A new cyber espionage threat dubbed “Sandworm” was revealed today. It exploits a zero-day flaw that exists in all supported versions of the Windows operating system, and has apparently been active since 2009. That is five years ago. That is five years that a malware threat has been circulating and actively compromising targets while remaining undetected. So is it time to admit that firewalls and antimalware tools simply don’t work, and to stop spending time and money on these traditional security tools?
The short answer is, “No”. Despite inherent inadequacies in addressing emerging threats, security best practices are still security best practices, and traditional security tools are still required “table stakes” that protect against the vast majority of common threats.
“The simple fact is that relying solely on perimeter defenses to keep attackers out has not been successful, and that has spawned a move towards more data- and identity-centric security models,” explains Geoff Webb, senior director of Solution Strategy for NetIQ. “But, we shouldn’t conclude from this that the traditional technologies are no longer relevant. The role of tools such as firewalls is as important as ever, because the simple fact is that the vast majority of attacks aren’t that sophisticated.”
Webb points out that most advanced persistent threats (APTs) tend more toward the persistent side than the advanced. The reality is that most attackers look for simple, well-known vulnerabilities to exploit. Firewalls keep out the majority of attacks and the other disruptive noise of the Internet, and, while signature-based AV may have seen its day, there are still plenty of old worms and viruses out there that it can, and does, prevent.
Marc Maiffret, CTO of BeyondTrust, says, “There is often a lot of talk about whether traditional security technologies such as anti-virus or firewalls are required. I try to frame the discussion not so much about traditional vs. next-generation, but rather security technologies that work based on signatures of known bad vs. technologies that are generic and more able to prevent unknown malware/attacks/etc.” Both traditional and next-generation security tools are necessary.
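To make Maiffret’s distinction concrete, here is an added example (not code from the article or from any vendor mentioned in it) that runs both kinds of detection over constructed samples: a signature scanner that only matches a known hash or byte pattern, and a generic heuristic that looks at what the buffer contains (process-injection API names plus a high-entropy, packed-looking region) whether or not it has been seen before. The samples, the “EVIL_DROPPER” marker string, the hash list, the API list and the entropy threshold are all constructed for illustration and do not describe any real malware family.

```python
"""Signature-based vs generic (heuristic) detection on constructed samples.

Added example for illustration only. Nothing here is a real signature,
real sample or a vendor's engine; all inputs are constructed below.
"""
import hashlib
import math
from collections import Counter
from typing import List

# --- constructed inputs -------------------------------------------------
MZ_STUB = b"MZ\x90\x00"                     # PE-style header stub (constructed)
HIGH_ENTROPY_BLOB = bytes(range(256)) * 4   # every byte value equally often: 8 bits/byte
INJECTION_APIS = (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread")

# The "known" sample, a recompiled variant with only the marker string changed,
# and a benign file: plain text, low entropy, no injection-related imports.
KNOWN_SAMPLE = MZ_STUB + b"EVIL_DROPPER_V1" + b"".join(INJECTION_APIS) + HIGH_ENTROPY_BLOB
VARIANT_SAMPLE = MZ_STUB + b"EVIL_DROPPER_V2" + b"".join(INJECTION_APIS) + HIGH_ENTROPY_BLOB
BENIGN_SAMPLE = MZ_STUB + b"Hello, world. " * 60

# --- signature-based detection: precise, cheap, blind to anything new -----
KNOWN_BAD_HASHES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}   # constructed hash list
KNOWN_BAD_PATTERNS = [b"EVIL_DROPPER_V1"]                       # constructed byte pattern


def signature_scan(data: bytes) -> bool:
    """True only if the exact hash or a known byte pattern is present."""
    if hashlib.sha256(data).hexdigest() in KNOWN_BAD_HASHES:
        return True
    return any(pattern in data for pattern in KNOWN_BAD_PATTERNS)


# --- generic detection: judges properties of the content, not its identity --
def shannon_entropy(chunk: bytes) -> float:
    """Bits per byte of a chunk; 8.0 means every byte value is equally likely."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum((c / n) * math.log2(c / n) for c in Counter(chunk).values())


def max_chunk_entropy(data: bytes, chunk_size: int = 256) -> float:
    """Highest entropy over fixed-size chunks; packed/encrypted regions score near 8."""
    return max(shannon_entropy(data[i:i + chunk_size]) for i in range(0, len(data), chunk_size))


def heuristic_scan(data: bytes, entropy_threshold: float = 7.0) -> List[str]:
    """Return the reasons the buffer looks suspicious (empty list means nothing found)."""
    reasons = []
    apis = [name.decode() for name in INJECTION_APIS if name in data]
    if len(apis) >= 2:                       # one API alone is common in legitimate tools
        reasons.append("process-injection API names: " + ", ".join(apis))
    entropy = max_chunk_entropy(data)
    if entropy >= entropy_threshold:         # threshold is an assumption for the example
        reasons.append("packed/encrypted region (chunk entropy %.2f bits/byte)" % entropy)
    return reasons


def classify(data: bytes) -> str:
    """Signatures first (cheap and precise), then the generic heuristics."""
    if signature_scan(data):
        return "known-bad (signature)"
    reasons = heuristic_scan(data)
    if reasons:
        return "suspicious (heuristic): " + "; ".join(reasons)
    return "clean"


if __name__ == "__main__":
    for label, sample in (("known", KNOWN_SAMPLE), ("variant", VARIANT_SAMPLE),
                          ("benign", BENIGN_SAMPLE)):
        print("%-8s signature=%-5s heuristic=%s" % (label, signature_scan(sample),
                                                     heuristic_scan(sample)))
        print("         ->", classify(sample))
```

The known sample is caught by both. The variant, with one marker string changed, evades the hash and the byte pattern entirely but still trips the heuristic, which is the "unknown malware" case Maiffret describes. The trade-off runs the other way too: legitimate installers use packers and debuggers call the same APIs, so a heuristic alone produces false positives that a signature never would, which is why the cheap, precise signature check stays in front of it rather than being replaced by it.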
Security incidents and data breaches are generally the result of shoddy security practices, poorly implemented security controls, and/or lax monitoring. Security best practices and traditional security tools still sift out most of the noise, freeing IT security personnel to focus their attention on the anomalous or suspicious activity that could be a red flag for a more insidious threat.
“The term best practices is a tricky one because in some cases it can work against you and actually weaken your defensive posture. The one thing an adversary is going to leverage in their attack campaign is any deterministic program whereby if they see pattern X, they can infer Y, where Y would be another state or process that leads to deeper penetration or a successful execution of a multi-phased attack, as APTs behave,” warns Lancope CTO TK Keanini. “I’ll expand by using the movie Ocean’s 11. The casino had defense in depth—in fact there were layers upon layers in their protection—but the attackers had an advantage because these defensive measures were predictable and thus could be defeated one by one. It is not defense in depth that is important—it is defense in diversity. If the best practice is to have a diverse set of defensive measures that are not highly deterministic, you have significantly raised the cost to your adversary’s operations—right where you want them.”
Tal Klein, VP of strategy for Adallom, puts the value of security best practices into some real-world perspective. “Always wear a seatbelt—this is a no-brainer. It significantly reduces your attack surface in the event of an accident. So, if you bought a car with airbags, should you still wear your seatbelt? Of course.”
Klein continues, “We could go on forever with this reasoning, talking about anti-lock brakes, accident avoidance systems, and so on—and I think you’d agree with me that even if we reach the point of a self-driving car, it’s still important to wear your seatbelt. So in the context of protecting your digital self—updating your antivirus is wearing your seatbelt, a firewall is an airbag, and so on. No security solution is bullet proof, it’s important to remember the basics.”
Maiffret sums up, “So really both types of technologies are needed—but that does not mean you will be buying two different products to solve these problems. I think we will continue to see more of the next generation security technology companies check the box on signature detection as simply another feature of their products.”
According to Maiffret, you can’t just forget security best practices and toss out your traditional antimalware tools tomorrow. But, as next-generation security platforms incorporate signature-based methods and take on the role of detecting and blocking known threats, you may find that you no longer need two separate products to get both.