Tuesday, December 16, 2014

no malware defeats 90% of defenses

yesterday, 'security expert' robert graham penned a blog post claiming that all malware defeats 90% of defenses - a claim made in answer to the FBI's claim that the attack on sony would have been just as successful against 90% of other companies. as you might well imagine, however, robert graham was in error.

the error isn't a straight-forward one, but it is one that most of the security industry makes. it's an error in framing.

the security industry likes to frame the problem as automaton vs. automaton because that facilitates the comforting lie they tell their customers. businesses see security (not incorrectly) as something that costs them time and money and so they search for ways to cut those costs. the security industry, flush with skillful sales people, tells businesses what they want to hear: that they can cut costs and automate much of security, leaving only a handful of personnel left to operate a little like janitorial staff - cleaning up messes and keeping the automaton running smoothly. likewise, the security industry tells consumers what they want to hear as well: that they just need to install a product and that product will take care of security for them automatically.

in security, however, your adversary isn't a thing, it's a person. malware doesn't defeat defenses anymore than a pick and tension wrench defeats the tumblers in a lock. malware is an object, not a subject. it may have some small measure of autonomy (some more so than others), but it doesn't defeat anything - it's not the agent in that kind of scenario, it's simply a proxy for an intelligent adversary.

intelligent adversaries are notoriously good at outsmarting automatons. robert graham provided a wonderful example of that in his own post when he described creating brand new malware that went undetected by the anti-malware software being run by his targets. what he failed to do was take appropriate credit. it wasn't the malware the defeated those defenses, it was a person or persons with APT level skill (even if it didn't require quite that much skill to pull it off - he described it as easy, but easy is a relative term). the targets were compromised, not because they were using substandard defensive technology per se, but because they were relying on automatons to protect them against people.

in a battle of wits between an automaton and an intelligent adversary, the intelligent adversary has the advantage by definition.

so long as the security industry continues to tell their customers what they want to hear instead of what they need to know, those customers are going to continue relying on a stupid box to fend off smart people. that is a recipe for failure no matter what technology is involved.