Threat Level: green Handler on Duty: Russ McRee

SANS ISC: Principle of Most Privilege and the Snort/ClamAV Purchase - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Principle of Most Privilege and the Snort/ClamAV Purchase

The purchase of ClamAV by Snort will likely be a boost for both Snort and ClamAV.  In the next few weeks I was planning on rolling out a network-based virus-scanner here in the hopes of catching recalcitrant users machines that aren't keeping up on antivirus updates.  The purchase will hopefully lead to some better integration.  That said, it also exposes the signature-based security methodology as one that is ultimately destined for failure. IDS/IPS and signature based AV isn't dead, but it is paraplegic. And for the record, Snort isn't the worst out there, I use it because its one of the best as far as IDS goes.

There have been a few studies showing the performance issues of IDS/IPS which limit their applicability to security in real-time.  The problem stems from the stance pervasive in information security that I call the "principle of most privilege".  Namely, unless something is known to be hostile it is presumed safe.  The problem is that the number of packets, executables or emails that are safe is finite and small.  The number of hostile packets, executables or emails is infinite and our signature system is only limited by the fact that exploits only get discovered so fast.

In order for IDS/IPS systems to keep up with an every increasing network, the signature base needs to remain low.  To be fair, this also applies for virus-scanning on the desktop.  The big difference is that most PCs tend to not be fully-utilized so a 10-20% performance hit only really bugs the power users (you know the type… they are the ones that turn off their anti-virus applications because it slows them down and then complain to you when their credit report shows up on the internet… they, of course, blame you).  However, a network can't take such a performance hit.  In an era of online social networking, which is basically technology's version of a flash mob, network performance hits become less than acceptable. 

The solution is to either slow down the IDS/IPS or slow down the network and neither are good solutions.  Adding virus-scanning to an NIDS might sound like a good idea, but do you think it could keep up with a 10G network?  Me neither.  If they were into it, they could produce some good network statistics and that would be really useful.

As long as the security industry continues to operate under "most privilege", there is no way IDS/IPS solutions will keep up.  Not if they want to maintain real-time alerting.  They'll still have uses for forensics and after-the-fact incident handling, but they'll be dropping off as a front-line defense because the technology is unsustainable under the current paradigm.  For that matter, the time is coming for anti-virus software companies too, but because the performance hit is less of an issue on the desktop, they'll have more time.

It's far past the time to move to a system where packets (for an IDS/IPS) and binaries are disallowed until otherwise allowed.  That would be proactive security.

We have a new poll question up "Will IDS/IPS devices remain relevant?".  Let us know your thoughts.

--
John Bambenek / bambenek {at} gmail {dot} com
University of Illinois at Urbana-Champaign

John

239 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!