When Did We Lose the Endpoint Security Fight?

First, let me be specific about what I mean by “malware.” When I’m talking about malware, I am lumping together any type of malicious piece of software that can harm an end user or system. This means viruses, worms, trojans, keyloggers, rootkits, backdoors, etc. With that out of the way, I have to say that recent experiences in dealing with both security professionals and IT professionals have left me wondering: when did we concede defeat to malware? I have found myself explaining on multiple occasions to end users that “viruses happen.” Which is as if to say, “Sorry, nothing we can do about it, it’s just a side effect of using a computer.”

WHAT?!

When did we give up in the fight to protect our networks from malware? Furthermore, why, with advancing technology, aren’t we better addressing the issues relating to malware? The search for the answers to these questions has sent me down a virtual memory lane of the incidents and virus outbreaks that have truly shaped the modern-day IT security world. In the end, though, I found that the answer was simple: we conceded defeat when we became unwilling to move off of broken and backwards endpoint security models.

Consider the History

From Cloner to Conficker (1982-2009), security has always been a step behind malicious attacks. The introduction of malware to the world at large came in the form of somewhat damaging and annoying but simple pieces of software that we termed viruses. The simplicity of these pieces of software yielded a relatively simple solution that we termed antivirus software. These early ancestors of modern-day “Internet Security Suites” worked in a relatively simple fashion. Early antivirus would search files for a particular signature, and if that signature matched a known bad signature, the antivirus would mitigate the issue. Unfortunately, because the Internet was nowhere near as large or as useful as it is today, most antivirus signature engines were not updated regularly. This means that as infected floppy disks were being passed from machine to machine, most systems were left vulnerable to the new or avant-garde attacks of the day.

However, because the number of viruses in the wild was relatively small (by today’s standards), antivirus companies were able to produce a reasonably high level of assurance that their software would protect their customers’ systems. Furthermore, because antivirus software quite clearly did not enjoy the industry adoption that its modern-day relatives do, it made sense that the solutions were reactive in nature. Most organizations were looking to purchase antivirus software because they had experienced an incident or were experiencing an incident. Thus, it made sense that antivirus technology could be installed to alleviate a problem that already existed, as opposed to trying to prevent a problem from arising. In fact, this model for solving known security issues worked so well for many organizations that antivirus software became a de facto security solution.

Then something interesting happened: computers became interconnected through various networking technologies, and viruses became self-propagating over various mechanisms. Eventually we would call many of these self-propagating viruses worms, because they were capable of traveling from computer to computer on their own (through wire tunnels). Early worms such as the “Morris Worm” wreaked havoc on networks all across the world. These worms exploited software vulnerabilities in ways that the IT community had never considered before. Instead of modernizing the endpoint antivirus solutions already adopted by many organizations, most sought network technologies to try to prevent worms from accessing propagation vectors. For example, many integrated firewalls and gateway appliances that often scanned e-mails for viruses. However, most of the antivirus technologies available went unchanged: they were still using the exact same signature-based scanning techniques in an attempt to address the changing threat landscape.

It was not until the massive flood of malware such as Code Red, Nimda, Klez, Blaster, Netsky, Sasser, Slammer and a myriad of others that we really started to see changes. More sophisticated antivirus solutions became anti-malware solutions or Internet Security Suites that integrated endpoint security technology such as host-based firewalls, host-based IPS, host-based spam filters, privacy protection, and even vulnerability management solutions. These technologies, however, were purposed to prevent malware from exploiting vulnerable vectors on an endpoint, and wouldn’t prevent malware that was legitimately delivered to the system or was delivered over a vulnerability that the other technologies were not as yet aware of. Therefore, antivirus engine models also began to evolve to include technologies such as heuristic-based malware detection, behavior detection, file analysis, and file emulation.

However, even with these innovations, endpoint anti-malware alone does not offer a high level of security assurance. Thus, most organizations have also integrated multiple network technologies in an attempt to complement the capabilities of endpoint anti-malware: technologies such as NAC, which prevents users who may be infected from accessing the network segments of supposedly malware-free machines; Intrusion Prevention Systems (IPS), which stop a multitude of network-based attacks from exploiting endpoints; firewalls, which also prevent a multitude of attacks; and Network Behavioral Analysis Detection Systems (NBADS), which detect covert channels used by malware.

While all of these technologies working together properly does offer a much higher level of security assurance, there are unfortunately still a great deal of malware-related issues. Malware has evolved to take advantage of the logical cracks between the separate security technologies used in these models.

How Does This Outline the Defeat?

The security community has been doomed to fail in the fight against malware from the very beginning. We built our models on a last line of defense that is totally reactive. Anti-malware technology has made giant leaps in effectiveness with enhanced technologies such as heuristic- or behavior-based detection. Unfortunately, that technology will always be reactive to the constantly evolving threat environment. Furthermore, the security community has been doomed to fail because, instead of addressing that simple base issue, we have decided to tack on new technology. This has done little more than grow network complexity and blur the lines of which technology is really responsible for preventing malware-related issues. Of course, don’t get me wrong: I am a MAJOR advocate of network-based security technology such as content filters, IPS, firewalls, NBADS, and others. There are a multitude of reasons why these technologies are necessary. However, the underlying issue of malware still remains: we are doomed to concede defeat until we relieve ourselves of the blacklist endpoint anti-malware strategy.

Is There Light at the End of the Tunnel?

Quite possibly. The continued proliferation and maturity of whitelist anti-malware models offers a great deal of hope. Whitelist anti-malware breaks the trend of endpoint security solutions predicated primarily on a reactive approach to security. Whitelist anti-malware simply focuses on what is allowed on a system as opposed to what is not. Of course, this could cause a great deal of management overhead for organizations with dynamic environments. However, as whitelist anti-malware has continued to mature, most leaders in the space have made this a key focus area for the development that has gone into their products. And at this point, whitelist anti-malware technology is a HOT topic in the market.

Many leaders are now capable of assisting security-focused organizations in making the transition from ineffective blacklist models towards more effective, easy-to-manage whitelist models. In fact, whitelist technology already has one of the best penetration rates in organizations focused on building the best security model possible from the ground up. Organizations such as those conforming to NERC/CIP standards have been especially keen on adopting endpoint whitelist technology. Besides the benefits of compliance and security, there are also major benefits in configuration change and control for adopters.
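To make the contrast between the two models concrete, here is an added example (not code from the original post or from any vendor) that reduces the signature-scanning antivirus described under “Consider the History” and the whitelist model described above to their decision logic. The file contents, the signature marker and the policy are all constructed for illustration; a novel sample with no published signature passes the blacklist but is denied by the allow list, and the `approve()` step stands in for the change-control overhead the post mentions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Artifact:
    """A file as seen by the endpoint agent (constructed sample, not a real binary)."""
    name: str
    content: bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed samples; the byte strings stand in for executable contents.
LEGIT_EDITOR_V1 = Artifact("editor.exe v1", b"MZ editor 1.0 (constructed)")
LEGIT_EDITOR_V2 = Artifact("editor.exe v2", b"MZ editor 2.0 (constructed)")
KNOWN_MALWARE = Artifact("invoice.exe", b"MZ payload KNOWN_BAD_MARKER (constructed)")
NOVEL_MALWARE = Artifact("invoice_v2.exe", b"MZ payload with no published signature (constructed)")

# Blacklist model: scan file contents for byte patterns of samples already analysed.
BLACKLIST_SIGNATURES = [b"KNOWN_BAD_MARKER"]


def blacklist_verdict(artifact: Artifact) -> str:
    """Reactive: only content matching an already-published signature is blocked."""
    if any(sig in artifact.content for sig in BLACKLIST_SIGNATURES):
        return "block"
    return "allow"


class AllowList:
    """Whitelist model: the policy lists what may run; everything else is denied."""

    def __init__(self, approved):
        self._hashes = {sha256_hex(a.content) for a in approved}

    def approve(self, artifact: Artifact) -> None:
        """Change-control step: an administrator approves a new or updated binary."""
        self._hashes.add(sha256_hex(artifact.content))

    def verdict(self, artifact: Artifact) -> str:
        return "allow" if sha256_hex(artifact.content) in self._hashes else "deny"


def compare_models(artifacts, allow_list: AllowList) -> dict:
    """Side-by-side verdicts of both models, keyed by artifact name."""
    return {a.name: {"blacklist": blacklist_verdict(a), "whitelist": allow_list.verdict(a)}
            for a in artifacts}


if __name__ == "__main__":
    policy = AllowList([LEGIT_EDITOR_V1])
    samples = [LEGIT_EDITOR_V1, LEGIT_EDITOR_V2, KNOWN_MALWARE, NOVEL_MALWARE]
    for name, v in compare_models(samples, policy).items():
        print(f"{name:16} blacklist={v['blacklist']:5} whitelist={v['whitelist']}")
```

Note that the legitimate v2 update is also denied until it is approved, which is exactly the management overhead that dynamic environments have to plan for.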

The rapid adoption of this technology has interesting future implications, as the solidification of endpoints will allow organizations to focus on areas other than malware-related incident response and endpoint security. As a result, one would expect security postures to begin becoming more solid from the ground up. This could cause a far more sensible evolution in the methodology with which security models are built. Of course, at this point, one can only hope.
