Comment: Time to Change the Security Game

The Security Insanity Cycle: wash, rinse, repeat...and blame and train users

My head hurts – I’ve been banging it against the wall for a decade. And at an accelerated pace over the past two years – and pretty much every day since the start of 2011. Why?

Like many of you, I’ve watched as we slip further behind our adversaries, as the gap widens between offense and defense, and as they infiltrate our networks while siphoning off the keys to our future competitiveness. This is not FUD, it’s real.

Another day, another story – NASDAQ, London Stock Exchange, Night Dragon, Morgan Stanley. These stories are becoming more commonplace and barely warrant a blink of an eye from anyone in the know. Although these events are big, it’s not quite salacious enough to compete with the likes of Charlie Sheen in mainstream media cycles, that is, unless it involves him.

As security professionals bemoan the state of the industry in the echo chamber, the bad guys march on with more infections, millions of new malicious spam messages, obtaining intellectual property surrounding future product designs, discovering and exploiting government secrets, causing unaccounted costs in downtime, and stealing data from infected users. It’s a sad state of affairs. This isn’t anything you don’t already know, but it shouldn’t be acceptable, nor should we succumb to a defeatist mentality that the future holds a much worse scenario.

One root of the problem is that as an industry, we’re stuck in a self-perpetuating cycle of wash-rinse-repeat security, what we call the ‘Security Insanity Cycle’. It usually starts with detecting a compromised machine. This kicks off a remediation-recovery procedure to restore the machine and network back to a clean state, followed by a compliance cycle where all machines are patched to the latest versions of the software. Wash, rinse, repeat…and did I forget to mention blame and train the users?

For the security industry, this cycle ensures repeat business. It has spawned entire industry segments in managed security services providers (MSSPs), penetration testing, intrusion detection services, recovery and remediation, and training for each of these activities. In turn, the people responsible for managing enterprise networks repeat the three main security activities at great cost and somehow expect a different result.

One effect of the Security Insanity Cycle is that the economics flowing to these activities drive companies and talent in this direction, rather than toward addressing the underlying problems that enable these exploits. The money is funneled into servicing the problem rather than toward engineering solutions to solve it.

As an industry, we put people who break systems and identify flaws on a pedestal, rather than people who design systems to be secure from attacks. BlackHat and other conferences highlight the exciting new ways to break systems; maximum street cred goes to those who break systems as opposed to the people who build secure systems. Today, the best security talent is hired by government contractors to identify nifty ways to break systems or find flaws in software, with the gilded prize being zero-days.

Clarion call – it’s time to change the game.

So how do we break the Security Insanity Cycle? We need to get back to basic engineering. Commercial software, such as that found on desktops and servers, requires only a single error in allocating memory in a program to, for example, allow remote unauthorized access to fully control the system. Many browsers have upwards of one million lines of code, any of which could enable an adversary to take control of the machine with only 20 lines. In other words, today’s software systems are fragile and provide asymmetric advantage to attackers.

However, finding flaws in code isn’t necessary. With millions of corporate and government users on the internet every day, malware writers have shifted tactics to target the user. By appealing to natural curiosity, malware writers can get unsuspecting users to do their bidding for them, as scareware and phishing scams have effectively shown. Tigerblood and Adonis DNA today, some other train wreck tomorrow.

If we want to break the Security Insanity Cycle, we need to engineer systems to be resilient to attack. This requires stronger architectures, ones that separate untrusted from trusted code, that do not depend on flawless programming in a million lines of code, and do not depend on every user to make correct security decisions for the network to be secure.

We can’t count on segregating the internet into good and bad places because we cannot assume a site hasn’t been compromised or isn’t serving up malware through syndicated content. Perfect example: a trusted site like the London Stock Exchange unknowingly served up malicious content through advertising. The reality is any content that lives on or comes from the internet cannot be trusted.

Resilient architectures that separate untrusted content from the trusted at the network, operating system and application layers are necessary. Virtualization is one technology that can isolate untrusted content from trusted computing bases with little disruption and seamless integration with the user experience. Separating software that runs untrusted internet content into fully virtualized operating systems is wholly feasible now with commodity systems. Keeping exploits from ever reaching the user’s system, while tracking them in real time to capture forensic detail that feeds the broader signature-based infrastructure, extends that infrastructure’s life and re-establishes its usefulness.

Is this the security panacea? Of course not, and there will never be one. We all need to invest and re-invest to keep ourselves ahead of the bad guys. But won’t the bad guys, then, turn their sights to breaking out of the virtualized environment? Sure, but if we shift the target of attack from browsers and operating system software to finding vulnerabilities in hypervisors, we will have succeeded. We will have dramatically increased the cost to the attacker and significantly reduced the number of players on the exploit side.

Right now, our adversaries have us beat. The time has come to show them we are still in the fight and introduce real preventative measures to move them on to other pastures.


Anup Ghosh is the chief scientist and founder of Invincea. Dr. Ghosh is a recognized internet security expert, author of three books on e-commerce security, author of more than 40 peer-reviewed research papers in security, and a former DARPA program manager who created and managed a broad portfolio of information security programs. He was awarded NSA's Frank Rowlett Trophy for Individual Contributions in 2005 and the Secretary of Defense Medal for Exceptional Public Service for his contributions while at DARPA. He was named to the Naval Studies Board for a National Academies Study in 2008 on Information Assurance for Network-Centric Naval Forces. Ghosh received his bachelor of science in electrical engineering from the Worcester Polytechnic Institute and a PhD in electrical engineering from the University of Virginia.