There is a deep and amusing irony when products that are supposed to make you more secure are themselves subject to serious vulnerabilities. This isn’t particularly surprising considering that writing complex and secure software continues to be something humanity struggles with. Avastium’s ill-conceived and poorly executed browser is a good example, as Tavis Ormandy recently pointed out. Another recent example courtesy of Tavis was the trivial remote command execution and read-all-your-passwords feature from a Trend Micro browser plugin.
The popular opinion is that anti-virus is broken, and while this is true, it isn’t the entire story. In addition to AV not catching all threats, it is also creating them. Anti-virus attempts to safely parse countless file types in a non memory-safe language. This is one of the challenges that has bedeviled developers since someone’s initial fever dream told them it would be a good idea. It is the idea that AV companies have run with since the 1990s and we in our foolishness have bought into and made a regulatory necessity like when we all bought JNCO jeans.
The thing many are now realizing is that “defense in depth” is a double edged pantaloon, since it also expands the attack surface. With anti-virus vendors struggling to stay relevant, they’re forced to differentiate themselves by getting into areas they should stay away from. Why would Trend Micro or Avast want to meddle with a browser? Writing a browser is exceptionally difficult to do securely. Your AV company shouldn’t be making software security decisions based on quarterly revenue projections, but it is. Someone at those companies probably said it was a bad idea, but they got overruled.
Another hard truth: your AV solution is a rootkit belonging to the country where development occurred. Contrary to recent events, having your enterprise compromised by the Russians is not part of anyone’s strategic plan. Good rootkits follow the “nobody but us” rule of backdoors but AV tends to be a different kind of rootkit where most continuing development tries to violate that rule.
But AV isn’t the only problem. Any security tool, the ubiquitous Wireshark for example, has been prone to vulnerabilities. These will be harder to identify and mitigate because teams inherently trust these tools as the foundation of how they do their jobs. These vulnerabilities are a common blind spot in defense in depth strategy that need to be accounted for.
So what is the solution?
The overall lesson from the last 12 months of security product vulnerabilities is that whenever a new piece of software or device enters your network you must ask “what are the consequences of someone using this against me?” Once you’ve listed those consequences the next step is to eliminate, mitigate, monitor and contain as many of them as possible.
To start with, focus on the security tools you actually need. Instead of heaping mountains of security related software onto end user PCs, engineer a solution where a user can click on anything (because they will) and the impact will be something you can live with. From a security perspective, Windows users should have three pieces of software installed: some type of (domestic) AV that only does AV, Microsoft’s EMET and a monitoring daemon that will export logs and watches for new unrecognized binaries/DLLs.
Focus on segmentation/compartmentalization too. Deploying Qubes OS enterprise wide would be an engineering Mt. Everest, but their compartmentalization through virtualization idea is the way of the future. One of Qubes OS’s basic theses is that every desktop application gets its own dedicated VM through Xen. In such an environment, effective exploits need to function in a very limited time window and include a hypervisor escape.
Put more emphasis on faster incident response rather than prevention, but remember, monitoring tools can have flaws too. Our brothers and sisters on the defense side of the security spectrum have shifted their liturgy to embrace the idea that being compromised is no longer an “if” but a “when.” And those of us on the side of darkness have been insufferably chortling ever since, as though this is a declaration of defeat. Moving away from the antiquated signature-based model to one focused on meta analysis to detect suspicious behavior is a better overall strategy. We’ve seen this work in our own consulting practice at Immunity. A well engineered and analyzed monitoring infrastructure is a formidable opponent.
The battle doesn’t end when the first host is compromised and defenders have some distinct advantages they can capitalize on. Minimizing the attack surface on hosts and networks and making those attacks more costly is a big step. Effective monitoring can only come from deep knowledge of the environment and its patterns, which attackers won’t typically have.
Remember that there is no foundation of trust on any piece of software; think of each of them as a potential vector. Plan your incident response around this idea, maximize your advantages as a defender and become a hard target.
Dave is CEO of Immunity Inc., an offensive security firm that serves many Fortune 500s, major financials and federal agencies. The company provides penetration tests and develops pen-test tools like Canvas, Silica, Innuendo and Swarm. Immunity is a past contractor with ... View Full Bio