Today, nobody is secure: Keep targets moving to move the fight forward

Application Security Research Update: The State of App Sec in 2018

The antivirus (AV) market is being hit hard from all directions: new-generation unicorns claiming they are the next best thing since the invention of the wheel; McAfee looking for a new home; Symantec looking for growth engines in the network space; years of criticism by analysts and users alike about the loss of efficacy. And now, with Symantec’s latest news, comes the reverberating stories that the safe is not safe—rather, it is a vector of attack.

Google Project Zero researcher Tavis Ormandywho previously found critical bugs in some AV products, has now found more than nine in-memory vulnerabilities that result in full remote code execution and one kernel that results in direct kernel exploitation directly from usermodeVulnerable Symantec- and Norton-branded security products that are vulnerable include the following:

  • Norton Antivirus (Mac, Windows)
  • Symantec Endpoint (Mac, Windows, Linux, UNIX)
  • Symantec Scan Engine (All Platforms)
  • Symantec Cloud/NAS Protection Engine (All Platforms)
  • Symantec Email Security (All Platforms)
  • Symantec Protection for SharePoint/Exchange/Notes/etc (All Platforms)
  • All other Symantec/Norton Carrier, Enterprise, SMB, Home, etc. AV products
  • And the list goes on

So what now? 

1. The new-generation candidates will have their day in the sun, enjoying the fallout. But their joy will be short-lived, as their approaches are just another form of the same old narrative. Application security software vendors will shine for a moment, claiming that software can be perfect and without vulnerabilities, as long as you use their products. 

2. The analysts will praise the value of endpoint detection and response and monitoring as the last-resort line of defense against malicious attacks. This ultimately builds so many levels and requires so many specialists that the end goal of security becomes more elusive and more expensive than most companies could ever afford.

3. And the AV guys? Well, they will frantically try to explain the vulnerabilities away and add some new functionality, but NIH syndrome prevents them from adopting truly innovative outside technologies. The believers in all-or-nothing will ask their incumbent vendors to buy and integrate even more capabilities into their already bloated and ineffective platformsAnd the rest of the world? It will just forget about it again. As with every breach, we make a lot of noise for a few days and then promptly move on.

Key characteristics driving this conundrum include:

  • Unpredictable attacks

  • Predictably vulnerable products, including security products

  • Vulnerabilities that are impossible for both security vendors and their customers to catch up with

Therefore, here are two novel ideas to address this issue head on:

  • Hide vulnerabilities: New products should focus on real prevention and offer fresh approaches to defense. Rather than trying to fix or predict all the vulnerabilities that may or may not be exploited, products should make sure the vulnerabilities are not available for exploitation and that memory injections cannot be successful. Such a capability would even protect vulnerability attacks on security products. In short, protect the protector.

  • Focus on an effective prevention stack: The larger view is we need to start thinking of new stacks. Let’s shuffle the cards. Let’s stop being predictable. Let’s focus on risk management as the strategic impetus, rather than compliance. Let’s identify lean, best-of-breed stacks that focus on effective prevention and catching the bulk of attacks for the lowest cost. As a safety net, organizations can add a software or service for monitoring to help limit and remediate any fallout.

The most secure approach may be the combination of new technologies such as Moving Target Defense combined with existing “good hygiene” products such as AV. With all its flaws, AV is still the most effective prevention for run-of-the-mill malwareWith such an inexpensive stack, companies could possibly do away with HIPS/IDS, personal firewalls, tedious repetitive patching prompted by new vulnerabilities, and other techniques that do little to improve security efficacy but a lot to increase the inefficacy of workstations and their users. 

Or maybe, if enterprises have a very strong network perimeter including several AV engines in it, they do not need AV on their endpoints if they have a solution such as Moving Target Defense. A good advanced threat–prevention strategy can handle all these unknown, unpredictable attacks. If combined with a simple whitelisting or application control software, it will do the job.

One thing is for sure, as long as we continue to remain predictable targets and protect ourselves in predictable ways, security measures will be easy to bypass. As long as we continue to operate using the same short-lived defenses rather than creating unpredictability to the attacker, nothing will change and no one is safe.

Image credit: Flickr

Topics: Security