IDS legacy is institutionalized failure
The news is rife with discussions about systemic failures in the intelligence community. It is a good thing we do not judge information security on the same scale of success. I know of not a SINGLE enterprise network that is not being repeatedly compromised with a deluge of malicious code. Can you imagine a world where we expected our anti-virus to actually protect us? Weren’t we all talking years ago about what would happen when people began writing custom code to attack YOU. Our most ubiquitous security problem today is certainly malicious code, and after recommending Malware Bytes” to my 10th family member or friend last month to undo a successful phishing or drive-by infection, this problem certainly does single out anti-virus products as “anti-success.” Why do I pick on Intrusion Detection as the winner for institutionalizing failure in our security organizations?
I believe IDS started several negative trends that are still affecting the psyche of security personnel today. For the first several years, all iterations of IDS were so prolific in their alerting that they have provided a decade long after-taste. Some would argue they still are. The very concept was flawed from the beginning, and only considered because we had lost control and understanding of our networks. Systems and disk were simply not fast enough, or large enough to analyze or understand our networks. We decided that we must look to technologies and solutions to determine what is bad on our network, ignoring the rest — and we turned to our first magic pill.
Whatever the case, they were the solutions that made “false positives” a mainstream security term. Think about that term for just a minute. To have “false positives,” intrinsically implies that there could be some perfect solution. That it is conceivable, much less possible, to actually determine what is bad on your network. The problem was certainly not fixed as the vendors began marketing prevention, and the vast majority of IPSs employ little to no prevention because of the likelihood of false positives.
Now consider how many magic pills followed in the IDS wake. Remember when DDOS was the threat? A crop of DDOS mitigation products were made available to fix that problem. Where are those products today? Worms, Code Red and Nimda – gave rise to a swath of behavioral analytics products. If I remember correctly – we were suppose to see Insider Threat as the next big thing a few years ago? Weren’t data leakage and content monitoring systems supposed to plug that gap? And all along this timeline, I need to manage this unmanageable amount of logs – so let me invest in SIM/SIEM. SIM/SIEM not enough – perhaps you should look at the “Big Fix.” The list could go on and on and on.
This is just a sampling of what you need to protect your networks, given the premise that you can automagically determine bad from good, based on some mythical perfect ruleset. And oh yes, don’t forget – if you need help you can outsource it. In the wake of “aurora”, and systemic compromises of some of the largest, most technology savvy companies in the United States, perhaps more will realize that compromise is INEVITABLE. If sponsored adversaries want to get into your network, they will LIKELY SUCCEED.
We are chasing our tails, still looking for that magic pill that will secure our networks, and have not once stopped to reconsider our approach. I single out IDS because it was the first, and loudest failure in the security space. I believe it showed the world that security products do not have to work often or at all, but can be marketed and sold successfully. I believe it began the cycle of point solutions that has created a generation that believes it is possible to secure our networks without understanding them.
It is time to realize, that you will not know what is bad today, until tomorrow. That you will not know the damage caused for hours, days, weeks or even months. No matter what you invest in, nothing can protect you from what you do not know. The threats we face tomorrow will not be the same as today. And most importantly – you are doomed to failure if you rely on some magic solution to determine what is bad.
Instead of building our defenses based on a hodgepodge of point solutions, designed to fix yesterdays problems, why don’t we invest a modicum of our resources into an architecture that can analyze, interpret and record what is happening on your network – yesterday, today and tomorrow. Can we for a moment, invest in regaining an understanding of what is traversing our network, and create a capability to adapt to tomorrows problems? That is the benefit in deploying NextGen.
A potential customer, after receiving a demo, commented recently on a single rule based alert that was added to a session during analysis called “suspicious file type” – saying the alert was a false positive because the executable downloaded was not malicious. I corrected him, and not just semantically, that there are no “false positives” here. There are simply flagged sessions based on intelligence, which add additional data elements. If you choose to write a rule that alerts when someone downloads an executable, it will do so. It does not make the assumption that that is a bad executable. Humans do that. Sure a single alert can be more valuable than others. Sure we can take a signature and incorporate it. However, it is the preponderance of the complete session analysis – perhaps various alerts, threat intelligence, and a deep detailed understanding of everything that happened in that session — all over time that provides your analysts the ability to ask very detailed and probing questions into your network — and get answers back immediately. Concerned about leakage? Ask those question of the system. Concerned about compliance, ask. Concerned about malware downloads – ask. Insiders? Targeted PDFs? Obfuscated javascript? Proprietary information? Law enforcement? By analyzing it all, we give you a platform for answers.
“Not good enough” he said…” It needs to tap my analyst on the shoulder and say Hey – look at this!”
“Ah – like an IDS” I responded. He wanted a magic pill. Institutionalized Failure.