Caveat Emptor: Beware Promises of Silver Bullets & Other Silicon Snake Oil

Home/Leadership Corner/Caveat Emptor: Beware Promises of Silver Bullets & Other Silicon Snake Oil
Blackhat-2013-Blog

Blackhat 2013

With BlackHat 2013 now upon us, the security vendor hype with FUD marketing will hit deafening levels. In the run up to BlackHat we recently saw one vendor in the virtual container space (name withheld to protect the guilty) launch a publicity gimmick that attacked other security solution providers in the same space, including a product being deployed on a very large scale with Invincea technology embedded within. We always knew once we gained significant market share in the endpoint space we would experience attacks, though we thought it would come from adversaries attempting to break into customer networks, not from a company trying to grab a foothold in market. Regardless, we view this as a good opportunity to have an open discussion about what works in designing a product for the endpoint that addresses the needs of users and buyers.

First, let’s examine the tactic taken by the vendor trying to compete in this space. The tactic is actually a fairly old one that is now long in the tooth in the security space: try to sell fear, uncertainty and doubt about whether competitive solutions can stop all attacks, while pretending your own product can. This vendor is relatively new to the security space and doesn’t quite understand that this tactic and these claims are old hat, transparent and widely disparaged by security buyers, analysts, and the security community at large.

Every security professional worth his or her salt understands that every security product has a residual  surface of attacks that aren’t covered– it’s why defense-in-depth ranging from network solutions to end point to big data analysis strategies are core to today’s enterprise security architects. Given that this vendor has publicly lambasted the defense-in-depth approach and claims to be the end-all, be-all in security, it should come as no surprise that they claim to stop 100% of all malware attacks guaranteed (yes they actually make that claim in press releases). Their approach shows newcomer naiveté about the threat, this space, and frankly their product. Furthermore it belies an arrogance that the security community is gullible to these tactics and will fall for silver bullet promises and other silicon snake oil claims.

The reality is all endpoint security products have at least three surfaces to attack: (1) vectors that work around the particular security control, (2) residual attack surfaces that are not detected or blocked by the security control, and (3) exploitable vulnerabilities in the implementation itself. As a security product vendor on the end point, if you don’t realize this, you don’t understand security. Given this, the important questions when it comes to assessing the strength of a particular endpoint security product are: what are the residual attack surfaces and what is the risk of them being exploited by the actual threats you face on the actual systems you have? We all know — well maybe this vendor doesn’t — that there is no such thing as 100% security. When evaluating a security solution for its strength of security, it is important to know what the residual attack surfaces are and to evaluate the technology against the risk of its attack surfaces being exploited given the threat, the product, and the system it runs on. In fact the market does this when it evaluates security solutions and it is one reason why Invincea technology is award winning in security (see end for more information).

The Real Discussion: Security and Usability

A good question to ask is what makes for a good security product that solves real business and security problems? Is it 100% security as they claim? I don’t think it is. The old security adage is the most secure computer is the one you never turn on (and one with no network interface, buried under 6 feet of concrete), which is not a very useful machine. In the case of a vendor’s security solution that you can never actually deploy, it might actually be 100% secure if it never runs on real networks. If a security solution can’t overcome real business, performance, and user productivity issues, is it really a solution?

In fact, what buyers and users are looking for in an endpoint security product is one that doesn’t hinder productivity, providing freedom of movement, while stopping the real attacks they actually face – in other words, usable security. In the video here, we present a montage of real user activities – going to YouTube, watching NetFlix, opening Office productivity suites, Adobe Reader, and being tricked into running a malicious executable. These activities are indeed normal, risky, and sometimes downright dangerous. However, the video shows we can run these concurrently within Invincea’s secure virtual container allowing the user complete Internet freedom without degrading performance and still protecting the machine from compromise. We highlight the applications running in Invincea’s secure virtual container with a green border for visual reference. We believe that whatever security solution you deploy it must be usable – meaning users will embrace the freedom that Invincea provides them to get back the Internet that is often taken away, without detracting from the performance of their apps and online experience.

Here’s the beauty – check out the curve of memory usage in the performance monitor while running these applications concurrently in Invincea’s virtual container on a commodity laptop – no special chipset required. Note there is no severe spike in performance hit due to running Invincea’s solution when you open new applications, tabs, and streaming content. You will have natural variations in CPU, Disk, and network utilization due to the application and content being run, however, memory utilization is the key performance benchmark for user experience with virtual containerization approaches. Virtual container approaches that consume all available memory as users run apps make for a terrible user experience – one they will revolt against. The fact is as users open more apps and more content, there isn’t degradation in the user experience with Invincea. It is as you expect it should be and what your users expect.  Oh and by the way, it protects against user-initiated accidental infections as shown in the video as well as zero-day exploits. Check out our KIA series on actual exploits in the wild we neuter and have broken headlines on such as the Department of Labor watering hole attack exploiting an IE8 0-day exploit, the Drudge report malicious link, and SpeedTest.net malvertising.

