Detection is Dead
It has been said before, by me and by others, but apparently not loud enough and not clear enough. It is time somebody comes up and say it —
Detection is Dead.
If you rely solely on detection mechanisms, hoping that one of them detect malicious content before allowing it to enter your network — your network is compromised, and someone that is not supposed to is currently going through your corporate secrets.
It’s time you move on to a new way of thinking about cyber security — isolation.
And now, for the less rowdy, yet much longer, version of things…
The job of most cyber security professionals in charge of protecting a certain corporate network is simple to explain and insanely difficult to achieve. Cyber security has long stopped being a business inhibitor, but has now become a business enabler. The goal of modern corporate cyber security professionals is to balance employee productivity with the robustness of the network. They need to understand how much they can “tighten the screws”, as my old boss liked to say, without it hampering users’ ability to actually do their job. Factor in concepts like BYOD and the erosion of clear borders between the internal and external networks (i.e. social media, cloud services, partner networks, etc…), and this job just keeps getting harder and harder.
The strategy for almost all current security solutions is the same — stop incoming/outgoing data, inspect for known and/or suspicious behavior, and allow it through if nothing malicious popped up. And so we come to the hard truth — if all of your security mechanisms are basically trying to detect malicious content, I can almost guarantee you that something, somehow, somewhen, made it through. This is not to say that there aren’t any good detection solutions out there; this is saying that no detection solution is perfect. In a recent study made by AV Comparative, they showed that no single solution caught all malware they threw at it. Even a 0.1% margin is not a 0% margin, and that means in the end, something was able to get through.
Moreover, as a corporate cyber security specialist, you have to consider three things:
- Corporate security is about compromises between technical superiority of solutions on the one side, scalability on the other, and manageability on the third. There’s a reason why Avira or Kaspersky are not the leading solutions for the Enterprise environment (and that’s an understatement…)
- Be honest — there are some production assets in your network you consider “too sensitive” to risk installing an anti-malware solution on. Or maybe you still believe that there are no malware aimed at Linux servers. Or maybe, just maybe, you still maintain that Windows 2008 Server no one dares to get rid of, and no anti-malware solution is able to run on it. You have holes in your security grid, where nothing is scanning nor detecting.
- These results are from a well controlled lab environment. In a real world environment, having to deal with thousands of files every day, most solutions will get worse positive and false positive results, and as the administrator you will likely lower their detection settings.
It’s even worse when discussing web filtering solutions. Traditional solutions like W̶e̶b̶s̶e̶n̶s̶e̶ Forcepoint, Iron Port, Bluecoat and the such are great products, each with its own pros and cons, but they all offer basically the same solution — every incoming piece of web data is scanned in hope to detect malicious content. Once again, as an administrator, you can either choose to enforce a strict and powerful security policy, or you can have happy users and free time to do anything other than to handle exceptions — you can’t have both.
At one point or another, something will get through.
So the question now is — is all lost? And the answer is, of course not.
If you’re willing to admit that the current way of working is not, in fact, working, it is time to consider an alternative. I personally believe that the next generation of security solutions will leave behind mechanisms like detection, and focus instead on isolation. Instead of scanning incoming content and hoping for the best, why not get rid the risk altogether?
Instead of scanning incoming files with an anti-malware or a sandbox solution, and then pass it on, as is, to the end-point, put it in an isolated space and let the user run it there. Or better yet, strip it, reconstruct it, and send a clean version to the user.
Instead of scanning incoming web traffic, utilize streaming technologies that give users the same look and feel of web browsing, without actual content ever reaching their workstation.
Instead of relying on any single end-point scanning mechanism to detect suspicious behavior, isolate and starve zero-day malware by simulating every possible end-point security mechanism in the market, making the malware think twice before acting.
All of these solutions are not in the future. They exist right now, and the longer you keep clinging on the past, attackers of today will go right in your network.
Have questions? Remarks? Want to know more about any of the technologies I mentioned? Contact me at firstname.lastname@example.org