Our weekly research meeting started with an optimistic plea from yours truly. Will 2010 finally be the year the signature dies? I mean, come on now, we all know endpoint AV using only signatures is an accident waiting to happen. And everywhere else signatures are used (predominantly IPS & anti-spam) those technologies are heavily supplemented with additional behavioral and heuristic techniques to improve detection.
But the team thought that idea was too restrictive, and largely irrelevant because regardless of the technology used, the vendors adapt their products to keep up with the attacks. Yes, that was my idea of biting sarcasm.
We broadened our thinking significantly, to think about why we haven’t been able to really kill off any security technology, ever. How many of you still use token authenticators? Or line encryptors? It seems once we implement something, we get to live with it for 20 years.
Have you ever tried to actually kill a technology? Someone always finds an edge case where you’d be dead if it happens, so you can’t pull the trigger. Who cares that you have a higher likelihood of getting hit by a meteor in the cranium? Not sure about you, but that annoys the crap out of me.
With all the time and money we spend maintaining and paying for these tools, we aren’t doing more strategic things for the business. Our world is complex enough. We need to make it a point this year to get rid of some of these long-in-the-tooth technologies.
So for this week’s thought generator, let’s put together a security “endangered species list” of things we want to kill. I’ll start:
Signature-based AV Engines – Come on, man! We keep these fat and dumb AV engines around because we are worried that the Melissa virus will make a comeback. Now the vendors need a frackin’ cloud to keep track of all the signatures, which don’t work anyway – given that most of the bad guys use AV*Test.org to make sure the major engines are blind to their stuff.
As an alternative, we can (and should) be moving towards a whitelist based approach on servers, where you can lock down the applications, since your servers don’t get pissed when they can’t run Tiger Woods golf or watch March Madness online. These tools are ready for prime time now, and it’s time we killed off the old and busted way of doing things.
And you shouldn’t need to keep paying your desktop AV vendor to maintain that signature database, especially since most of them already offer whitelist technology as a different product.
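To make the blacklist-versus-whitelist point concrete, here is an added example (not code from this post or from any vendor product) that models the two approaches side by side. The "binaries", hashes, and names are all constructed for the illustration; a real allowlisting product does the same thing with the hashes (or signing certificates) of the executables you approve on a server. The example shows why a signature engine stays blind to anything it has not seen before, while an allowlist needs no knowledge of the bad stuff at all, and it includes the one operational caveat you will hit on day one: patching changes the hash, so the allowlist needs a trusted update path.

```python
import hashlib

# Constructed stand-ins for executables. Real tools hash the on-disk binary
# (or check its code-signing certificate); byte strings are enough here.
KNOWN_BAD = b"MZ...malware-sample-v1"
KNOWN_BAD_VARIANT = KNOWN_BAD + b"\x00"      # same sample, trivially changed
TRUSTED_DAEMON = b"MZ...approved-server-daemon-1.0"
TRUSTED_DAEMON_PATCHED = b"MZ...approved-server-daemon-1.1"
UNWANTED_APP = b"MZ...tiger-woods-golf"       # not malicious, just not approved


def sha256_hex(data: bytes) -> str:
    """Hash used as the identity of a binary in both lists."""
    return hashlib.sha256(data).hexdigest()


# Signature-based engine: a denylist of hashes the vendor has already seen.
SIGNATURE_DENYLIST = {sha256_hex(KNOWN_BAD)}

# Whitelist (allowlist) engine: the set of hashes this server is permitted to run.
ALLOWLIST = {sha256_hex(TRUSTED_DAEMON)}


def signature_av_allows(binary: bytes) -> bool:
    """Runs anything that is not a known-bad signature (default allow)."""
    return sha256_hex(binary) not in SIGNATURE_DENYLIST


def allowlist_allows(binary: bytes, allowlist: set = ALLOWLIST) -> bool:
    """Runs only what has been explicitly approved (default deny)."""
    return sha256_hex(binary) in allowlist


def approve(binary: bytes, allowlist: set) -> set:
    """Trusted update path: a change-controlled patch gets added to the allowlist.
    Without this step a legitimate patch is blocked, which is the usual reason
    whitelisting projects stall on servers."""
    return allowlist | {sha256_hex(binary)}


def compare(samples: dict) -> dict:
    """Return {name: (signature_engine_allows, allowlist_allows)} for each sample."""
    return {
        name: (signature_av_allows(data), allowlist_allows(data))
        for name, data in samples.items()
    }


if __name__ == "__main__":
    samples = {
        "known bad": KNOWN_BAD,
        "known bad, one byte changed": KNOWN_BAD_VARIANT,
        "approved daemon": TRUSTED_DAEMON,
        "approved daemon after patch": TRUSTED_DAEMON_PATCHED,
        "unapproved app": UNWANTED_APP,
    }
    for name, (sig, wl) in compare(samples).items():
        print(f"{name:32} signature-AV allows={sig!s:5} allowlist allows={wl}")
    # After change control approves the patch, the allowlist lets it run.
    updated = approve(TRUSTED_DAEMON_PATCHED, ALLOWLIST)
    print("patched daemon after approval:", allowlist_allows(TRUSTED_DAEMON_PATCHED, updated))
```

Two things fall out of running it. The signature engine blocks exactly one sample, the one it already has a hash for; the one-byte variant and the unapproved application both sail through, because a denylist can only say no to what it has already seen. The allowlist blocks everything except the approved daemon, including the patched daemon until change control adds the new hash, which is why the `approve` step (or certificate-based trust in a real product) is part of the deployment plan, not an afterthought.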
On the endpoints, do we think these AV engines are actually doing any good? Aren’t we better off focusing on patching and ensuring some of the anti-exploitation technologies (like DEP and ASLR) are used within the applications you let users run on their devices? Then we also have to make sure we are watching more closely for compromised endpoints, so bust out that network monitor and ensure you have egress filtering in use. I described these techniques in Low Hanging Fruit: Network Security last week.
With the increasing consumerization of IT, assuming you have control of the endpoint is probably naive at best. Imagine what good all the AV researchers could do if they weren’t spending all day auto-generating signatures?
OK, that one was a bit easy and predictable. As Rich would say, what’s different about that? Nothing, I just wanted to get rolling.
HIPS – As I continue my attack on everything signature, why does HIPS (Host Intrusion Prevention) still exist? I get that folks don’t really do HIPS on the endpoint, but far too many still kill the performance of their servers by comparing activity to known attack code. I’m sure there are some use cases where HIPS is useful, but is it worth the performance penalty and the cost of management and maintenance? Yeah, probably not.
Repeat after me: Black lists are for the birds. Black lists are for the birds. So why do we care about HIPS anymore? Should this also be on the list of security technologies to die?
What say you? Tell me why I’m wrong. What’s on your list? Put it in the comments, and be sure to mention:
- The technology
- Why it needs to go
- What compensating controls can be used for at least equal protection
Remember the best comment of the week can feel good about making a donation to a worthy charity.
Let’s all sing now: The Roof, the roof, the roof is on fire… Now discuss!