Sunday, May 27, 2007

Security Evolved or Security Ignored?

I was reading a piece by Rudolph Araujo and it struck me how his analysis of the evolution of security is both spot-on, and also ignores quite a number of factors that I think are important.

Rudolph's point is that security is reactive to security threats and we develop security practices and defensive techniques only in reaction to attacks and new threats. I'd argue that warfare isn't all that different. In fact, I'm not sure of too many areas where there are attackers and defenders where this isn't the case. At the same time I do take issue with a few of his pronouncements that we're always reacting.

I started doing network and system security in 1994 or so. I was administering a network of SGI Indy systems on a college network and had to secure them against both outsiders as well as insiders. Some of the techniques we used to secure the machines and know our systems were good:
  • Automated configuration management (homegrown tools)
  • File integrity checking (tripwire)
  • Restricted Shells
  • Known-good builds (done by hand)
  • Hardened defaults (services off, extensive logging enabled)
    • Wietse Venema was a god, is probably still a god. Logdaemon and tcpwrappers were some of the best tools ever for securing a network.
  • Network forensics via TAMU netlogger
  • Automated log monitoring tools (home grown)
  • Keeping up with patches
  • Remote port checking (strobe)
Looking at the list above its pretty amazing both how far we've progressed, and how little in 13+ years. The number of truly new and useful tools for managing and securing systems just hasn't gone up that much. We knew back in 1994 that we needed to have automated configuration management, file integrity monitoring, hardened builds, etc. We knew we wanted good logging, network forensics, etc.
  • How much different than tripwire in 1994 are file integrity monitors today?
  • How much better is system logging than is was then?
  • How much better are network forensics than they were then?
  • Has anything gotten any better?
Maybe one reason we don't evolve is that we keep trying to reinvent the wheel in the security product space rather than just tuning tools we already have. Pretty much every item I list above is a major component of a tool we use today, but now I can buy it from 10 different vendors with a lot of hype, configuration options, and pretty much the exact same functionality you'd have used 13+ years ago. Is that progress? I'm not so sure.

I think the problem that is actually being highlighted is that is computers, like in car design and fashion, what was old is new again over and over.

Most of the components above get added together and get called NAC or autonomous systems.
We take networking scanning and such and add in a bit of vulnerability data and we get vulnerability scanners. Sort of useful, but maybe if I just turned off ports I'm not using and didn't have such a complicated setup the problem would fix itself.

For the most part we know what we need to do, we know how the attackers are going to attack, we've just spread ourselves so thin that we can't actually defend against them anymore.

We've seen the enemy, and it is us. The fundamental thing that needs to evolve isn't the technology, its our use of it. As we're growing our use of technology, pushing the technology further and further, we're coming to understand the human limits of running it.

Now that I'm helping manage security for a much larger organization 13+ years later I'm not worried (all that much) about new and novel attacks, I'm worried about tracking and managing the assets I have, how they are configured, managed, monitored, etc. I'm worried about who is using what data when, whether they are copying it, sending it, releasing it, etc.

Where we need the evolution is in systems that work better from the beginning. We need to make sure that the same old security problems don't keep coming up again and again and again.
  • I need operating systems that ship without all services turned on.
  • I need operating systems that let me easily set a security policy, and alert me to deviations.
  • I need operating systems that monitor their integrity, tell me about deviations, and let me automate alerts.
  • I need common logging across all of my devices so that I don't need a super complicated SEM to manage and interpret everything.
  • I need a flying car
Ok, I threw the last one in because its always on everyone's wish list. What I'm getting at is that my wish list hasn't changed in more than a decade and I'm still waiting.

So, while in the end I don't necessarily disagree with Rudolph on the reactivity point - maybe things are even worse than he thinks. We've spent the last 15 years making pretty much zero progress on anything.

No comments: