The Future of Internet Security – Part I

Tuesday, May 5th, 2009 by Shlomo Touboul

Since early 2008 we have witnessed a major increase in Malware. If you check your Anti Virus signature database, you will find that it has grown by hundreds of percent, and keeps growing. This is not a surprise at all. When I founded my previous company, Finjan Software, in 1996, our “elevator pitch” was that, due to the explosive nature of the Internet, signature-based Anti Virus would not be able to keep up with newly released Malware. The Internet offers a super-connected, unique platform of widely “open” operating systems with published APIs (such as Windows), many tools to build Malware with minimal technical knowledge, and the ability to send CODE, not just data, from one computer to another.

It was only a question of time until we reached the point of half a million Malware signatures in the DB. That requires too much RAM on the PC and demands too many of its CPU cycles to operate. Today, most industry experts will agree with the Finjan ’96 vision: we need more security, we need it done differently, and we cannot pay the current toll to implement it.

So, where do we go from here? Back to basics. The following three principles are the three laws/pillars of any security system, whether it is a military line of defense, vault security, or, certainly, Internet Security:

Law #1: Use multiple lines of defense
Law #2: Use different security technology/strategy in every line of defense
Law #3: Seek maximum “depth” between each security line

[Figure: Security Lines of Defense]

Law #1 and Law #2 refer to the fact that every security line is like a net with certain holes. Using multiple nets, each with different holes, assures that they cover for each other, so the combined meshed net has far fewer security holes, or in other words, the security holes shrink. This is true only if one uses a different security technology on every line of defense, assuring that each will have different security holes; otherwise the effort is useless and the additional defense lines are redundant.

Law #3 requires “security depth” between each pair of security lines. It represents the attempt to keep the attack far from its target. This is easy to understand when guarding a country’s border and less clear in Internet Security or Computing Security, so let’s take securing a corporation from Internet Malware as an example. Nowadays, most employees enjoy access to the Internet from their corporate computers. It is IT’s role to assure maximum security for these PCs, reducing the risk presented by the Internet to a minimum. A close look at a typical corporation shows that IT deploys at least two security lines. The first is at the Gateway level, where a Firewall and Intrusion Detection and Prevention Systems (IDS/IPS) are deployed, followed by Web and Mail Proxies equipped with Anti Virus, Anti Spyware, Anti SPAM and Anti Phishing systems. This line of defense screens the traffic arriving from the Internet before it is transferred to the PCs connected to the corporate network. This is Defense Line #1. The technology used is “content inspection”, from the packet level up to and above the application level. IT also deploys a second line of defense: host-based security, running an Internet Security suite on every PC. It can be Norton Internet Security, McAfee Internet Security or any other Security Suite from manufacturers such as Trend Micro, Kaspersky, etc. This is Defense Line #2. It operates at runtime on the PC and intercepts the execution of every application or piece of code arriving from the Internet, checking it against the Malware Signature DB to detect a known attack. It is easy to see that Line #2 uses a different technology than Line #1 and therefore obeys Laws #1 and #2 above. The fact that traffic from the Internet first faces Line #1, and only after being screened continues inside and lands on the PC and Line #2, provides “security depth”.
It also means that the threats and attacks stopped by Line #1 never reach Line #2 or the PC, again constituting a “security depth” or “security zone” that stops the attacks far from their target.
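The “net with holes” picture of Laws #1 and #2, and the “what reaches Line #2” view of Law #3, can be made concrete with a small model. This is an added example, not part of the original post; the attack classes and the holes assigned to each line are constructed for illustration, and the two lines are labelled after the post’s gateway content inspection and host signature suite.

```python
"""Toy model of the three laws: each defense line is a 'net' that misses
some attack classes. Constructed example, not from the original post."""

# Constructed attack classes arriving from the Internet (illustrative labels).
ATTACKS = {
    "known-signature-trojan", "zero-day-dropper", "phishing-mail",
    "drive-by-script", "packed-variant", "spyware-installer",
}

# Each line of defense is described by the attack classes it *misses* (its holes).
# Constructed coverage; names follow the post's Line #1 / Line #2.
GATEWAY_CONTENT_INSPECTION = {"zero-day-dropper", "packed-variant"}
HOST_SIGNATURE_SUITE = {"zero-day-dropper", "drive-by-script", "phishing-mail"}


def attacks_reaching(lines, attacks=ATTACKS):
    """Law #3 view: the attacks that survive each successive line.
    Returns one set per line; the last set is what actually hits the target."""
    surviving = set(attacks)
    result = []
    for holes in lines:
        surviving = surviving & holes   # only attacks in this line's holes pass
        result.append(frozenset(surviving))
    return result


def combined_holes(lines):
    """Holes of the meshed net: an attack gets through only if every line misses it."""
    holes = set(ATTACKS)
    for line_holes in lines:
        holes &= line_holes
    return frozenset(holes)


def layering_gain(lines):
    """Attack classes the extra lines stop beyond the first line alone.
    A gain of zero means the extra lines are redundant (Law #2 violated)."""
    return len(lines[0]) - len(combined_holes(lines))


if __name__ == "__main__":
    same_tech = [HOST_SIGNATURE_SUITE, HOST_SIGNATURE_SUITE]
    diff_tech = [GATEWAY_CONTENT_INSPECTION, HOST_SIGNATURE_SUITE]
    print("same tech twice, gain:", layering_gain(same_tech))   # 0
    print("different tech,  gain:", layering_gain(diff_tech))   # 1
    for i, s in enumerate(attacks_reaching(diff_tech), 1):
        print(f"reaching past line #{i}: {sorted(s)}")
```

Deploying the same signature suite twice leaves the holes unchanged, while two lines with different holes shrink the combined hole to their intersection, and the per-line sets show how much of the traffic Line #2 never has to see.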

So, what I am suggesting in this blog post is that in order to successfully defend a PC and its resources/information from Malware on the Internet, a security system is required that effectively implements the above three basic laws of security. This means that we need to use different security technologies, deployed over different security lines with “security depth” between them, which makes the entire solution effective while minimizing the performance toll on the PC’s CPU. Does it sound like asking too much? Well, if you do not seek something, you will never get it.

I strongly believe that the days of adding thousands of Malware signatures to an already huge DB, hoping that this will be the best technology to fight Malware, are numbered: it is an old, overstretched strategy that is hitting the wall. Also, alternative solutions that do not follow the three basic Laws of security will fail, by definition, to meet the challenge of exploding Malware on the Internet.

Stay tuned, Part II will come soon.

Meanwhile, please feel free to comment and post suggestions, questions, etc.
Cheers, Shlomo.
