Security today is flawed. It’s all based upon “negative” signatures. In other words, signatures of things that are known bad. This has many flaws, not the least of which are:
Zero days. How do you know something is bad until it has already done damage somewhere?
Can we really create signatures in a world of large botnets and polymorphic threats?
Just because it isn’t recognized as bad, does it mean it’s good?
It usually only works for threats from the outside trying to come in. After it’s in already, the approach is meaningless for the most part.
Can you really tell “intentions” without observing actions?
We ought to really only allow things we want (positive or white list model) and then make sure the allowed applications aren’t misused.
The above is a short list, but let's take a look at a different security stack model. Let's imagine a security stack with solutions that:
Allow a company to whitelist appropriate behavior and applications
Determine a threat by sandboxing attachments and observing their behavior
Determine a web application threat by observing the actions of attackers, assessing their skill and tenacity, and counteracting accordingly
Use profiling techniques to log individual attackers and threats
Log the events from the above for legal or compliance purposes
This is a very different approach, and a far simpler one as it turns out. Negative-based models fall short, create numerous false positives (barking dogs) and don't protect against sophisticated cybercrime and corporate espionage. We have to start looking at what threats are actually attempting to do, that is, their actions. It's the only way to assess their damage potential. Sandboxing is a way to take files, run them through multiple virtual machines and see without question what the file is attempting to do or not do. For instance, is it attempting to alter the Windows registry? Is it attempting to access files? If it is altering the system, it's a threat. Honeypots are ways to detect activity; basically, they are like motion detectors. If you detect motion inside a closet that houses your valuables and nobody should be there, there's a problem. Furthermore, if you give that threat greater and greater challenges and they continue to break through the various more challenging honeypots, you now have a capable and determined threat; action is required and it's just a matter of time.
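To make the contrast concrete, here is an added example (not Altaware's or any vendor's code) that scores constructed sandbox reports two ways: a negative lookup against a list of known-bad hashes, and a positive model that asks whether every action the file performed, in any of the VMs it was detonated in, is on the allow-list for that file type. Hashes, VM names and action names are all constructed for illustration.

```python
"""Negative signature lookup versus behaviour observed in a sandbox.

Added example, not Altaware's or any vendor's code: each report records
what a file did when detonated in several VMs, as described above. The
negative model only knows a list of bad hashes; the positive model asks
whether every observed action is on the allow-list for that file type.
All hashes, reports and action names are constructed for illustration.
"""
from dataclasses import dataclass

KNOWN_BAD_HASHES = {"deadbeef" * 8}   # constructed placeholder signature list

# Positive model: what a file of this type is permitted to do.
ALLOWED_ACTIONS = {
    "pdf": {"read_own_file", "render_pages"},
    "exe": {"read_own_file", "create_window", "write_appdata"},
}

@dataclass
class Report:
    sha256: str
    file_type: str
    actions_by_vm: dict   # VM name -> list of actions the file performed there

def negative_verdict(report):
    """Known bad or, as the text puts it, presumed good."""
    return "malicious" if report.sha256 in KNOWN_BAD_HASHES else "unknown"

def positive_verdict(report):
    """Any action outside the allow-list, in any VM, is a finding."""
    allowed = ALLOWED_ACTIONS.get(report.file_type, set())
    findings = set()
    for actions in report.actions_by_vm.values():
        findings |= set(actions) - allowed
    return ("malicious", sorted(findings)) if findings else ("allowed", [])

# Constructed: a document that behaves in one VM but drops persistence in another,
# which is why the text runs files through multiple virtual machines.
EVASIVE_DOC = Report("a1" * 32, "pdf", {
    "win7-vm": ["read_own_file", "render_pages"],
    "win10-vm": ["read_own_file", "render_pages",
                 "write_registry_run_key", "read_user_documents"],
})
CLEAN_DOC = Report("b2" * 32, "pdf", {"win10-vm": ["read_own_file", "render_pages"]})

if __name__ == "__main__":
    for r in (EVASIVE_DOC, CLEAN_DOC):
        print(r.sha256[:8], negative_verdict(r), positive_verdict(r))
```

The evasive document has no signature, so the negative model returns "unknown" (and a blacklist firewall would let it through), while the positive model flags the registry write and document access seen in the second VM.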
At Altaware, we offer all the standard existing infrastructure based solutions, but we also offer solutions for the more discerning and demanding customers that want to go beyond compliance and into the world of true security.
Data security is an interesting field. It seems like we have all these solutions, and yet breaches seem to be occurring more rampantly than ever. Simple things like Web 2.0 actually manage to defeat almost all security measures, and kids can defeat most corporate systems. So, how secure are we?
Let's look at the typical security stack in a company:
Perimeter firewall
Some kind of virus/malware solution (desktop or server or Email)
IDS / IDP (Intrusion Detection or Prevention Systems)
URL filtering or other UTM (Unified Threat Management)
Perhaps some logging
Perhaps a proxy
Perhaps a web application firewall (good possibility it isn’t actively enabled)
It's really pitiful in some regards. In general, the whole stack seems to work on making us secure by looking for and denying bad stuff. This leads us into a very dangerous assumption: that which is not bad must be good. It seems like a border checkpoint that relies on a manual do-not-enter (think no-fly) list and some self-answered security questions.
The firewall is the worst of them all. It seems to be a fancy bridge/router to connect two Ethernet wires. The security model is essentially self-declaration by the packets. For instance: are you web traffic? Yes, I'm port 80. Okay then, come on through. No need to be stopped or inspected. Really, port 80 is just web browsing? Not anymore; it's file transfers, it's bandwidth robbing, it's data leakage, it's phone home, it's everything now. Firewalls are useless; about all they do now is slow down legitimate traffic. Firewalls don't address the intent, actions or characteristics of the data. Is the data being used to evade security, transfer data, consume excessive bandwidth, tunnel other applications, carry malware, or is it prone to vulnerabilities, etc.? We also can't tell who is using it. We just see IP addresses in ever larger, generally dynamic (DHCP) networks, where we might eventually figure out which device it was if we look soon enough, while the address lease is still active. However, depending on the device, we still don't know who the actual user is. So, the firewalls tend to know nothing about the actual applications, data, users, characteristics or threats borne in the content, and they slow traffic down. Wonderful.
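The "Yes, I'm port 80" problem in code, as an added example that is not from the post or from any Altaware product: a port-only rule labels every flow to TCP/80 as web, whereas looking at the first bytes the client sends shows what the flow actually carries (plain HTTP, an SSH banner, a TLS handshake, or a CONNECT request used to tunnel something else), and a positive policy allows only the content classes permitted on that port. The flows are constructed, not captured traffic.

```python
"""Port self-declaration versus content identification.

Added example, not from the original post or any Altaware product: a
port-based rule calls anything on TCP/80 'web browsing'; this checks the
first bytes the client sends and reports what the flow actually carries.
Flow samples below are constructed, not captured traffic.
"""
import re

# First request line of plain HTTP; CONNECT is the method used to tunnel
# other protocols through a web proxy.
HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")
TLS_HANDSHAKE = b"\x16\x03"   # TLS record: content type handshake, version 3.x
SSH_BANNER = b"SSH-2.0-"

# Positive model: which content classes the policy permits on each port.
ALLOWED_ON_PORT = {80: {"http"}, 443: {"tls"}, 22: {"ssh"}}

def classify_by_port(dport):
    """What the packet 'declares' itself to be, as a port-only firewall sees it."""
    return {80: "web", 443: "web", 22: "ssh"}.get(dport, "unknown")

def classify_by_content(payload):
    """What the first bytes actually show."""
    if payload.startswith(SSH_BANNER):
        return "ssh"
    if payload.startswith(TLS_HANDSHAKE):
        return "tls"
    m = HTTP_REQUEST.match(payload)
    if m:
        return "http-tunnel" if m.group(1) == b"CONNECT" else "http"
    return "unknown"

def decide(dport, payload):
    """Allow only when the observed content is on the allow-list for that port."""
    seen = classify_by_content(payload)
    return ("allow" if seen in ALLOWED_ON_PORT.get(dport, set()) else "flag", seen)

# Constructed flows: all to port 80, so a port-only rule passes all four.
SAMPLE_FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    (80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (80, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0\x03\x03"),
    (80, b"CONNECT mail.example.com:993 HTTP/1.1\r\n\r\n"),
]

def run(flows=SAMPLE_FLOWS):
    """Per flow: (port-declared class, decision, content-observed class)."""
    return [(classify_by_port(p), *decide(p, data)) for p, data in flows]

if __name__ == "__main__":
    for row in run():
        print(row)
```

A real application-aware gateway would also look deeper than the first bytes and tie the flow to a user rather than an IP, which is the second gap the paragraph raises.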
OK, but we can layer on IDS/IDP, proxies, URL filtering, A/V scanning, DLP and lots of other magic boxes. We create a sprawl of technology and devices to learn and try to correlate. I won't even get into the management burden or the problematic performance and context awareness. I hate the underlying principle: "It must be good if it isn't bad." Wow, that's messed up! We should be judging good and bad based upon characteristics and actions. It's not about who the user is or their previous reputation; rather, what are they doing now? The problem isn't just the use of bad applications or bad sites; it's also making sure threats don't exist on approved sites and applications. It's the mentality we already apply to mail servers: we have the approved corporate mail servers, but of course we still have to inspect content for threats. So, what makes much more sense is disallowing applications and sites that are inappropriate and then making sure approved sites, URLs and applications (e.g. Facebook) are not used in inappropriate manners or to propagate threats (e.g. Koobface).
On a personal note, Debbie and I have moved into another phase in our lives. We have two boys, age 22 and 18. Our youngest has joined the Marines and is in boot camp right now. He’s very patriotic, very appreciative of the sacrifices of those before us that have kept this great nation safe.
Boot camp is a 13-week process. The first week is all about processing, which is a fancy word for forms, shots and, quite simply, even clothes. We weren't quite ready for our youngest to leave, let alone for 13 weeks. We're very proud of him and we know he'll do fine. He was already physically preparing well in advance and was out running around with a backpack full of rocks. Needless to say, he's taking this seriously. I guess seriousness, intensity and passion run in the family.
As for us, we’re dealing with the big wait. We’ve gotten letters in the postal mail, the only form of communication at this phase in the process. Who would have thought we’d ever see a handwritten letter from one of our kids! Seems so old school and yet so priceless. The written word still has a different feel to it.
We also got to meet various friends of his going into the military. All I can say is that they are a fine bunch of young men (we didn't get to meet any women who had enlisted), and we ought to all be proud and thankful.
He signed on almost a year ago via a mechanism called DEP (Delayed Enlistment Program). As a result of that, a couple of great things happened:
He got his pick of what area to specialize in (also supported by his test scores)
He gets service credit for the time leading up to actual entry
He got his parents mentally prepared
DEP did require parental approval, as he was a minor at the time. The military is really quite selective these days. Contrary to what you might be hearing, there is not a shortage of applicants, and the military branches are selective. In the Marines, infantry is really hard to get into these days.
Knowing his interest in our country and that we had never been there, we went to Washington DC this summer. It was a truly unique and overwhelming experience. We started with a DC-based Segway tour to get a feel for the surroundings and did a whole lot of sightseeing. One of the special, unexpected surprises that we'd highly recommend is the National Museum of the Marine Corps. It's an amazing tribute to the U.S. Marines, and it surpassed any expectations we had prior to seeing it. It's near Quantico, VA, and it's a must-see 120,000-square-foot structure. More on that trip in a future article.