The news is rife with discussions about systemic failures in the intelligence community. It is a good thing we do not judge information security on the same scale of success. I know of not a SINGLE enterprise network that is not being repeatedly compromised with a deluge of malicious code. Can you imagine a world where we expected our anti-virus to actually protect us? Weren’t we all talking years ago about what would happen when people began writing custom code to attack YOU? Our most ubiquitous security problem today is certainly malicious code, and after recommending “Malwarebytes” to my 10th family member or friend last month to undo a successful phishing or drive-by infection, this problem certainly does single out anti-virus products as “anti-success.” So why do I pick on Intrusion Detection as the winner for institutionalizing failure in our security organizations?
I believe IDS started several negative trends that are still affecting the psyche of security personnel today. For the first several years, all iterations of IDS were so prolific in their alerting that they have left a decade-long aftertaste. Some would argue they still are. The very concept was flawed from the beginning, and was only considered because we had lost control and understanding of our networks. Systems and disk were simply not fast enough, or large enough, to analyze or understand our networks. We decided that we must look to technologies and solutions to determine what is bad on our network, ignoring the rest, and we turned to our first magic pill.
Whatever the case, they were the solutions that made “false positives” a mainstream security term. Think about that term for just a minute. To have “false positives” intrinsically implies that there could be some perfect solution: that it is conceivable, much less possible, to actually determine what is bad on your network. The problem was certainly not fixed as the vendors began marketing prevention, and the vast majority of IPSs employ little to no prevention because of the likelihood of false positives.
Now consider how many magic pills followed in the IDS wake. Remember when DDOS was the threat? A crop of DDOS mitigation products were made available to fix that problem. Where are those products today? Worms, Code Red and Nimda, gave rise to a swath of behavioral analytics products. If I remember correctly, we were supposed to see Insider Threat as the next big thing a few years ago? Weren’t data leakage and content monitoring systems supposed to plug that gap? And all along this timeline, I need to manage this unmanageable amount of logs, so let me invest in SIM/SIEM. SIM/SIEM not enough? Perhaps you should look at the “Big Fix.” The list could go on and on and on.
This is just a sampling of what you need to protect your networks, given the premise that you can automagically determine bad from good based on some mythical perfect ruleset. And oh yes, don’t forget: if you need help, you can outsource it. In the wake of “Aurora”, and systemic compromises of some of the largest, most technology-savvy companies in the United States, perhaps more will realize that compromise is INEVITABLE. If sponsored adversaries want to get into your network, they will LIKELY SUCCEED.
We are chasing our tails, still looking for that magic pill that will secure our networks, and have not once stopped to reconsider our approach. I single out IDS because it was the first, and loudest failure in the security space. I believe it showed the world that security products do not have to work often or at all, but can be marketed and sold successfully. I believe it began the cycle of point solutions that has created a generation that believes it is possible to secure our networks without understanding them.
It is time to realize that you will not know what is bad today until tomorrow. That you will not know the damage caused for hours, days, weeks or even months. No matter what you invest in, nothing can protect you from what you do not know. The threats we face tomorrow will not be the same as today. And most importantly, you are doomed to failure if you rely on some magic solution to determine what is bad.
Instead of building our defenses on a hodgepodge of point solutions designed to fix yesterday’s problems, why don’t we invest a modicum of our resources into an architecture that can analyze, interpret and record what is happening on your network, yesterday, today and tomorrow? Can we, for a moment, invest in regaining an understanding of what is traversing our network, and create a capability to adapt to tomorrow’s problems? That is the benefit in deploying NextGen.
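The argument above is that you cannot know today what is bad until tomorrow, so the network should be recorded rather than merely alerted on. The following is an added example, not code from the original post or from any product it mentions: a toy store of connection metadata (constructed flow records) that answers the retrospective question “which of my hosts talked to this indicator, and when?” once an indicator becomes known after the fact. The record format, the IP addresses (RFC 5737 documentation ranges), the domains and the timestamps are all constructed for illustration; a real deployment would index flow logs, proxy logs or packet capture instead.

```python
"""Retrospective lookup over recorded connection metadata (added example).

The post argues for recording what traverses the network so that an indicator
learned tomorrow can be checked against yesterday's traffic. This toy store
ingests constructed flow records and answers "which hosts talked to this
indicator, and when?"  Every record, address and domain here is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    ts: datetime   # when the connection was observed (UTC)
    src: str       # internal source address
    dst: str       # destination address
    dport: int     # destination port
    sni: str       # TLS server name if observed, else ""


def parse_iso(ts: str) -> datetime:
    # Accept a trailing 'Z' as UTC; fromisoformat() needs an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def parse_flow(line: str) -> Flow:
    # Constructed record format: "<iso-ts> <src> <dst> <dport> <sni-or-'-'>"
    ts, src, dst, dport, sni = line.split()
    return Flow(parse_iso(ts), src, dst, int(dport), "" if sni == "-" else sni)


class FlowStore:
    """Keeps every observed flow, indexed by destination address and TLS SNI."""

    def __init__(self) -> None:
        self.by_dst: Dict[str, List[Flow]] = defaultdict(list)
        self.by_sni: Dict[str, List[Flow]] = defaultdict(list)
        self.count = 0

    def ingest(self, line: str) -> None:
        flow = parse_flow(line)
        self.by_dst[flow.dst].append(flow)
        if flow.sni:
            self.by_sni[flow.sni].append(flow)
        self.count += 1

    def lookback(self, indicator: str, since_iso: str) -> List[Flow]:
        """All recorded flows to `indicator` (IP or domain) at or after `since_iso`.

        The indicator may be something nobody knew to alert on when the traffic
        was recorded; that is the point of keeping the record.
        """
        since = parse_iso(since_iso)
        hits = self.by_dst.get(indicator, []) + self.by_sni.get(indicator, [])
        return sorted((f for f in hits if f.ts >= since), key=lambda f: f.ts)


def affected_hosts(store: FlowStore, indicator: str, since_iso: str) -> List[str]:
    """Distinct internal hosts that contacted the indicator in the window, sorted."""
    return sorted({f.src for f in store.lookback(indicator, since_iso)})


# Constructed sample records: two internal hosts, four connections over three days.
DEMO_RECORDS = [
    "2010-02-01T09:12:03Z 10.1.5.23 192.0.2.44 443 update.example.net",
    "2010-02-01T09:15:40Z 10.1.5.23 198.51.100.7 443 cdn.example.org",
    "2010-02-02T14:02:11Z 10.1.9.8 198.51.100.7 443 -",
    "2010-02-03T08:45:59Z 10.1.5.23 203.0.113.9 80 -",
]


def build_demo_store() -> FlowStore:
    store = FlowStore()
    for line in DEMO_RECORDS:
        store.ingest(line)
    return store


if __name__ == "__main__":
    store = build_demo_store()
    # Suppose 198.51.100.7 is only identified as hostile on 2010-02-04.
    # The recorded metadata still shows who reached it and when.
    for f in store.lookback("198.51.100.7", "2010-02-01T00:00:00Z"):
        print(f"{f.ts.isoformat()} {f.src} -> {f.dst}:{f.dport} sni={f.sni or '-'}")
    print("affected hosts:", affected_hosts(store, "198.51.100.7", "2010-02-01T00:00:00Z"))
```

The store keeps everything and decides nothing at ingest time; the judgement about what is bad is applied later, against the record, which is the opposite of the alert-first model the post criticizes. Indexing by both destination address and TLS server name lets the same lookback answer for an IP indicator and for a domain indicator.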
“Not good enough” he said… “It needs to tap my analyst on the shoulder and say Hey – look at this!”
“Ah – like an IDS” I responded. He wanted a magic pill. Institutionalized Failure.