CIO

Security industry faces attacks it cannot stop

Tests find that most AV is still not blocking Aurora exploit

At the RSA Conference in San Francisco last week, security vendors pitched their next-generation of security products, promising to protect customers from security threats in the cloud and on mobile devices. But what went largely unsaid was that the industry has failed to protect paying customers from some of today's most pernicious threats.

The big news at the show had to do with the takedown of the Mariposa botnet -- a massive network of hacked computers that has infected half of the Fortune 100 companies. So-called advanced persistent threat (APT) attacks, such as the one that compromised Google systems in early December, were another hot topic.

Both Mariposa and the Google attacks illustrate the same thing, however. Despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.

That's because for these advanced attacks to work, the bad guys need to find only one vulnerability in order to sneak their malicious software onto the target network. Once they get a foothold, they can break into other computers, steal data, and then move it offshore. The good guys have to be perfect -- or at least very quick about spotting intrusions -- to keep APT threats at bay.

Traditional security products are simply not much help against APT attacks, said Alex Stamos, a partner with Isec Partners, one of the companies investigating the APT attacks. "All of the victims we've worked with had perfectly installed antivirus," he said. "They all had intrusion detection systems and several had Web proxies scan content."

The problem is that the bad guys can buy this technology too, and test and re-test their attacks until they slip through. "Anybody can download and try every single antivirus engine against their malware before they ship it," Stamos said.

Emphasizing this point, antivirus testing company NSS Labs created a variation on the known Internet Explorer 6 attack, used in the Google incident, and tested it against seven popular antivirus products (PDF). NSS also tested the original attack code against the same antivirus products. The tests, conducted two weeks after the bug was made public, found that only McAfee's antivirus product stopped the new variant of the attack.

One company, AVG, didn't even stop the original attack, according to NSS. Eset, Kaspersky, Symantec, Sophos, AVG and Trend Micro all failed to block a variant of the Aurora exploit.

But AVG said in response that its products detect the Aurora attack. A spokesman said the results were due to flaws in NSS's testing methodology. However, the company does not dispute the claim that its product failed to detect variants of Aurora.

That's because it hasn't been able to verify the NSS tests, an AVG spokeswoman said Thursday. "We don't know what variant they created because they won't show us any of their data," she said.

Antivirus companies could "definitely be doing a better job," said NSS President Rick Moy. "They should be implementing more vulnerability-based detection. There's a little too much focus on the malware payload."
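As an added illustration of Moy's point (this code is not from the article, NSS, or any vendor), the toy below compares the two detection styles: a detector keyed on the payload's hash only catches the exact sample it was built from, while a detector keyed on the condition that triggers the bug also catches a re-encoded variant. The TOY1 format, its 32-byte buffer limit and all three sample blobs are constructed for this example.

```python
import hashlib

# Constructed toy format (not a real file format): 4-byte magic "TOY1",
# one length byte, then that many bytes of data. The hypothetical parser
# copies the data into a fixed 32-byte buffer, so a length over 32 is the
# condition every exploit of this bug must create, whatever bytes follow.
MAGIC = b"TOY1"
SAFE_BUFFER = 32


def parse_toy(blob):
    """Split a blob into (declared length, data); reject malformed input."""
    if len(blob) < 5 or blob[:4] != MAGIC:
        raise ValueError("not a TOY1 blob")
    length = blob[4]
    return length, blob[5:5 + length]


def payload_signature_match(blob, known_hashes):
    """Payload-focused detection: flags only payloads seen before."""
    _, data = parse_toy(blob)
    return hashlib.sha256(data).hexdigest() in known_hashes


def vulnerability_trigger_match(blob):
    """Vulnerability-focused detection: flags the condition that trips the bug."""
    length, _ = parse_toy(blob)
    return length > SAFE_BUFFER


def build(data):
    """Assemble a TOY1 blob around the given data (constructed helper)."""
    return MAGIC + bytes([len(data)]) + data


# Constructed samples: the original over-long record, a variant that keeps
# the same trigger but changes the trailing bytes, and a benign record.
ORIGINAL = build(b"\x90" * 40 + b"ORIG")
VARIANT = build(b"\x90" * 40 + b"VAR2")
BENIGN = build(b"hello world")

# The signature set is derived from the original sample only, mirroring an
# AV update written after the first public exploit.
KNOWN = {hashlib.sha256(parse_toy(ORIGINAL)[1]).hexdigest()}


def evaluate(samples=None):
    """Return {name: (signature_hit, trigger_hit)} for each sample."""
    samples = samples or {"original": ORIGINAL, "variant": VARIANT, "benign": BENIGN}
    return {name: (payload_signature_match(b, KNOWN), vulnerability_trigger_match(b))
            for name, b in samples.items()}


if __name__ == "__main__":
    for name, (sig, trig) in evaluate().items():
        print(f"{name:9s} signature={sig!s:5s} trigger={trig}")
```

The benign record is flagged by neither detector, which is the false-positive check a practitioner would want before trusting the trigger-based rule.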

Paul Roberts, an analyst with industry research firm the 451 Group, put it more strongly: "Enterprises are very dissatisfied with the level of protection they're getting from their end-point antimalware suites," he said. While antivirus companies are experimenting with ways to block programs based on an analysis of different factors, such as the file's behavior, its age, origin and how widely it is being used, these features are often turned off because they end up blocking legitimate programs, Roberts said.

Many security experts now agree that patches, up-to-date antivirus, plus intrusion detection systems are not enough to protect companies from the worst of today's cyberthreats.

"The security industry's going to have to think about selling solutions that actually work with this type of environment," Isec's Stamos said. "Basically nothing that people have bought over the last 16 years is going to help them stop a single guy sitting at a computer who is a Windows shellcode person targeting one person, and spending months to break into that computer." Shellcode is the initial payload program hackers use to install further programs, once they have hacked into a system.

But that message hasn't quite sunk in everywhere in the corporate world, said Paul Melson, information security manager with Priority Health, in Grand Rapids, Michigan. "A lot of companies have either turned their security teams into compliance teams or are still fighting the same fight they were fighting six or seven years ago."

The antivirus vendors argue that their products still serve a purpose, and indeed, nobody in the corporate world is turning them off.

Antivirus blocks "the vast majority" of all attacks that McAfee tracks every day, said Dave Marcus, a McAfee director of security research. Antivirus vendors are developing new systems -- white-listing products and cloud-based security offerings such as McAfee's Artemis -- to keep pace with rapidly changing threats. But ultimately, enterprises must also develop ways of responding to new threats and intrusions. "When you've got the determined attacker who can profile their victim, they have a high level of succeeding," he said.

Advanced attacks such as APT scare Jason Stead the most. Stead is the Phoenix-based manager of information security with Choice Hotels. His industry has come under targeted attacks over the past few years as hackers have broken into point-of-sale systems in many different hotels. They often succeed by discovering one vulnerability and replaying the attack on hotel after hotel. In the hotel business, one data breach at a franchisee can cause serious damage to a company's brand.

That means that the integrity of a company's brand can depend on people who simply don't have the resources to stop determined attackers. "Your franchisees are traditionally mom-and-pop shops," Stead said. "They don't have the technology experience to protect themselves."

Technology vendors want to sell a complete product, but it's really not possible to buy your way into a secure environment. That takes a bigger commitment. "It's all about user awareness and procedures," Stead said. That means teaching employees about risky online behavior, and building a security team that can get the most out of the security tools it has.

According to Priority Health's Melson, the problem extends beyond the security companies. "If you're going to hold the security industry responsible, you have to also hold the operating system and client software vendors at least as responsible," he said. "You've got platforms that still make it possible for someone to make software that's not part of the design, and not known to the end user."

"I think that at the end of the day the lesson you get from something like the Aurora incident is that you have to have incident responders," Melson said. "If you're not prepped for incident response and incident containment, if you're not using actual people to do security analysis in your environment, the advanced persistent threat is going to walk right through."