About the Sana Labs team


May 19, 2005

The IT Security market will never be "mature"

The security giants, such as Symantec and Cisco, are pushing for integrated suites of security solutions. They want us to believe that the best possible solution for the enterprise is one that includes all technologies from a single vendor. For example, Symantec has this to say:

... which combine firewall, intrusion detection, anti-virus and other technologies, Symantec set a new standard with protection that is more secure, less expensive and easier to manage than individual, non-integrated products.

Clearly, getting all your goods from one location would be easier, but there are several reasons why this is unlikely to ever work in security. The IT security industry is different from other IT industries, because the nature of the problem is always changing. A solution that is effective today is useless tomorrow, because the attackers are always coming up with new ways of compromising security. This requires continual innovation on the part of the defenders, and unfortunately, the big players are very poor at innovation. This is nothing specific to the security industry: it is well known that big players are poor at embracing innovation, particularly disruptive innovation.

Consequently, in security (as in every other industry), most innovation comes from the little guy, and the big players either stomp out the innovators, or acquire them, resulting in consolidation of the industry. Typically we see that when a new market niche appears, there is a "Cambrian explosion" of diversity as a plethora of new players emerge to target the niche, followed by a subsequent mass extinction as companies fail or get acquired, until only a few large players are left to dominate the niche. At this point, the industry moves on and the niche is left as a well-established and understood market category, with little innovation and simply refinements of old ideas.

But IT security doesn't work this way. The difference is that the market niches never stabilize, because security is a moving target. The attackers are always changing the game. They tend to do so in cycles, so just as the security industry appears to be consolidated and stabilized, a new slew of threats emerges to destabilize it. Good examples today are spyware, phishing and rootkits. All of these threats have required completely new approaches to security, which has led to an explosion of new small companies addressing these threats, and the increasing irrelevance of old-style anti-virus technologies. The security industry really fits the punctuated equilibria model.

Of course, the giants don't address these new threats effectively and so there is a feeding frenzy as the big boys snap up the small companies that do. So in the near future, we can see ongoing consolidation and mass extinction, but it won't last long: the next new threat will emerge and the whole process will repeat. Along the way, those giants that aren't nimble enough or lack foresight, believing they can rely on outdated technology, will topple. But the important point is that they can never get ahead of the game, they can never have the complete solution: that is just a pipe-dream.

This picture is further complicated by another peculiarity about security: the best technology is often the only technology that is useful. It's a well recognized adage that the best technology doesn't always win, but that is less true in IT security than in most other industries. Why? Because failures in security are not random, they are targeted; we have intelligent adversaries finding all the weakest points in the system. Consequently, a mediocre product could be worse than useless, failing catastrophically, where only a superlative product will actually work. In other industries, the difference between mediocre and superlative may not be that important, but in security it is critical. Security continues to be a best-of-breed buy and probably always will be.

So we have two pressures that keep up a rapid cycle of Cambrian explosion and mass extinction, preventing true consolidation:

1. New threats are continual, requiring new responses and innovations from the defenders, and the big guys can't keep up.

2. Failures are targeted and costly and hence mediocre solutions don't cut it, which favors best-of-breed and new innovative players, not established brand, especially as the nature of threats changes.

The IT security industry is particularly fascinating to me because it is so dynamic, and it gives the little guys a chance. It will never be a stodgy, mature industry.

Posted by sana at 03:07 PM | Comments (2)

May 17, 2005

Microsoft OneCare: The Wrong Security Model

MS is to begin testing its new OneCare subscription model out on its employees. This is an automated update subscription service that includes security features such as anti-virus and anti-spyware updates.

OneCare has some in the security industry up in arms. They claim that it's wicked for MS to charge money to fix its own software; instead it should produce secure software to start with. Of course, this is absurd: no company or open source community on the planet produces secure software, and none ever will, just as no company will ever produce bug free software.

I think it's laudable that MS is trying to do something about security, but it is going about it the wrong way. The subscription model using signatures is flawed. It will not save MS from the problem of security failures, because signature-based systems are failure driven: an attack has to occur before the defenses can be developed, meaning there is a failure in security for every new attack. MS will still get hammered for failing to provide secure systems.

There are also major business and perception problems with the signature-based subscription model. First, it creates competitive issues with existing security companies, and might get MS caught up in more anti-trust suits. Why go there if you don't have to? Second, it creates the potential for a conflict of interest: if MS wants to ensure that everyone uses its subscription service, then it will have an incentive to avoid fixing root causes (when such a thing is possible), because it will want its customers to absolutely need its service. For example, if MS could implement technology that (without signatures) effectively deals with most malware, would it? If it did, that would make OneCare much less attractive and MS could lose subscribers, so it would have an incentive not to implement the non-signature technology.

I think it would be much better for MS and its customers if, instead of doing security the old signature-based way, through OneCare, it implemented new and effective protection mechanisms that didn't require updates (and these do exist!). Then they would sidestep all the legal issues, the trust issues, the problems of continual failure, and consequently, profoundly change the way security for MS systems is perceived.

Posted by sana at 02:06 PM | Comments (0)

May 11, 2005

Evolving viruses

The May edition of Virus Bulletin has an interesting analysis of a virus called Zellome ("It's zell(d)ome the one you expect"). Zellome is unique in that it uses a genetic algorithm (GA) to generate decryptor routines for its polymorphic engine. Essentially, it generates a population of possible decryptors (arithmetic expressions), and mutates and combines them to find one that successfully decrypts the encoded data - which has been generated using a random quadratic function.

As the analysts point out, there are much easier ways to do the decryption, and the GA is time consuming (it can take as much as half a day to find a decryptor) and computationally intensive. Furthermore, the virus still contains an unobfuscated decryption loop, so it is easy to generate a signature for Zellome, and the polymorphism does nothing to affect this.

Although Zellome may be a rather useless application of GAs, the idea of an evolving virus is an intriguing one. In fact, the analysts speculate that the author of Zellome may have had the intention of evolving more than just the decryptor, because a 10MB buffer is allocated for the decryptor, which is large enough to easily contain the complete code - around 1.5MB.

There is already an evolutionary process that happens with computer viruses, but humans are closely tied into the loop, at several levels. Humans generate the viruses initially, and other humans define the fitness functions by devising means of eliminating viruses. Mutation is also implemented by humans - a typical virus will have many variants, which are essentially mutations of the original virus.

The polymorphism that we see today is not quite full mutation, because it is only the superficial appearance of some parts of the virus code that change; the functionality of the code does not change, and there are always some non-changing sections for the decryptor. The key to a truly automated mutating virus is one that has the ability to mutate its functionality, just as virus writers often change the functionality when they write the next variant of a virus.

As virus writers develop ways of mutating functionality, so the evolutionary process is likely to become increasingly automated. It will no longer suffice for an Antivirus vendor to develop a signature for a particular instance of a virus, because from one copy to the next, that signature will change - there will be no constant decryptor section to latch onto. This will require more automated response mechanisms that don't rely on detailed human analysis of the virus, because there will be too many variants to cope with. The consequence is that the automated response systems will provide an implicit fitness function for powering the evolutionary process.

We can imagine this ecosystem growing ever more complex and lifelike over time. One possible extension is using crossover: when a virus infects a new host, it scans for other viruses, and if it finds them, it uses parts of the other virus code to generate offspring. Of course, this idea could be taken much further - the virus could use bits of code from any program on the system, sort of like gene swapping in bacteria.

True mutation, crossover and gene-swapping could result in viruses that are completely autonomous, in that they survive without human intervention - in fact, even in the face of humans attempting to get rid of them. Currently, if virus writers stopped producing viruses, it wouldn't take very long for all the viruses out there to die out, because true virus novelty comes from the virus authors, not from an automated evolutionary process.

Truly autonomous viruses will really be alive, and it is fascinating to explore the consequences of this. Viruses will have to exist in a hostile world, where both human users and defense software are trying to eliminate them. Viruses will no doubt evolve to be adaptable, spread rapidly, and evade defenses.

But another bizarre consequence is that some viruses may evolve to be useful: just as our bodies have incorporated bacteria that once may have been parasitic (such as mitochondria), so computer systems may incorporate code from viruses that once were destructive. The key is that the selective pressure in these systems favors co-operation, so any virus that has useful functionality, or modifies existing programs in useful ways, will survive and prosper. For example, imagine a virus that evolves a new way of compressing code in order to transmit itself more efficiently - that compression algorithm would soon become extremely widespread.

Mutating viruses may not be all bad.

Posted by sana at 02:28 PM | Comments (2)

May 06, 2005

What can homeland security teach us about IT security?

There was an interesting article, purportedly written by an anonymous CSO, in CSO Online recently (thanks to Bruce Schneier for pointing that one out).

What intrigued me most about the article was what the comparison between IT security and homeland security said about IT security, rather than the other way around. Has the government really got it wrong, as the author would like us to believe? Are they really putting their money in the wrong place? Are they neglecting to do fundamental risk/cost trade-off analyses? Personally, I don't think you can really tell.

What is immediately apparent from this article is the difficulty of estimating the cost of failure. The author proposes measuring it in terms of lives lost, in which case 9/11 pales in comparison to lives lost from many other causes, such as traffic accidents. However, if we were to measure it in terms of monetary loss, the damage and destruction around 9/11 was enormous, and the monetary loss huge ($83 billion in 2001 dollars, according to the GAO).

What this illustrates to me is not that the government got the measure wrong, but that it is extremely difficult to measure the cost of failure when you are targeted by determined, unpredictable enemies. The same applies to IT security - it is extremely difficult to measure the cost of IT security breaches, because there are so many hidden consequences, and so many deferred and related consequences, many of which may not come to light for months or even years.

And if we are evaluating the cost of one incident, how much does that say about future incidents? Perhaps not as much as we'd like. How probable is it that we will see another attack exactly like 9/11? It seems more likely that the next attack will be something else, such as a dirty bomb, or even worse, a full nuclear bomb, smuggled into New York or some other major population center. How much does 9/11 tell us about the cost of that sort of incident? Next to nothing, unfortunately.

The same limitations often apply to IT security. One day the failure could be the theft of the CEO's laptop, with confidential company finances and strategic documents on it; another time it could be the loss of customer data, with an impact on customer retention, perhaps lawsuits, and even a drop in stock price. One failure doesn't necessarily help you predict the impact of the next failure.

That article illustrates only too well how hard the job is for both CSOs and for homeland security. Failures are unpredictable and the cost of a failure is unpredictable. Given that, it is very hard to hedge your bets, and put your money where it makes the most difference, get the gamble right. I don't envy those CSOs, or the people trying to get homeland security right.

Posted by sana at 05:32 PM | Comments (0)

May 02, 2005

Oh those spelling errors

Last week F-Secure reported on a nasty web site - gookle.com - that exploits a typing error to infest unsuspecting visitors with at least a dozen pieces of malware.

I would recommend you don't go anywhere near gookle.com, but of course, I didn't take my own advice and had to visit the site to see how well Sana's latest Active Malware Defense Technology (MDT) would work. I was extremely excited to see that it detected and stopped everything! By contrast, when I used several other popular commercial offerings of AV and anti-spyware software, with fully up-to-date signatures (at the time of testing), the best any of those signature-based systems could do was detect half of the malware.

In general, the purpose of this blog is certainly not to push my company's products, since this blog is totally independent from Sana, and intended to be a way of getting my random thoughts and comments out. However, this time around I felt this deserved a mention, because it illustrates something very important about the changing nature of malware and the security arms race.

Sana's Active MDT uses heuristics to look at program behavior to determine whether or not a running program is malicious. As such, it uses no signatures and doesn't need to know anything particular about the malware, as long as the malware does nasty things. Hence it was straightforward to detect all of the malware at gookle with Active MDT. By contrast, signatures aren't good at catching new varieties of malware, a fact that is clearly illustrated by the poor detection rates of traditional technologies on the gookle malware.

And these limitations in signature-based defenses are only going to become more extreme. In a previous posting I talked about how mutating and changing malware was avoiding signature-based defenses. The gookle attack is a good example of how new malware can avoid signatures. If attackers are going to go to the trouble of putting up such a website, there is no reason why they wouldn't use a tool such as Morphine to ensure that none of the malware on their site is detectable by signatures. Clearly they didn't do that for all the malware on gookle, but I suspect that in future attackers like them will.

Another point about the gookle site: we became aware of it when it was discovered by F-Secure, but gookle.com was first registered on the 30th December, 2000. So the site could have been up for a long time before it was discovered by F-Secure, and could have been infecting people all that time, and their signature-based AV defenses would have been largely useless. Signature-based technologies are playing catch-up, but I'm afraid they're falling further and further behind in the race. It's time for a change.
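As an added example (not Sana's code and not from F-Secure's report), here is a small detector for the kind of typo-domain that gookle.com relies on: it runs constructed DNS query log lines against a list of protected domains and flags any name within one edit (insertion, deletion, substitution or adjacent transposition) of a protected one, which also catches look-alikes that only change the TLD. The protected list, the log lines and the assumption that gookle.com imitates google.com are mine.

```python
import re

# Constructed list of domains we want to protect against look-alikes (assumption:
# gookle.com is a typo of google.com; example.com is just a second sample entry).
PROTECTED = {"google.com", "example.com"}

# Constructed DNS query log lines in a made-up "key=value" format.
LOG = """\
2005-05-02T13:50:01 client=10.0.0.12 query=www.google.com type=A
2005-05-02T13:50:07 client=10.0.0.12 query=www.gookle.com type=A
2005-05-02T13:51:19 client=10.0.0.33 query=mail.example.com type=A
2005-05-02T13:52:44 client=10.0.0.33 query=exmaple.com type=A
2005-05-02T13:53:02 client=10.0.0.41 query=cdn.unrelated.net type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute,
    or swap two adjacent characters, each counted as one edit."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[-1][-1]


def registrable(qname: str) -> str:
    """Reduce a query name to its last two labels (a simplification; production
    code should use the public suffix list to handle names like example.co.uk)."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookalike_of(domain: str, protected=PROTECTED, max_dist: int = 1):
    """Return the protected domain this one resembles, or None.
    Exact matches are legitimate traffic, not look-alikes."""
    if domain in protected:
        return None
    for good in protected:
        if osa_distance(domain, good) <= max_dist:
            return good
    return None


def scan_dns_log(text: str):
    """Return (client, queried domain, imitated domain) for each suspicious query."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            dom = registrable(m["qname"])
            target = lookalike_of(dom)
            if target:
                hits.append((m["client"], dom, target))
    return hits
```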

Posted by sana at 01:50 PM | Comments (0)