Dailydave mailing list archives
Re: So, the security industry has given up on the principles of least privilege and separation?
From: dan () geer org
Date: Mon, 16 Feb 2009 09:45:14 -0500
> Secunia is talking about reality, not hopes and dreams. In reality, the industry came up with three specific options: ...snip...
Disclaimer: I worked full time at Verdasys for five years and I am talking about their products, in which I do have an interest.

The issue of data loss, or for that matter proving to this or that authority that data loss did not happen, is a pure "reality, not hopes and dreams" laboratory. In the case of Verdasys' "Digital Guardian" product, once installed it makes admin privileges orthogonal to data protection. The product appeals to big firms who tend to deploy it on an enterprise basis, and there are now seven digits of seats so installed with many more in progress. Hosts which do not run DG are the ones who will be dealing with the bear, if you recall that joke. The précis is:

============

Digital Guardian is a recording reference monitor: an agent on every surveilled host communicating periodically with a no-wait-state collection depot arbitrarily located. The agent is small, tight, invisible, tamper-resistant, and low-load. Any touch whatsoever of local data is captured at the innermost operating system levels. Agents do 20,000-to-1 continuous log reduction, compress and encrypt bundles of these results, and push them to the collection system with end-to-end assurance, adapting to intermittent connectivity without intervention. Consequent to its complete real-time capture, questions requiring full enumeration of past actions (prove no one outside the CFO's staff read this document) and goals requiring zero-prep reaction (application whitelists and zero-day defense) become trivially feasible.

Less dramatically, forensics becomes possible at near-zero reconstruction cost, communities of trust become enforceable irrespective of conventional perimeters, data redaction at any level of granularity becomes auditably trivial and trivially auditable, silent alarms can signal enforcement authorities for anticipated events or for unanticipated exceptions, and honest people can be coached to remain honest without the risk of inadvertently preventing anyone from getting their job done.

An enemy able to strike location independently and without self revelation commands the defender to focus on pre-emptive strategies; pre-emption requires intelligence, and intelligence requires surveillance. For the electronic sphere, that surveillance has as its primary unit of observation either a data object or a person; only the former is at once versatile, no-load, inescapable, and an enabler of economic benefits that justify its existence at times of lessened danger and for prosaic purposes. Day-to-day use is a pre-requisite for that tool familiarity essential to its confident use in times of heightened need, as it is with any platform.

============

The second Verdasys product is SiteTrust, and it, too, is in seven figure rollout. It is a run-time installable protection that *depends* on the user/client having admin privilege, which is to say that if a user has admin privilege then you must assume they are 0wned already. If they are 0wned already and you need to transact with them, such as to permit their stock trading from their desktop via your datacenter, then you must 0wn their desktop for the duration of the transaction. If you make such temporary remote control a condition for the client to receive trade guarantees, then they will so agree, as has been shown. The point, if you like irony, is that the opposition has proven that the operating system is so complex as to be porous and they have demonstrated abundant mechanism to accomplish remote 0wnership.

This being an asymmetric war, we have no choice but to adapt their mechanisms to our ends, viz., we cannot hope to provide protections to electronic commerce clients unless we 0wn them, if only for the duration of the transaction and only after asking nicely.

I leave it to the list to debate whether such therapies violate "Primum non nocere."

--dan

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- So, the security industry has given up on the principles of least privilege and separation? Dave Korn (Feb 14)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? dan (Feb 17)
- Re: So, the security industry has given up on the principles of least privilege and separation? Joanna Rutkowska (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Andre Gironda (Feb 16)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 17)
- Re: So, the security industry has given up on the principles of least privilege and separation? Michal Zalewski (Feb 16)