June 09, 2005
CSI NetSec
If anyone reading this is going to be at CSI NetSec in Scottsdale, AZ next week, I'm giving a talk at 9:15 on Tuesday the 14th about ideas we can glean from biology to help secure computer systems. I'll talk a bit about immunology and how we can apply ideas from the study of immune systems to computer security: about layers in the immune system and in security, and about adaptivity in the immune system and how that is missing in our security systems. I'll also talk about the role of human intervention, both in immunity (for example, through vaccinations) and in security. Finally, I'll talk about response, how the immune system handles false positives, and how we need to redesign systems to be more secure, but not in the traditional way of having a secure or trusted codebase to build on; rather, a system in which no part is assumed to be secure or trusted.
So if you're there, come along!
Posted by sana at 04:15 PM | Comments (0)
May 19, 2005
The IT Security market will never be "mature"
The security giants, such as Symantec and Cisco, are pushing for integrated suites of security solutions. They want us to believe that the best possible solution for the enterprise is one that includes all technologies from a single vendor. For example, Symantec has this to say:
... which combine firewall, intrusion detection, anti-virus and other technologies, Symantec set a new standard with protection that is more secure, less expensive and easier to manage than individual, non-integrated products.
Clearly, getting all your goods from one location would be easier, but there are several reasons why this is unlikely to ever work in security. The IT security industry is different from other IT industries, because the nature of the problem is always changing. A solution that is effective today is useless tomorrow, because the attackers are always coming up with new ways of compromising security. This requires continual innovation on the part of the defenders, and unfortunately, the big players are very poor at innovation. This is nothing specific to the security industry: it is well known that big players are poor at embracing innovation, particularly disruptive innovation.
Consequently, in security (as in every other industry), most innovation comes from the little guy, and the big players either stomp out the innovators, or acquire them, resulting in consolidation of the industry. Typically we see that when a new market niche appears, there is a "Cambrian explosion" of diversity as a plethora of new players emerge to target the niche, followed by a subsequent mass extinction as companies fail or get acquired, until only a few large players are left to dominate the niche. At this point, the industry moves on and the niche is left as a well-established and understood market category, with little innovation and simply refinements of old ideas.
But IT security doesn't work this way. The difference is that the market niches never stabilize, because security is a moving target. The attackers are always changing the game. They tend to do so in cycles, so just as the security industry appears to be consolidated and stabilized, a new slew of threats emerges to destabilize it. Good examples today are spyware, phishing and rootkits. All of these threats have required completely new approaches to security, which has led to an explosion of new small companies addressing these threats, and to the increasing irrelevance of old-style anti-virus technologies. The security industry really fits the punctuated equilibria model.
Of course, the giants don't address these new threats effectively and so there is a feeding frenzy as the big boys snap up the small companies that do. So in the near future, we can see ongoing consolidation and mass extinction, but it won't last long: the next new threat will emerge and the whole process will repeat. Along the way, those giants that aren't nimble enough or lack foresight, believing they can rely on outdated technology, will topple. But the important point is that they can never get ahead of the game, they can never have the complete solution: that is just a pipe-dream.
This picture is further complicated by another peculiarity about security: the best technology is often the only technology that is useful. It's a well recognized adage that the best technology doesn't always win, but that is less true in IT security than in most other industries. Why? Because failures in security are not random, they are targeted; we have intelligent adversaries finding all the weakest points in the system. Consequently, a mediocre product could be worse than useless, failing catastrophically, where only a superlative product will actually work. In other industries, the difference between mediocre and superlative may not be that important, but in security it is critical. Security continues to be a best-of-breed buy and probably always will be.
So we have two pressures that keep up a rapid cycle of Cambrian explosion and mass extinction, preventing true consolidation:
1. New threats are continual, requiring new responses and innovations from the defenders, and the big guys can't keep up.
2. Failures are targeted and costly and hence mediocre solutions don't cut it, which favors best-of-breed and new innovative players, not established brand, especially as the nature of threats changes.
The IT security industry is particularly fascinating to me because it is so dynamic, and it gives the little guys a chance. It will never be a stodgy, mature industry.
Posted by sana at 03:07 PM | Comments (2)
May 17, 2005
Microsoft OneCare: The Wrong Security Model
MS is to begin testing its new OneCare subscription model out on its employees. This is an automated update subscription service that includes security features such as anti-virus and anti-spyware updates.
OneCare has some in the security industry up in arms. They claim that it's wicked for MS to charge money to fix its own software; instead it should produce secure software to start with. Of course, this is absurd: no company or open source community on the planet produces secure software, and none ever will, just as no company will ever produce bug free software.
I think it's laudable that MS is trying to do something about security, but it is going about it the wrong way. The subscription model using signatures is flawed. It will not save MS from the problem of security failures, because signature-based systems are failure driven: an attack has to occur before the defenses can be developed, meaning there is a failure in security for every new attack. MS will still get hammered for failing to provide secure systems.
There are also major business and perception problems with the signature-based subscription model. First, it creates competitive issues with existing security companies, and might get MS caught up in more anti-trust suits. Why go there if you don't have to? Second, it creates the potential for a conflict of interest: if MS wants to ensure that everyone uses its subscription service, then it will have an incentive to avoid fixing root causes (when such a thing is possible), because it will want its customers to absolutely need its service. For example, if MS could implement technology that (without signatures) effectively deals with most malware, would it? If it did, that would make OneCare much less attractive and MS could lose subscribers, so it would have an incentive not to implement the non-signature technology.
I think it would be much better for MS and its customers if, instead of doing security the old signature-based way, through OneCare, it implemented new and effective protection mechanisms that didn't require updates (and these do exist!). Then they would sidestep all the legal issues, the trust issues, the problems of continual failure, and consequently, profoundly change the way security for MS systems is perceived.
Posted by sana at 02:06 PM | Comments (0)
May 06, 2005
What can homeland security teach us about IT security?
There was an interesting article, purportedly written by an anonymous CSO, in CSO online recently (thanks to Bruce Schneier for pointing that one out).
What intrigued me most about the article was what the comparison between IT security and homeland security said about IT security, rather than the other way around. Has the government really got it wrong, as the author would like us to believe? Are they really putting their money in the wrong place? Are they neglecting to do fundamental risk/cost trade-off analyses? Personally, I don't think you can really tell.
What is immediately apparent from this article is the difficulty of estimating the cost of failure. The author proposes measuring it in terms of lives lost, in which case 9/11 pales in comparison to lives lost from many other causes, such as traffic accidents. However, if we were to measure it in terms of monetary loss, the damage and destruction around 9/11 was enormous, and the monetary loss huge ($83 billion in 2001 dollars, according to the GAO).
What this illustrates to me is not that the government got the measure wrong, but that it is extremely difficult to measure the cost of failure when you are targeted by determined, unpredictable enemies. The same applies to IT security - it is extremely difficult to measure the cost of IT security breaches, because there are so many hidden consequences, and so many deferred and related consequences, many of which may not come to light for months or even years.
And if we are evaluating the cost of one incident, how much does that say about future incidents? Perhaps not as much as we'd like. How probable is it that we will see another attack exactly like 9/11? It seems more likely that the next attack will be something else, such as a dirty bomb, or even worse, a full nuclear bomb, smuggled into New York or some other major population center. How much does 9/11 tell us about the cost of that sort of incident? Next to nothing, unfortunately.
The same limitations often apply to IT security. One day the failure could be the theft of the CEO's laptop, with confidential company finances and strategic documents on it; another time it could be the loss of customer data, with an impact on customer retention, perhaps lawsuits, and even a drop in stock price. One failure doesn't necessarily help you predict the impact of the next failure.
That article illustrates only too well how hard the job is, both for CSOs and for homeland security. Failures are unpredictable, and the cost of a failure is unpredictable. Given that, it is very hard to hedge your bets, to put your money where it makes the most difference, and to get the gamble right. I don't envy those CSOs, or the people trying to get homeland security right.
Posted by sana at 05:32 PM | Comments (0)
April 22, 2005
Built-in not bolt-on
I just gave a talk at the Systems and Software Technology Conference, the major IT conference for the Department of Defense. I had an interesting conversation with someone from a branch of the military, who told me about their need to have security "built-in" and not "bolt-on."
The reason? Laptops that are used on the battlefield can be in storage for prolonged periods of time between uses. If they rely on security systems that need updating, such as signature-based antivirus, they could be out of date each time they are deployed.
This could be a serious risk, since such machines may become internet-exposed, depending on their location in the network. And of course, it only takes a worm on one of the laptops to infect all the others. Furthermore, they may also be vulnerable via wireless.
Consequently, they would prefer it if they could have systems that are immediately protected when they are deployed. An interesting application of the Innate Defense concept indeed - the idea that you have inbuilt protections for common classes of security threats, such as buffer overflows. Innate defenses are generally not comprehensive, but solve one problem effectively, without requiring updates or tuning.
Posted by sana at 08:31 AM | Comments (1)
March 04, 2005
Network access control: a forlorn attempt to rebuild the perimeter
Let's face it, the perimeter is moribund, and no amount of desperate longing is going to bring it back. Certain segments of the industry recognize this and embrace the power and flexibility it gives business. For example, the Jericho Forum talks enthusiastically about "de-perimeterisation". They discuss the enormous savings they foresee in both cost and manpower, and the increased flexibility achieved by moving away from the definite perimeter.
But not all are happy with the loss of the perimeter. In particular, some industry giants seem to regard the perimeter as the only way to truly secure systems. For instance, Cisco is touting Network Admission Control (CNAC) as a way of protecting the computing devices on the network by only allowing those mobile devices that are "sufficiently secure" to connect to the network, for some definition of "sufficiently secure". This is clearly an attempt to return to the perimeter, because NAC is intended to once again create a notion of a secure "inside" versus an insecure "outside": everything verified by NAC is safely on the "inside".
Unfortunately, NAC is based on the assumption that you only really care what happens to devices on the "inside" - it offers no protection for those many mobile computing devices on the "outside". But the problem is that as workforces become more mobile, what happens "outside" matters just as much as what happens "inside", if not more. If the CEO's laptop is compromised "outside" the network, it could be an absolute disaster. It seems to me that as the workforce becomes increasingly mobile, any NAC system will end up protecting a diminishing core of computing resources, with increasing numbers of computing devices existing permanently outside of the protection scheme.
Even assuming that you only care about what happens "inside", there are other problems with the proposed NAC protocols. Industry expert Richard Stiennon has grave doubts about NAC. In his blog he discusses why he believes NAC will "never work". Most striking is his view that network administrators will never tolerate the extra overhead NAC adds when connecting to the network.
Another problem was pointed out by Vlad Gorelik, CTO of Sana Security. All NAC protocols are designed to quarantine a computing device if its signatures and/or patches are not current. Quarantined devices require remediation in the form of downloading patches and signatures to update the device, and full access is allowed only once the device is in compliance. But there is a conceptual flaw in the notion of bringing the device into compliance. It may be a simple and rapid matter to update the patches and signatures on the device, but that is no guarantee that the device has not already been compromised and doesn't harbor a nasty trojan. The only way to ensure that the system is not compromised is to do a comprehensive system scan, and that could take hours; if you've ever done a full system scan looking for spyware, you'll know what I mean. And considering the high likelihood of not keeping a mobile system up to date, many devices will require such scanning, which will cripple business operations. But the alternative of just doing a superficial scan is pointless, because it negates the whole idea behind NAC: that of only allowing "clean" devices to connect. A conundrum indeed!
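To make the flaw above concrete, here is an added Python model of the admission decision (example code, not part of the original post and not any vendor's NAC protocol). It compares a compliance-only policy with one that also demands a recent clean full scan; the posture reports, hosts and thresholds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed posture report a device would present at connect time (assumed fields).
@dataclass
class Posture:
    host: str
    missing_patches: int              # patches not yet installed
    signature_age: timedelta          # age of the AV signature set
    last_full_scan: Optional[datetime]  # None = never scanned
    scan_found_malware: bool          # outcome of that last full scan

MAX_SIG_AGE = timedelta(days=7)    # assumed "current signatures" threshold
MAX_SCAN_AGE = timedelta(hours=24)  # assumed "recent clean scan" threshold

def compliance_only(p: Posture) -> Tuple[str, str]:
    """Typical NAC check: current patches and signatures are the price of admission."""
    if p.missing_patches:
        return "quarantine", f"{p.missing_patches} patch(es) missing"
    if p.signature_age > MAX_SIG_AGE:
        return "quarantine", "signatures stale"
    return "admit", "compliant"

def compliance_plus_clean_scan(p: Posture, now: datetime) -> Tuple[str, str]:
    """Stricter policy: compliance AND a recent full scan that found nothing."""
    decision, reason = compliance_only(p)
    if decision != "admit":
        return decision, reason
    if p.last_full_scan is None or now - p.last_full_scan > MAX_SCAN_AGE:
        return "quarantine", "no recent full scan (remediation may take hours)"
    if p.scan_found_malware:
        return "quarantine", "last full scan found malware"
    return "admit", "compliant and verified clean"

def evaluate(reports: List[Posture], now: datetime) -> Dict[str, Tuple[str, str]]:
    """Map host -> (compliance-only decision, compliance+clean-scan decision)."""
    return {p.host: (compliance_only(p)[0], compliance_plus_clean_scan(p, now)[0])
            for p in reports}

NOW = datetime(2005, 3, 4, 9, 0)
SAMPLE = [  # constructed sample devices
    Posture("laptop-a", 0, timedelta(days=1), NOW - timedelta(hours=2), False),
    Posture("laptop-b", 0, timedelta(days=0), None, False),   # patched, never scanned
    Posture("laptop-c", 3, timedelta(days=30), None, False),  # stale on every count
    Posture("laptop-d", 0, timedelta(days=2), NOW - timedelta(hours=1), True),  # infected
]

if __name__ == "__main__":
    for host, (loose, strict) in evaluate(SAMPLE, NOW).items():
        print(f"{host}: compliance-only={loose:<10} with-clean-scan={strict}")
```

laptop-b and laptop-d are the point: both pass the compliance-only check, yet one has never been scanned and the other is known to be infected.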
Even if we step away from enforcing signatures and updates using NAC, there are still problems. NAC could be used to ensure that mobile devices are running other security systems that don't rely on signatures and updates, such as behavioral antivirus. Although apparently a good idea, NAC really is superfluous in this situation: if every device "inside" is already protected, then those devices are not under threat from infected machines, so why worry? And if the local security system on those devices is not proof against unprotected "Typhoid Marys", then having an operative security system as a price of admission is not sufficient to protect devices on the "inside".
I believe that the danger of NAC is that it could make people feel safe: it could lull them into a false sense of security and encourage them to live in the past and believe that once "inside", you can be open and relaxed; behind the fortress walls, you can let down your guard. That is a highly dangerous notion indeed: I'm worried that NAC is the placebo that encourages enterprises to ignore the very real danger that modern attack techniques pose in today's dynamic and distributed business environment.
Posted by sana at 12:15 AM | Comments (0)