally awesome, and right on point. You echo my point exactly. Mr. Market is very powerful and we will continue to see FUD as long as it works. So we have to create that “quiet revolution” I talked about in my last Dark Reading post. That’s the only way we can deal with this type of behavior. By not contributing to it.

By Mike Rothman


I’d like to point out one of the massive flaws in our security systems - one that all the vendors out there exploit: those that make the purchasing/planning decisions at most of the businesses / institutions / governments / etc. out there have no more understanding of the technology and risks than the ‘pointy haired boss’.

Sure… we know that APT can be stopped by AV the same way wishful thinking will fly you to the moon.

But to them the ability to say to their peers/subordinates/random-strangers/reporters “Hey… I fixed it… we’re protected!” is all the carrot the vendors need to come a calling and peddling their wares.

The only realistic solution I’ve thought of is to get all those CISSP card holders to live up to their pledge and do the ethical thing: tell the truth. Dispel the FUD. And for the love of all that is precious (and not just that ring)... don’t sell their “approval” for a damn pay cheque.

Sorry… but people being willfully ignorant and buying snake oil for a quick ego boost annoys me.

By Zac Bergart


Mike,
I’d guess they are taking the approach that “if you build it, they will come”. They will drive awareness with sales FUD, and every new headline that cites APT will resonate all the more. How many SMBs knew about cloud before all of them suddenly knew about cloud? It is like toadstools after a rain!!!

By ds


i had a specific memory of some vendor’s blog post where they mention that their reputation system treats unknown things as suspicious. i thought it might have been symantec, but after a search it turned out to be f-secure.

still not a good fit for thwarting specially crafted data files, though. controlling/containing behaviour of trusted apps is a better approach for that.

By kurt wismer


@kurt - There are lots of ways to describe a reputation system. Having spoken to SYMC about their Insight platform, they focus on identifying bad files based on their network of “sensors,” which is really about AV agent coverage. They used an example in their briefing that indicated they could detect a compromised file based on the breadth of their reputation system. If it’s a mass attack, they could be right (depending on the timeframe). Against a targeted attack leveraging a 0-day exploit, they are wrong. No chance for AV to detect that. So (for once), we seem to be on the same page.

@ds, you are exactly right. It’s about the marketing bandwagon, which is always about selling more stuff. What’s confusing to me is that most SMB customers (who would fall for these shenanigans) don’t know what APT is, aren’t targeted, and don’t really care. So I guess I just don’t understand how that positioning is relevant to their target markets.

My main point was to rail at the continued mis-use of the term APT, and this is one of the worst examples I’ve seen.

By Mike Rothman


The reality here is that SYMC is a very successful security vendor with a lot of customers and many solutions. They aren’t stupid, and press announcements like this aren’t driven by ignorance.

Sadly, they will sell product to customers based on this. It speaks volumes about the buyer and their ability to understand complex security issues and appropriate remedies. In short, most “security” professionals can’t, and many companies don’t even have “security” professionals on staff, esp. in the SMB space.

So, don’t expect SYMC to adhere to strict definitions of APT, and don’t be surprised when they overstate their capabilities, because it works to sell products and that is their reason for existing. Also, most people who are buying products today to counter APT won’t ever see one, so SYMC is taking a reasonable gamble that such specious market hype won’t come back to haunt them.

So, all in all, I guess SYMC’s response to the headline “AV doesn’t stop the APT” would be “So what? APT sells AV! =P”

By ds


Hilarious Mike.

By Tiffini Schwarzkopf


Hi Mate,
I had already pinged our account manager on these claims before I read your post.
Symantec need to cut themselves out of Symantec and focus on security, not these compliance suites and the buzzword bandwagon they are on.


Great post.

Jeff

By Jeffey Moore


i’m certainly not one to defend symantec in general, nor am i about to argue the point that AV doesn’t stop APT.

i will point out, however, that this post seems to confuse scanners and reputation systems. not all community technologies are based exclusively on the idea of getting intelligence about badness from a wider array of sources.
some reputation systems (and symantec’s may fall under this category) treat unknowns as suspicious.

that means a reference to their reputation system is more akin to claiming whitelisting can stop APT (much like bit9 claims here http://blog.bit9.com/bid/48173/Bit9-Stops-Advanced-Persistent-Threat-APT-Attack-at-Customer-Site)

of course your example pretty effectively demonstrates the error in that thinking - nobody is going to whitelist or monitor the reputation of DATA. it’s just not a feasible course of action.

By kurt wismer


Great post, Mike.

This underscores the importance of avoiding one dollar words and phrases if you don’t know what they mean. It demonstrates a special kind of arrogance to have experts tell you that you’re mistaken and to ignore them anyway.

Announcements like this dilute the meaning of industry terms until they become nothing more than meaningless buzzwords. I know Rich has been fighting this battle for a couple of years and helped set me straight, so some of us ARE actually listening!

By Clinton Karr

