I was with a prospect the other day and was asked what, at least for me, was a very thought-provoking question. We were discussing the two major areas of application for Triumfant – continuous enforcement of security configurations and real-time malware detection and remediation – and he asked why you would need the latter if the former was done properly. In other words, if all of my endpoint protections are in place and everything is properly configured, why am I still getting attacked?
Simple and logical question, right? But it led me to think long and hard about why attacks happen at a very elemental level. We in security face this question from the powers that be because they cannot understand why attacks still come even though we have added multiple layers of defense.
After consideration I came up with three reasons. For perspective, my reasons are very much endpoint-centric and presume the attacks have already made their way through protections at the network level, so this is not a cloud-to-ground holistic view. Each reason is based on the assumption that the preceding reason(s) have been fully addressed and the gap they represent is closed – each reason stands on its own as a problem. And I will resist the urge to plug in how Triumfant addresses each gap, but I have noted blog entries that do if you care to read on.
Here are my three reasons:
- Attacks get through because the machines and the protection software deployed to protect them are not configured to be secure. The analogy is simple: the most well-designed and secure deadbolt lock only secures a door when the deadbolt is engaged. Too frequently, endpoint protection tools are either improperly installed or improperly configured to perform the tasks for which they are intended, so attacks make it through. For how Triumfant addresses the configuration management gap, see “A New Approach to Configuration Management”.
- Attacks get through because traditional endpoint protection tools miss known attacks even when there is a signature for that attack and the protection is properly configured. The failure rate depends on whose statistics you choose to use, but Gartner puts the detection failure rate at two to ten percent, while other studies show failure rates exceeding fifty percent. Given there will be well over 5M signatures by the end of 2009, ten percent is non-trivial. See “Antivirus Detection Rates – It is Clear You Need a Plan B”.
- Attacks get through because they have been carefully designed and engineered to evade traditional endpoint protections. These include zero-day attacks, rootkits, targeted attacks and the work of the malicious insider. Zero-day attacks are more generic in nature and rely on the fact that most tools require prior knowledge of an attack in order to detect it. Targeted attacks are designed specifically to infiltrate networks and applications to retrieve sensitive information or financial data. See “It is Raining and You Will Get Wet”.
I am not saying this is groundbreaking thinking, but if you put things into this perspective, it clearly defines the gaps in protection and subsequently provides a roadmap of what must be done to protect your endpoints. Reducing the attack surface is clearly not enough. Antivirus is not getting it done – even the AV vendors say so. And the bad guys are relentless in their pursuit to exploit any crack in the defenses.
So what do you think? Too simple or simply brilliant?