Defense in Depth – There is No Perfect Shield
April 20, 2010 Leave a comment
Everyone wants the perfect shield for their endpoint population. All malware should be detected and blocked before it has a chance to do anything bad to any given machine. Nothing less is acceptable.
Defense is always playing catch up. Always has been, always will be. Today’s stellar defense is one offensive innovation from being compromised. It is the nature of the game and examples abound.
My family spent spring break in London and Paris and saw all manner of personal armor that was quite effective – until the crossbow was perfected. In the 19th century, the best and brightest were trained as military engineers because the construction of earth works was critical to defending fortified positions against cannon fire – until the airplane arrived and munitions could be delivered from directly above a position.
The gap does not always come from leaps of technology or sophistication. When the U.S. forces entered Iraq it was the improvised explosive device (IED) – crude, homemade weapons – that forced the need to retrofit our advanced vehicles with additional armor. Statistics abound how major threats (Conficker) were based on simple vulnerabilities that had been identified six months or more before their use.
Today we in IT security chase the same elusive goal and ignore the obvious: there will always be gaps and stuff will always get through. It is time that government agencies and businesses come to terms with the inevitable and think about technologies that can help them detect what does make it through their defenses instead of continuously chasing the promise of the perfect shield.
The adversary is tirelessly creating new attacks that evade existing defenses. Sometimes those attacks evade detection for weeks and even months. And when they are detected, there is lag between when the attack is analyzed, a protection built, and the protection deployed. During that gap organizations are at risk. And given that so much of the detection tools still rely on previous knowledge of an attack to see the attack, organizations are often left unaware that they were breached, much less empowered to fight back.
Stuff will get through. Any vendor or expert that tells you otherwise is not being honest. There is nothing wrong with seeking protection from attacks, but you are putting your organization at risk if you do not have something in place when the inevitable happens. It also makes sense that a new approach is needed, because if the attack got through it follows that the normal protection techniques have been evaded.
Change detection has long been viewed as the right approach for detecting attacks that make it to a machine. The logic is simple – unless the attack can enter the machine, start itself and perform its malicious activity without changing the machine, change detection is an effective triggering mechanism for analysis and ultimately identifying the attack.
Triumfant can not only detect and analyze these attacks, it will correlate changes so you can see the full extent – primary and secondary artifacts – of the attack and will even build a remediation that is contextual to that attack on that specific machine. It can take what it learns and recognize subsequent attacks, or if the attack morphs it will still see it based on the changes.
One of the most downloaded blog entries was called “Antivirus Detection Rates – It Is Clear You Need a Plan B”. The more I think about the title, the more I realize I was wrong: having a tool in place that will detect what passes through your shields is a Plan A item and must be part of any defense in depth strategy. Stuff will get through, and you need some form of detection capability when all of the shields fail.