What is NOT Working in Security 2004 Anton Chuvakin, Ph.D., GCIA, GCIH Security Strategist October 6, 2004

Outline Threat Landscape Overview Current Emerging Underappreciated Non-threats Current countermeasures Working NOT working Underappreciated Emerging countermeasures Promising Questionable

Threat Landscape Overview

Current

Emerging

Underappreciated

Non-threats

Current countermeasures

Working

NOT working

Underappreciated

Emerging countermeasures

Promising

Questionable

Current Threats What is still out there ? Old classics  Malware Worms Viruses Trojans Backdoors Rootkits Hybrid/Blended malware Spam Malicious humans  Script kiddies Blackhats

What is still out there ? Old classics 

Malware

Worms

Viruses

Trojans

Backdoors

Rootkits

Hybrid/Blended malware

Spam

Malicious humans 

Script kiddies

Blackhats

Emerging Threats Coming strong  More malware Spyware (all kinds ) Phishing A wave of it! Network client attacks Web browsers and others Mobile (cell, PDA) attacks Just wait a bit more Wireless attacks IM attacks Source code attacks

Coming strong 

More malware

Spyware (all kinds )

Phishing

A wave of it!

Network client attacks

Web browsers and others

Mobile (cell, PDA) attacks

Just wait a bit more

Wireless attacks

IM attacks

Source code attacks

Less hyped threats Its there, but few care  Internal attacks and IP theft Web application security SCADA security Content/lexical attacks Zero day and custom attacks

Its there, but few care 

Internal attacks and IP theft

Web application security

SCADA security

Content/lexical attacks

Zero day and custom attacks

Non-threats Some think they are, but they aren’t Linux viruses Not going to happen (*). Period. Crypto attacks Crypto is never the weakest link (*) except in the lab or (in rare cases) custom written

Some think they are, but they aren’t

Linux viruses

Not going to happen (*). Period.

Crypto attacks

Crypto is never the weakest link

(*) except in the lab or (in rare cases) custom written

Remote Future Threats I am most certainly wrong here…but let’s use the “Feynman method” – whatever goes now will continue So, let's gaze into our extra-murky crystal ball User-driven malware will continue – users will not improve Script kiddies and blackhats will not vanish Hacking for money will increase – why do it for free Classic automated worms will decline (did I really say that?  ) Client attacks will increase as vendors harden servers Wireless attacks will become more frequent and impactful

I am most certainly wrong here…but let’s use the “Feynman method” – whatever goes now will continue

So, let's gaze into our extra-murky crystal ball

User-driven malware will continue – users will not improve

Script kiddies and blackhats will not vanish

Hacking for money will increase – why do it for free

Classic automated worms will decline (did I really say that?  )

Client attacks will increase as vendors harden servers

Wireless attacks will become more frequent and impactful

Countermeasures Working mean… Solve the problem AND Widespread AND Value for the money Not working is… Not solve the problem OR Niche OR Not get than you paid for Not appreciated: Can work if people use them more Fit the two of the above, but not widespread

Working mean…

Solve the problem AND

Widespread AND

Value for the money

Not working is…

Not solve the problem OR

Niche OR

Not get than you paid for

Not appreciated:

Can work if people use them more

Fit the two of the above, but not widespread

Gartner Take on It! OMG, did I just utter the “G word”?  What you definitely need: HIPS, quarantine, vulnerability management, IdM, audit logs, AES, SSL, anti-spam/AV, BCP What you probably don’t need: Quantum encryption, NIDS, biometrics, DRM, security awareness posters, 500 page policies, TEMPEST shielding, personal digital signatures, default passwords Source: Gartner, “Management Update: The Future of Enterprise Security”, Sep 15, 2004

OMG, did I just utter the “G word”? 

What you definitely need:

HIPS, quarantine, vulnerability management, IdM, audit logs, AES, SSL, anti-spam/AV, BCP

What you probably don’t need:

Quantum encryption, NIDS, biometrics, DRM, security awareness posters, 500 page policies, TEMPEST shielding, personal digital signatures, default passwords

Source: Gartner, “Management Update: The Future of Enterprise Security”, Sep 15, 2004

What works! Soft: End-to-end security process and defense in-depth Incident response process Hard: Firewalls VPN Vulnerability scanning NIDS - with correlation and context data NIPS - for a narrow range of known attacks

Soft:

End-to-end security process and defense in-depth

Incident response process

Hard:

Firewalls

VPN

Vulnerability scanning

NIDS - with correlation and context data

NIPS - for a narrow range of known attacks

As we prepare… What does the typical company deploy today ? Anti-virus Firewall Router ACLs Password management NIDS Anti-spam Are they happy with it? What else do they need?

What does the typical company deploy today ?

Anti-virus

Firewall

Router ACLs

Password management

NIDS

Anti-spam

Are they happy with it?

What else do they need?

What is NOT working? Anti-virus “ What  ? It’s the best we have” Well, not good enough. Patching People just don’t do it (tools work, processes don’t) NIDS – yes, it is in both categories! With no correlation and context data – it fails Anti-spam Well, it kills 99% of it and the remaining 1% kills you  Code reviews Application security is not getting better Security awareness Users are hopelessly broken…and will remain so

Anti-virus

“ What  ? It’s the best we have” Well, not good enough.

Patching

People just don’t do it (tools work, processes don’t)

NIDS – yes, it is in both categories!

With no correlation and context data – it fails

Anti-spam

Well, it kills 99% of it and the remaining 1% kills you 

Code reviews

Application security is not getting better

Security awareness

Users are hopelessly broken…and will remain so

Not appreciated Log analysis and log management Effective, but needs to be used more Hardening Even less popular than patching, works. HIPS It works. Do YOU run it? Probably not. Honeypots Honeyfarm or “honeytokens” deployment Security standards Standard is simple! Simple is secure!

Log analysis and log management

Effective, but needs to be used more

Hardening

Even less popular than patching, works.

HIPS

It works. Do YOU run it? Probably not.

Honeypots

Honeyfarm or “honeytokens” deployment

Security standards

Standard is simple! Simple is secure!

Future Countermeasures Promising Better firewalls Better correlation for IDS and logs Better client security NAC/NAP quarantine Worm defenses Questionable Pureplay anomaly detection

Promising

Better firewalls

Better correlation for IDS and logs

Better client security

NAC/NAP quarantine

Worm defenses

Questionable

Pureplay anomaly detection

Conclusion Security will remain fun!  It will be funded too as threats will persist Prevention will never supplant detection , detection will never supplant response – thus all technologies will remain Underappreciated today will move into mainstream tomorrow!

Security will remain fun!  It will be funded too as threats will persist

Prevention will never supplant detection , detection will never supplant response – thus all technologies will remain

Underappreciated today will move into mainstream tomorrow!

Thanks for Viewing the Presentation Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA http://www.chuvakin.org Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org Book on logs is coming soon! See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs

Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA

http://www.chuvakin.org

Author of “Security Warrior” (O’Reilly) – http://www.securitywarrior.org

Book on logs is coming soon!

See http://www.info-secure.org for my papers, books, reviews and other security resources related to logs