Dailydave mailing list archives

Re: The monetization of information insecurity

From: John Strand <john () blackhillsinfosec com>
Date: Tue, 9 Sep 2014 12:27:07 -0600

Our problem may not be one of better AV/IDS/IPS, but rather an inherent
inability to think of new defensive tactics and technologies.

It is very hard to think beyond the toolsets we currently have and develop
new ideas.

It is even harder to sell it to investors.

john

On Tue, Sep 9, 2014 at 10:00 AM, Michal Zalewski <lcamtuf () coredump cx>
wrote:

The prehistory of anti-virus software is probably of note. In essence,
they served as a pretty reasonable solution to a nuisance problem of
slowly-evolving, long-lived viruses piggybacking on top of legitimate
executables carried around on floppy disks. There was no pretense of
providing any security boundaries, and the unique properties of this
distribution channel meant that you could actually offer users fairly
clear benefits when exchanging files with trusted parties.

The progression from that to being a primary defense against security
attacks on the Internet makes essentially no sense. I think it had to
do with the entire generation of tech-savvy users and corporate execs
growing up with this technology and incorrectly assuming that it would
scale up on the Internet, or that AV companies would be uniquely
qualified to tackle the problem.

The more interesting question is why has this myth persisted for so
long. It probably has to do with several things. For one, AV companies
made a lot of money and gained a lot of prominence, so they largely
control the narrative and overcrowd trade shows. There is also a
strong appeal for startups to imitate their methods and embrace the
same language.

Another reason may be that many people just hope for a silver bullet.
They don't want security to be hard - and they don't want to admit
that AV software + compliance checklists weren't necessarily the right
call back in the day (so it's the "threat landscape" that's changing,
they say). But there are no simple solutions, and if you're hoping for
some, you're likely to just part with your money and get relatively
little in return. I mean, the valuation of FireEye peaked at $10B not
long ago. Flashy threat intelligence (Crowdstrike, 0-day feeds) is
another popular way to go.

All in all, I don't think we can avoid repeating the same mistakes
over and over again. It's a funny industry because you can't really
measure success by any objective, transparent metric. I'm pretty sure
that the key to survival is to just have a competent and balanced
security team, and one that spends more time writing code than
defining controls for ISO 27001. But that's a tough sell, and given
the short supply of talent - and the difficulty in evaluating their
true skill - it is not a viable option for many small businesses.

So, what can we really give them, instead?

/mz

On Mon, Sep 8, 2014 at 7:07 AM, dave aitel <dave () immunityinc com> wrote:

So I'm heading to a conference shortly and I was going to promote them in
this email but they're apparently not a public conference. I'm on a panel
called "Identification of Emerging and Evolving Threats" with some non-US
Government people who seem pretty nice.

Anyways, now that I've guaranteed myself an exciting visit from security
services, I wanted to point out the one question everyone should be

asking

when they go to any conference and a new technology of any kind is

proposed

as any kind of forward movement for defense. And that is this: "How can

we

avoid making the mistake of Anti-Virus" ever again?

Because much like the Internet has been hamstrung at birth by the

parasitic

growth of the advertising industry, the information security community

has

been devastated for almost its entire existence by the dominance of
anti-virus companies and products which demonstrably haven't worked for
almost their entire reign, and in theory never could have scaled. They

are

broken by design. And because they sucked all the money and research and
people from the defensive community, no actual defenses were ever created
for IT that had a hope of working.

So the only question any team of government executives working on defense
needs to be thinking about is "How is this different from Anti-Virus in

the

long term? How can we avoid making that mistake ever again?" Because

until

you know how that mistake was made, and can avoid it for the next
generation, "Emerging and Evolving" threats will always be beyond your

power

to stop.

-dave




_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

_______________________________________________
Dailydave mailing list
Dailydave () lists immunityinc com
https://lists.immunityinc.com/mailman/listinfo/dailydave

Current thread:

The monetization of information insecurity dave aitel (Sep 08)
- Re: The monetization of information insecurity Brad Spengler (Sep 09)
  - Re: The monetization of information insecurity J. Oquendo (Sep 09)
  - Re: The monetization of information insecurity Dennis Groves (Sep 10)
    - Re: The monetization of information insecurity Michal Zalewski (Sep 10)
    - Re: The monetization of information insecurity Dominique Brezinski (Sep 11)
    - Re: The monetization of information insecurity Parity (Sep 12)
- Re: The monetization of information insecurity Andreas Lindh (Sep 09)
- Re: The monetization of information insecurity Michal Zalewski (Sep 09)
  - Re: The monetization of information insecurity John Strand (Sep 10)
- Re: The monetization of information insecurity Dan Guido (Sep 11)