<div dir="ltr"><div>Our problem may not be one of better AV/IDS/IPS, but rather an inherent inability to think of new defensive tactics and technologies. <br></div><div><br></div><div>It is very hard to think beyond the toolsets we currently have and develop new ideas.</div><div><br></div><div>It is even harder to sell it to investors. </div><div><br></div><div>john</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 9, 2014 at 10:00 AM, Michal Zalewski <span dir="ltr"><<a href="mailto:lcamtuf@coredump.cx" target="_blank">lcamtuf@coredump.cx</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">The prehistory of anti-virus software is probably of note. In essence,<br>
they served as a pretty reasonable solution to a nuisance problem of<br>
slowly-evolving, long-lived viruses piggybacking on top of legitimate<br>
executables carried around on floppy disks. There was no pretense of<br>
providing any security boundaries, and the unique properties of this<br>
distribution channel meant that you could actually offer users fairly<br>
clear benefits when exchanging files with trusted parties.<br>
<br>
The progression from that to being a primary defense against security<br>
attacks on the Internet makes essentially no sense. I think it had to<br>
do with the entire generation of tech-savvy users and corporate execs<br>
growing up with this technology and incorrectly assuming that it would<br>
scale up on the Internet, or that AV companies would be uniquely<br>
qualified to tackle the problem.<br>
<br>
The more interesting question is why this myth has persisted for so<br>
long. It probably has to do with several things. For one, AV companies<br>
made a lot of money and gained a lot of prominence, so they largely<br>
control the narrative and overcrowd trade shows. There is also a<br>
strong appeal for startups to imitate their methods and embrace the<br>
same language.<br>
<br>
Another reason may be that many people just hope for a silver bullet.<br>
They don't want security to be hard - and they don't want to admit<br>
that AV software + compliance checklists weren't necessarily the right<br>
call back in the day (so it's the "threat landscape" that's changing,<br>
they say). But there are no simple solutions, and if you're hoping for<br>
some, you're likely to just part with your money and get relatively<br>
little in return. I mean, the valuation of FireEye peaked at $10B not<br>
long ago. Flashy threat intelligence (Crowdstrike, 0-day feeds) is<br>
another popular way to go.<br>
<br>
All in all, I don't think we can avoid repeating the same mistakes<br>
over and over again. It's a funny industry because you can't really<br>
measure success by any objective, transparent metric. I'm pretty sure<br>
that the key to survival is to just have a competent and balanced<br>
security team, and one that spends more time writing code than<br>
defining controls for ISO 27001. But that's a tough sell, and given<br>
the short supply of talent - and the difficulty in evaluating their<br>
true skill - it is not a viable option for many small businesses.<br>
<br>
So, what can we really give them, instead?<br>
<span class="HOEnZb"><font color="#888888"><br>
/mz<br>
</font></span><div class="HOEnZb"><div class="h5"><br>
On Mon, Sep 8, 2014 at 7:07 AM, dave aitel <<a href="mailto:dave@immunityinc.com">dave@immunityinc.com</a>> wrote:<br>
> So I'm heading to a conference shortly and I was going to promote them in<br>
> this email but they're apparently not a public conference. I'm on a panel<br>
> called "Identification of Emerging and Evolving Threats" with some non-US<br>
> Government people who seem pretty nice.<br>
><br>
> Anyways, now that I've guaranteed myself an exciting visit from security<br>
> services, I wanted to point out the one question everyone should be asking<br>
> when they go to any conference and a new technology of any kind is proposed<br>
> as any kind of forward movement for defense. And that is this: "How can we<br>
> avoid making the mistake of Anti-Virus" ever again?<br>
><br>
> Because much like the Internet has been hamstrung at birth by the parasitic<br>
> growth of the advertising industry, the information security community has<br>
> been devastated for almost its entire existence by the dominance of<br>
> anti-virus companies and products which demonstrably haven't worked for<br>
> almost their entire reign, and in theory never could have scaled. They are<br>
> broken by design. And because they sucked all the money and research and<br>
> people from the defensive community, no actual defenses were ever created<br>
> for IT that had a hope of working.<br>
><br>
> So the only question any team of government executives working on defense<br>
> needs to be thinking about is "How is this different from Anti-Virus in the<br>
> long term? How can we avoid making that mistake ever again?" Because until<br>
> you know how that mistake was made, and can avoid it for the next<br>
> generation, "Emerging and Evolving" threats will always be beyond your power<br>
> to stop.<br>
><br>
> -dave<br>
><br>
><br>
><br>
><br>
> _______________________________________________<br>
> Dailydave mailing list<br>
> <a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
> <a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
</div></div></blockquote></div><br></div>