Saturday, November 10, 2007

using multiple scanners is not defense in depth

i often come across nuggets of information that i want to respond to (often because they represent fundamental assumptions that i think are wrong) that don't really have anything to do with the main point of the article, so i'll leave it as an exercise for the reader to guess who mentioned using 2 different scanners as being a part of defense in depth...

that post didn't have anything to do with av and this post doesn't really have anything to do with that post but the idea that using one vendor's scanner at the gateway and a different vendor's scanner on the desktops qualifies as defense in depth is actually fairly old and oft-repeated so this really goes out to a fairly broad audience...

using multiple scanners is NOT defense in depth... at best it's defense in breadth... known malware scanners all have essentially the same strengths and weaknesses, they all look for and block essentially the same sorts of things, there's going to be very little caught by one that isn't also caught by the other so they don't really complement each other...

the premise of defense in depth is that any given defensive technique has both strengths and weaknesses and overall defense can be stronger if that technique is combined with one or more other defensive techniques that are strong where the first one is weak... no layer in the defense is impenetrable but in combination the layers together approach much closer to impenetrability...

so defense in depth requires complementary techniques/technologies and in so far as av companies are increasingly providing that in their suites, using similar products from multiple vendors doesn't get you any more defense in depth than you could have gotten with a single product because similar products are not complementary... what it can get you, however, is best of breed - some scanners may have features that make them better suited to gateway usage than others...

of course one could argue that they regard defense in depth as having defenses at multiple perimeters (the gateway and the host machines) but again, if those defenses are mostly the same then the inner layers of defense won't really be adding that much more to the overall defense... so using multiple similar products at different perimeters doesn't really add to the depth of your defenses, instead it adds redundancy which is the primary ingredient of fault tolerance...

2 comments:

pb said...

Excellent point kurt. This type of false sense of security is also exemplified by the various movements to integrate multiple scanners within a single desktop or email server/gateway. There's an interesting tool by CastleCops MIRT that does combinatorial analysis using up to 4 different scanners and is a nice way to proof your point: http://winnow.oitc.com/avcentral.html

kurt wismer said...

hmmm, that's an interesting site, thanks for the url...