Working for a security product company, Patch Tuesday is supposed to be something that we look forward to – at least according to the Marketing and PR teams and Tech Media writ large. Patch Tuesday is not just the day that IT managers find out what they are supposed to patch in their infrastructure. No, it’s much more than that. Patch Tuesday is the day that security companies and security gurus line up to present their commentary and brilliant insight on the meaning of the plethora of vulnerabilities Microsoft and other software vendors will announce. It is the day we get to talk to the dozens of reporters writing the myriad and sundry articles highlighting the latest gaps in software security.
Security gurus will speak to the implications of the latest wave of potentially fatal flaws left in the millions of lines of code for the world’s most ubiquitously deployed software. For network managers, meanwhile, it becomes a race to close the window of exposure in their networks before cyber foes exploit these holes.
For Invincea, Patch Tuesday takes on a different meaning. To us, Patch Tuesday and all the hullabaloo that surrounds it is symptomatic of the penetrate-and-patch broken security model that has been in place for over 15 years. It’s also an opportunity for us to get the word out on why we created this company, point out how we can negate the impact of these flaws by preventing malware writers from exploiting them, and pound the desk as to why this whole penetrate-and-patch model is broken. In other words, we believe that every Patch Tuesday should be the clarion call to IT Managers, CISOs, CIOs, and CFOs that it is time to fix the problem through better security architectures rather than servicing the problem as so many have come to do.
We don’t fault the reporters that report the news, as the word has to get out and these critical patches have to be applied. We don’t fault the security practitioners that have no choice but to include patching in their normal workflows. And perhaps surprisingly, we don’t even fault the software vendors themselves that are patching their flawed software. To err is human. However, the reality is that any model of security that counts on the correctness of the millions of lines of code that form the attack surface of Internet-connected software is a fundamentally flawed model and untenable for security.
A Fragile System and Broken Model of Security
As you review the vulnerabilities disclosed on Patch Tuesday, and as the expert commentary is reported, you’ll realize that these flaws were already present on your system for quite a while and quite possibly, if not certainly, exploited. While you’ll patch these flaws today (or as soon as IT can determine they can patch them without breaking network and desktop software and services), you’ll realize that there are many as-yet-unannounced flaws in the same software, either yet to be discovered, or discovered but not yet disclosed. Finally, you’ll realize that all the advantages go to the cyber adversaries. They need to find only a single flaw in the millions of lines of code, or get a single user among the thousands of employees in your organization to make an incorrect security decision, in order to run exploits that take 20 lines of code or less to own your machine. We know that building perfect software and perfect users is unattainable. So the question is – why do we persist with this model of security? We should expect better from the security and computer industries. And we should provide better for our nation’s commercial and government enterprises and critical infrastructures that continue to perpetuate the wash-rinse-repeat model of security.
The Security Insanity Cycle
You see, what Patch Tuesday represents is evidence that we are hopelessly chasing our tails… that in place of strategic thinking we are consumed by tactical firefighting… and the security industry perpetuates this by continuing to service the problem rather than engineer solutions to it. We are in fact caught in a self-perpetuating Security Insanity Cycle – where we keep repeating the same processes – patch/update, detect, remediate – with the same results, but somehow expecting a different outcome. The security industry today has largely accepted that the standard in network defense is a wash-rinse-repeat cycle in a never-ending game of whack-a-mole, where all industry interests are aligned in perpetuating the cycle and servicing the problem rather than breaking it.
We should not be fine with being told on Tuesday that we were screwed on Monday, with everyone accepting that as a norm. We should not accept the contention that there is no such thing as secure – that prevention is a failed strategy – that the best we can hope for is to detect our adversaries once they are in our networks. We should not cede our networks to our adversaries “as long as they can’t exfiltrate the data.” We are capable of better, but we’ve lost our way – we’ve fallen down the rabbit hole and seem to be fine with not knowing where the bottle is that makes us big again. Call us shameless purists, but we were trained as engineers to solve problems, not service them. We got into the security business to make a difference, and we created Invincea to try and change the game fundamentally – to change the playing field so traditional attacks no longer work and to break the security insanity cycle.
Changing the Game
This blog post isn’t meant to be an indictment of the entire security industry – there are several examples of innovative technology beginning to emerge – but it is meant to be a wake-up call both to the industry and to the buyers of its products. It’s time to signal to the security industry that you won’t stand for the wash-rinse-repeat security model anymore, and to vote with your wallets. Instead of perpetuating the security insanity cycle, it’s time to start deploying secure network, operating system and application architectures.
We don’t pretend to have all of the solutions, and by no means are we suggesting that we are the only solution to the problem. But we do suggest that it’s time to re-think patching/updating, detection, and remediation as a security strategy. Fire protection engineers don’t just put in smoke alarms and fire extinguishers – they engineer buildings with real firewalls and flame-retardant materials. It’s time to renew our focus on preventing exploits in the first place by engineering secure architectures. A dollar spent on prevention is worth $10,000 spent on remediation. Contrary to popular opinion, preventing security exploits is not a dead art or science. Focusing resources on designing systems to be resilient to exploits is an important step toward breaking the insanity cycle.
Our adversaries have been innovating while we have lost ground in security for the last 10 years, all the while creating tremendous economic value for the security industry and high incomes for security professionals. It is time to innovate in security again, to change the game and return the advantage to the defender rather than the attacker.