Joanna Rutkowska at Black Hat Federal 2006 when she spoke about rootkits. Today I saw she was interviewed by Dark Reading and said the following:
Still, she worries that security technology and research is too prevention-oriented and doesn't emphasize detection enough. "The whole industry is focusing on prevention, and we have all those anti-exploitation technologies, which are very helpful indeed. But I'm so surprised that no one cares about detection," she says. "Every time there's prevention, there is some bypass method" created.
Without detection, there's no way to know if an attacker has grabbed administrative access to a machine, she says. And if you can't see that an attacker has infiltrated the system, nothing in that system will be "reliable" anymore. "The scary part is that once an attacker [gets] into the system, we can't reliably read system memory, neither using software-based, nor hardware-based, methods. That means we can't answer the question of whether the system is clean or not," she says. (emphasis added)
Wow. I am so pleased to read someone of Johanna's caliber stressing the need for detection. I have been working on slides for ShmooCon and I plan to talk about this very subject, and you probably know I've been saying for years that prevention eventually fails. Her comment about reliability of evidence relates to my TaoSecurity Pyramid of Trust, where I mentioned Johanna with respect to her techniques to defeat memory capture.