i say tries because it goes horribly wrong when he calls signature based anti-virus systems outdated...
signature based anti-virus systems, or more generally known-malware scanners are capable of detecting (and often removing) the vast majority of malware in existence (despite what has been said recently about their performance on a very small subset of that malware) - only the malware that is too new to qualify as known is really outside it's reach... what's more it has the power to do so before control is ever turned over to that malware, thus preventing the malware from getting control/gaining an advantage... turning one's back on known malware scanning ammounts to turning one's back on knowing your enemy as known-malware scanners represent knowledge of the enemy (or at least one aspect of the enemy) codified into a programmatic form for ease of distribution and deployment...
my own preference for strategic military thinking is sun tzu, who is perhaps most famous precisely for his thoughts on knowing the enemy:
Hence the saying: If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.unlike the popularized misquote of "know your enemy" he's actually balancing knowledge of the enemy with knowledge of oneself - and by extension one's limitations and weaknesses (in order that one may know "when to fight and when not to fight")... not understanding the limitations of one's security measures prevents one from being able to effectively mix technologies and techniques so that the strengths of one can mitigate the weaknesses of another - basically preventing one from reaching any reasonable state of preparedness, which is a key to any effective strategy...
so what was johannes getting at, i wonder... well, for one thing he was quoting an entirely different military strategist - a one carl von clausewitz - but was clausewitz as cavalier about the importance of intelligence as johannes? it doesn't seem that way... as you can read here, although he talks at length about the innaccuracies of the intelligence one may have on hand, ultimately owing to the failings in those collecting and reporting it (intelligence itself has weaknesses and limitations and he tries to impress on the reader the importance of common sense and experience as a corrective measure), still maintains at the outset that the information we have about the enemy is "the foundation of all our ideas and actions"...
so then perhaps it's just johannes ullrich that underestimates the importance of intelligence in the formation of strategies - but how can that be since in the same post he's advocating information sharing which itself furthers the goal of gathering and using intelligence...
i think it must come down to the knowing oneself half of the intelligence equation... the notion that known malware scanning is a bad idea or outdated or the like has become quite popular and it seems to me that this often forgotten principle is to blame... knowing the strengths and weaknesses of the weapons in your arsenal (or that you could have in your arsenal), appreciating what they can and cannot do, and realizing what they represent strategically and how to deploy them tactically - these are the things people don't seem to understand, not even the CTO of the ISC...
known-malware scanners aren't outdated; they have obvious weaknesses that dictate one's strategy be supplemented with more generic techniques, but they also have considerable strength against a huge (and ever growing) body of malware... for every security defense you deploy there exists a counter-measure, but once the malware implementing that counter-measure becomes known (as all but the most narrowly targetted malware eventually does) it should no longer be able to sneak past known-malware-based defenses... known-malware scanning is weak against the counter-measure of novelty, but that's a counter-measure that expires...
in more simple terms: known-malware scanners are a form of information sharing between anti-malware experts and the rest of the world... throw that information away if you want, but at least realize what you're doing when you're doing that...
0 comments:
Post a Comment