Monday, November 1, 2010

The long tail of security postulation

So, I attended David Kennedy (Rel1k)'s and SA Ryan MacFarlane's co-presentation entitled The Long Tail of Security at the 8th annual Information Security Summit in Cleveland, OH the other week and was pleasantly blown away by it. I had never met Ryan prior to this, but I once tried to hire David after he got out of the service (not successfully) in the early 2000s. He has since gone on to surpass most front-line security professionals I know, even in passing. Regardless, their collective presentation was incredibly eye-opening and even gave one the opportunity for a full-on <facepalm> moment at not having connected the dots yourself that these two were laying out so very succinctly.

The 30,000 ft view is this: in 2006 Wired editor Chris Anderson put out a book called The Long Tail, in which he outlines the idea that a full-on sales and marketing paradigm shift is occurring, in which those who are able to sell "less of more" will outshine traditional sales and marketing ideologies that focus on what is current and hot. Where WalMart does not carry our household favorite Bad Brains records, Amazon surely does. And the sheer volume of niche products like Bad Brains records, Harlan Ellison novels and Three Wolves/One Moon T-shirts that Amazon does carry, no matter how small the market for each, is what enables Amazon to sell "less of more."

Follow the link to David's site; it fully illustrates the relation of that concept to information security and specifically malware. WalMart is your popular anti-virus application that concentrates on the hot and new while completely neglecting anything niche, unpopular or previously unknown (e.g. Stuxnet). However, where Amazon fills the role of ample supplier of niche and unpopular items, there is no equivalent security product or solution on the market today that can successfully protect against that "long tail" of niche security attacks. One of David and Ryan's conclusions was that, as an organization that may require third-party penetration testing, how can you be sure that your selected pen-testing organization is actually testing for the "long tail" vulnerabilities and exploits? Not surprisingly, there is not really a fool-proof way to determine that, and no semblance of an answer was therefore given. Just try to do your due diligence when selecting your pen-testers.

About halfway through their presentation, as they were scaring the living pants off most of those in attendance (David, if you are not aware, is also the author of the Social Engineering Toolkit, and was more than happy to perform live demonstrations of attacks that yielded command-prompt-level access and/or keystroke capture and would have rendered all anti-virus applications completely useless), an attendee asked him point blank <paraphrasing> Well, what CAN we do? Isn't there something on the market that can protect our networks from such niche attacks? </paraphrasing> David quickly responded that, no, there is nothing on the market currently that can prevent such low-level, niche attack vectors. There was much whispered discussion all around me at that point, at which David chuckled and said that there was one product that could have prevented the majority of such attacks, but that it was no longer being sold. Said product was the Cisco Security Agent. Being an avid fan and rabid supporter of said product, I chuckled back and soon raised my hand. I asked David, since you brought it up, how did CSA fare against your low-level, niche attacks, to which he basically replied that they would not have worked.

For those unfamiliar with CSA, it is essentially a rootkit: a rootkit that intercepts every system, network, registry, and other call to the kernel and performs both policy and behavior assessments on the data going to the kernel to determine whether that call should be allowed. This will serve as a great segue to what will probably be my next post, but it is my opinion that Cisco killed an amazing security product and control due to poor revenue and the idea that all computing will eventually reside in the cloud, so why worry about host-based controls? Only, when will that reality actually play itself out?
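To make the "policy plus behavior assessment on every call" idea concrete, here is an added toy model of a host-based agent of the kind described above. It is example code written for this post, not Cisco's CSA implementation or any real kernel hook: the agent receives a stream of constructed file, network and registry events, applies a static policy rule first (only trusted installers may write autorun keys) and then a behavioral rule that looks at what the same process did earlier (a process that opened a network connection, wrote a file, and then tries to execute that same file is blocked). The process names, paths and registry key are constructed sample values; the point is that the second rule needs no signature for the file being executed.

```python
from dataclasses import dataclass, field

# One intercepted request on its way to the "kernel" (constructed model).
@dataclass
class Event:
    pid: int
    image: str      # executable path of the calling process
    kind: str       # "file_write", "file_exec", "net_connect", "reg_write"
    target: str     # file path, host:port, or registry key


@dataclass
class HostAgent:
    """Toy host-based agent: every event passes through decide() and gets
    an allow/deny verdict from a static policy check followed by a
    per-process behavioral check. Hypothetical design for illustration."""
    trusted_updaters: frozenset                       # images allowed to add autorun entries
    history: dict = field(default_factory=dict)       # pid -> list of earlier events
    log: list = field(default_factory=list)           # (pid, kind, target, verdict, reason)

    def decide(self, ev: Event) -> str:
        self.history.setdefault(ev.pid, []).append(ev)
        verdict, reason = self._policy(ev)
        if verdict == "allow":
            verdict, reason = self._behavior(ev)
        self.log.append((ev.pid, ev.kind, ev.target, verdict, reason))
        return verdict

    def _policy(self, ev: Event):
        # Static policy: only explicitly trusted installers may write an
        # autorun (...\Run) registry value, whatever the data being written.
        if ev.kind == "reg_write" and "\\Run" in ev.target \
                and ev.image not in self.trusted_updaters:
            return "deny", "policy: untrusted process writing autorun key"
        return "allow", "policy: ok"

    def _behavior(self, ev: Event):
        # Behavioral check: a process that has both talked to the network and
        # written the file it is now trying to execute is blocked. This fires on
        # a previously unknown payload because it keys on the process's own
        # sequence of actions, not on the file's contents.
        past = self.history[ev.pid]
        if ev.kind == "file_exec":
            wrote_it = any(p.kind == "file_write" and p.target == ev.target for p in past)
            connected = any(p.kind == "net_connect" for p in past)
            if wrote_it and connected:
                return "deny", "behavior: executing a file this process downloaded"
        return "allow", "behavior: ok"


def run_sample() -> list:
    """Feed a constructed event stream through the agent; returns the verdicts."""
    agent = HostAgent(trusted_updaters=frozenset({r"C:\Installers\setup.exe"}))
    tmp_exe = r"C:\Users\alice\AppData\Local\Temp\upd.exe"
    run_key = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"
    events = [
        Event(100, r"C:\Program Files\Office\winword.exe", "net_connect", "203.0.113.5:80"),
        Event(100, r"C:\Program Files\Office\winword.exe", "file_write", tmp_exe),
        Event(100, r"C:\Program Files\Office\winword.exe", "file_exec", tmp_exe),   # denied by behavior
        Event(200, r"C:\Installers\setup.exe", "reg_write", run_key),              # trusted: allowed
        Event(300, r"C:\Windows\System32\notepad.exe", "reg_write", run_key),      # denied by policy
        Event(400, r"C:\Windows\explorer.exe", "file_exec", r"C:\Program Files\Tool\tool.exe"),
    ]
    verdicts = [agent.decide(ev) for ev in events]
    for entry in agent.log:
        print(entry)
    return verdicts


if __name__ == "__main__":
    run_sample()
```

The two denials come from different mechanisms: the registry write is refused by a fixed policy that does not care what the process is, only whether it is on the trusted list, while the execute call is refused purely on the process's prior behavior. That second kind of check is what lets a host-based control stop a "long tail" payload that no signature has ever seen.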

Regardless of that possibly unnecessary CSA tangent, Kennedy and MacFarlane's analogy appears on the surface to have some serious teeth and makes a lot of sense. So when can we expect information security's version of Amazon?