Saturday, November 27, 2010

The death of HIDS and HIPS vs. the smartest men in the network syndrome: Part One

On June 11, 2010, after a lengthy period of rumor and speculation, Cisco Systems officially pulled the plug on the Cisco Security Agent, their host intrusion detection system (HIDS) and host intrusion prevention system (HIPS) solution. There were no official reasons given, or at least officially documented, making the situation ripe for hypothesis, backlash, conspiracy and general discussion on the direction Cisco was heading in the security industry as well as the direction of security in general. So what are the reasons they canned it? And what is the direction of security in general? I'll address both soon (look at that foreshadowing in an attempt to keep the reader, well, reading ;) I should be in media). But first a brief history ...

Cisco acquired the technology from Okena on January 24th, 2003 after a failed partnership with HIPS application provider Entercept in 2001. Entercept eventually got bought by McAfee the same year. Both were considered "behavior-based" intrusion prevention systems that relied not on typical string-based identification (a la your typical anti-virus application, which needs to be updated frequently in order to be armed against recent malware), but rather on behaviors and configurable policies that were deemed "acceptable" to the system. For example, unknown applications are not allowed to capture keystrokes, write into the memory space of another application, or perform a buffer overflow. Because of this design, both CSA and Entercept had the default ability to prevent "zero-day" attacks, or attacks on systems exploiting vulnerabilities previously unknown to the white and grey hat security industry.

Static attack signatures, such as anti-virus/malware and intrusion detection/prevention signatures, are always a day late and a dollar short. They typically rely on the white hat discovery of an attack which exploits a known vulnerability. In the anti-virus world, that discovery leads to the processes of disassembly and reverse-engineering in an effort to determine what the code is attempting to do and how it is attempting to accomplish its goal, including such stealth tactics as polymorphic code and encryption. I started my career disassembling virus code in the early 90s, and while the tactics have significantly improved, they have not actually changed very much. And the delta between the discovery of a new piece of malware and the global introduction of a signature or set of signatures that will detect said new malware typically averages in the timeframe of "weeks." That delta inherently leaves a very large, open door for malware to continue to infect vulnerable systems. And the business model behind AV and IDS/IPS subscription recurring revenue has, not surprisingly, trumped actual security and applications that can actually prevent both the known unknown as well as the unknown unknown attacks. Case in point: while some of the Entercept technology still exists in McAfee's HIPS offering, they clearly are not trumpeting its potential to prevent zero-day attacks as much as they rely on the continuing revenue generation that floats their stock value. In other words, ACTUAL security is not profitable, and until revenue from piss poor AV signature subscriptions dries up they will continue to sell those subscriptions. Thank you Dell, etc.

Fine, what about Cisco and CSA? Cisco effectively torpedoed one of the most effective host based security solutions available, although that security came at a high price with its well known installation overhead and administrative costs (especially when implemented by clients themselves and/or non-specialized CSA vendors gunning for a sale). CSA is essentially a rootkit on par with some of the best malicious Windows and Unix rootkits known to man. A shim sitting just above the kernel, it has the ability to see all ingress and egress kernel communication, which, on any and all computers, is virtually EVERYTHING. An unknown application attempting to modify the Windows registry? Denied. An untrusted application recently downloaded and residing in a browser cache attempting to capture keystrokes and communicate as a client to a remote IP address? Denied. From a policy perspective, a user in marketing attempting to copy a file containing a social security or credit card number to removable media? Denied. A member of HR or the CFO? Allowed, provided the user supplies a justification. A watermarked document containing Intellectual Property attempting to be transferred via Instant Messaging? Denied. Regardless of the scenario, they are all logged and auditable, and able to be pushed to a centralized Security Information and Event Management (SIEM) solution, such as Cisco's MARS (next on Cisco's ax list), RSA's enVision or the highly flexible and agile Splunk.
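To make the contrast between the two models concrete, here is a toy policy engine that mirrors the behavior-based decisions described above (untrusted application capturing keystrokes, marketing vs. HR copying PII to removable media, watermarked IP over IM) and puts a static signature check beside it. This is an added illustration, not Cisco, Okena or Entercept code; the action names, roles, rule identifiers and the single "known bad" hash are all constructed for the example. The point it demonstrates is the one made in the last two paragraphs: the signature check can only deny a binary it has already seen, while the behavioral rules deny the same never-before-seen binary on what it does, and every decision is emitted as a structured record a SIEM could ingest.

```python
"""Toy behavior-based host policy engine (constructed example, not CSA code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hashlib
import json

# Constructed signature database with exactly one known-bad sample. A pure
# signature check can only ever flag a binary whose hash is already in here.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed: known malware sample").hexdigest()}

# Behaviors that an untrusted (unknown, unsigned) process is never allowed to perform.
SENSITIVE_ACTIONS = {"capture_keystrokes", "write_foreign_memory", "modify_registry"}
# Roles permitted to export PII to removable media, and only with a justification.
ROLES_ALLOWED_PII_EXPORT = {"hr", "cfo"}


@dataclass
class Event:
    """One intercepted call, shaped the way a kernel shim would present it (constructed)."""
    app_path: str
    app_bytes: bytes                      # binary contents, used only by the signature check
    trusted: bool                         # e.g. signed or deployed by an administrator
    action: str                           # what the process is attempting to do
    user_role: str = "user"
    justification: Optional[str] = None
    detail: Dict[str, str] = field(default_factory=dict)


AUDIT_LOG: List[str] = []                 # JSON lines, one per decision


def signature_verdict(ev: Event) -> str:
    """Static-signature model: knows nothing about what the process is doing."""
    digest = hashlib.sha256(ev.app_bytes).hexdigest()
    return "deny" if digest in KNOWN_BAD_HASHES else "allow"


def behaviour_verdict(ev: Event) -> Tuple[str, str]:
    """Behavior-based model: rules key on action, trust level and role, never on the binary.

    Returns (verdict, rule_id) and appends an audit record for every decision,
    allowed or denied, so the outcome is visible to a central log collector.
    """
    if ev.action in SENSITIVE_ACTIONS and not ev.trusted:
        verdict = ("deny", "untrusted-app-sensitive-action")
    elif ev.action == "copy_pii_to_removable_media":
        if ev.user_role not in ROLES_ALLOWED_PII_EXPORT:
            verdict = ("deny", "pii-export-role")
        elif not ev.justification:
            verdict = ("deny", "pii-export-justification-required")
        else:
            verdict = ("allow", "pii-export-justified")
    elif (ev.action == "transfer_document"
          and ev.detail.get("watermark") == "ip"
          and ev.detail.get("channel") == "im"):
        verdict = ("deny", "ip-document-over-im")
    else:
        verdict = ("allow", "default")

    AUDIT_LOG.append(json.dumps({
        "app": ev.app_path, "trusted": ev.trusted, "action": ev.action,
        "role": ev.user_role, "justification": ev.justification,
        "verdict": verdict[0], "rule": verdict[1],
    }, sort_keys=True))
    return verdict


def audit_records() -> List[dict]:
    """Parsed copy of the audit log, in decision order."""
    return [json.loads(line) for line in AUDIT_LOG]


if __name__ == "__main__":
    # Constructed events: a freshly downloaded, never-seen binary in a browser cache.
    unknown = Event("C:/Users/a/AppData/Local/Temp/cache/upd.exe",
                    b"constructed: never seen before", trusted=False,
                    action="capture_keystrokes")
    print("signature:", signature_verdict(unknown))     # allow: no signature exists yet
    print("behaviour:", behaviour_verdict(unknown))     # deny on the behavior itself
    print("marketing PII export:", behaviour_verdict(Event(
        "C:/Windows/explorer.exe", b"", True, "copy_pii_to_removable_media",
        user_role="marketing")))
    print("HR PII export with justification:", behaviour_verdict(Event(
        "C:/Windows/explorer.exe", b"", True, "copy_pii_to_removable_media",
        user_role="hr", justification="quarterly audit package")))
    for rec in AUDIT_LOG:
        print(rec)
```

The ordering of the rules matters: the untrusted-process rule sits first so that an unknown binary is stopped on the dangerous action regardless of which user launched it, while the role and justification checks only apply to trusted tooling. That is the same shape as the policy examples in the paragraph above, and none of it needs a signature update to catch the next sample.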

Cisco is a hardware company that historically buys software when it envisions and defines a logical business model around it. They certainly were not following the AV vendor business model with CSA. Hell, in an effort to get CSA labelled as an "anti-virus" application so organizations could place that audit check mark next to the "anti-virus" requirement, they integrated the open source ClamAV into CSA. This feature addition thereby mitigated the one major shortcoming of the product: it could clearly prevent malware from doing its evil duties (thereby essentially eliminating the NEED for AV from a security perspective), but it couldn't quarantine and remove potentially infected files. So by the release of CSA 6.x Cisco was touting a statistic that has resonated with every PCI-DSS Qualified Security Assessor (QSA) I have personally dealt with: CSA "satisfied" 9 out of the 12 PCI-DSS compliance requirements. Now, from a 30,000 foot view, it sure did. From an infosec professional's perspective, no it didn't (details, details). But compliance is not security. I have personally seen many a QSA interview a client of mine and, once shown that my client's PCI assets were not only properly segmented from the rest of their non-PCI assets but also running CSA, essentially tell my client that they were doing a great job and that CSA was the primary reason they were getting such high marks. Clearly a misdirected slap on the back of a fantastic HIPS solution in an effort to show high compliance scores. CSA deserved better as an actual security (vs. compliance) solution.

This post is getting longer than anticipated (i.e. a glass of wine and a large fire in the fireplace is in my immediate future) so I am going to break this up into multiple posts. Summary so far: CSA (now officially dead) and other behavior-based HIPS solutions perform spectacularly well against known and unknown attack vectors when implemented properly, despite static-signature vendors' reluctance to present said technology as a primary security solution (due to revenue business models) and compliance auditor overzealousness. But Cisco doesn't fall into either of those categories. So why did Cisco kill CSA? And how did that decision effectively summarize the death of HIPS in general? What are our current alternatives? Which direction is Cisco heading in their vision for security? How realistic is that vision, and how does it hold up against the rest of the industry's vision for security?