Users want productivity, freedom, and security from threats they face – not claims of 100% security at the cost of productivity, performance, and inability to run their apps. When you evaluate a security vendor’s products and claims, try these applications, content types, sites, and tests we show above with their product, other vendor’s products, and Invincea. Or construct your own tests to monitor performance, usability, and security. Your users will thank you. What they really want is a product that won’t get in the way of their work while stopping the threats they actually face. That’s the reason why Invincea is winning in market – we give your users back the Internet while stopping advanced threats and getting out of the user’s way — productivity, security, and freedom without compromise.

Evaluating a Virtual Container Solution

To cut through all the marketing FUD, below are important questions you should ask of every vendor in the virtual container space: (even those who claim they aren’t in it but actually are – ask Gartner):

  1. How much memory does it consume? How does the performance scale with the number of applications, browser tabs, and windows you open?
  2. Does the solution run on the computers you have now or just ones you may have in the future? Does it run on older machines or just the latest ones?
  3. Does it stop security threats your enterprise is actually experiencing?
  4. Does it co-exist with other security solutions?
  5. Does it interfere with enterprise software apps like Single Sign On, VPN clients, DLP, Oracle, ADP, SAP?
  6. Does it require special Microsoft Office enterprise licensing and keying? How much more will this cost?
  7. Does it support the browsers your users actually use in your enterprise?
  8. Does it integrate with the rest of your security stack in the SOC?
  9. Does it run natively in your Virtual Desktop Image?
  10. Is it chip agnostic or require special hardware? Does it require certain BIOS settings?
  11. Will it conflict with other software using Intel VT Pro extensions including your anti-virus solution?
  12. Does it install easily and quickly, does it update easily? How complex is policy management — per application, per web page, per task?
  13. Does it disrupt normal user workflow in productivity suites?
  14. Does it run on 32-bit and 64-bit architectures? Windows XP, Vista, and Windows7? Does it run on less than 4GB of memory?
  15. Does the company leadership have credible security credentials, security industry awards, and synergistic partnerships in the security industry?
  16. What is the size of the deployed footprint in market, how many machines, how many customers are running the solution?

When considering the latest Silicon snake oil being peddled to you, think about these questions that matter as far as making the case for being enterprise and threat ready. Consider the performance implications of the product on the rest of your apps and your users. Then give your users back the Internet they want providing them productivity, security, and freedom without compromise.

For more information:

See how Invincea Enterprise actually kills what turned out to be a 0-day exploit (and now CVE-2013-1347) we reported in early May 2013 as a watering hole attack utilizing the US Dept of Labor web site here: http://www.invincea.com/2013/05/part-2-us-dept-labor-watering-hole-pushing-poison-ivy-via-ie8-zero-day/

Read the white paper on deriving adversarial attribution from Invincea forensics: http://www.invincea.com/white-paper/

Try Invincea out for yourself. You can run Invincea on the machines you have, no special hardware required: http://www.invincea.com/request-a-demo/

Anup Ghosh, Ph.D., is Founder and CEO at Invincea. Prior to founding Invincea, he was a Program Manager at the Defense Advanced Research Projects Agency (DARPA) where he created and managed an extensive portfolio of cyber security programs. He has previously held roles as Chief Scientist in the Center for Secure Information Systems at George Mason University and as Vice President of Research at Cigital, Inc. Anup has published more than 40 peer-reviewed articles in cyber security publications. He is a recipient of medals for distinguished service from the Office of the Secretary of Defense and the IEEE. He is a frequent on-air contributor to CNN, CNBC, NPR, Fox Business, and Bloomberg TV. A number of major media outlets carry his commentaries on cyber security issues including the Wall Street Journal, New York Times, Forbes, Associated Press, FoxNews and USA Today. He is currently a member of the Naval Studies Board and the Air Force Scientific Advisory Board, informing the future of American cyber-defenses.

About Invincea, Inc.

Invincea is the market leader in the development of secure virtual containers for advanced malware threat detection, zero-day exploit prevention, and pre-breach forensic intelligence. Invincea was named Most Innovative Company by RSA Conference 2011, Government Security News’s Best Anti-Malware Solution 2012, and Government Technology Research Alliance’s Best Security Solution 2013. Dell announced a strategic OEM relationship with Invincea in June 2013 that pre-loads Invincea technology on over 20M Dell devices per year. Invincea is the largest deployed advanced threat protection solution in market that provides enterprise networks with coverage against the major attack surfaces for cyber-breach attacks aimed at end-users in the form of spear-phishing, watering hole attacks, drive-by download exploits, poisoned search results, scareware/crimeware, social networking worms and user-initiated infections.

The company’s solutions include an endpoint security software suite and threat intelligence appliance. The solutions offer a unique ability to protect networks against all types of threats directed at end-users, including zero-days, by seamlessly rendering untrusted content from Internet Explorer, Firefox, Chrome, Outlook, Java, Microsoft Word, PowerPoint, Excel, and Adobe Reader into secure virtual containers that automatically detect and terminate threats in real time. The company is venture capital-backed and based in Fairfax, VA. For more information, visit www.invincea.com. Trademarks of named products above belong to their respective owners.

Leave a Comment