Matasano Is Right About Agents
I've been exceptionally busy teaching all week at USENIX LISA, so blogging has been pushed aside. However, I literally read the Matasano Blog first, of all the Bloglines feeds I watch. This evening I read their great post Matasano Security Recommendation #001: Avoid Agents. They really mean "Minimize Agents," as noted in their summary:
Enterprise security teams should seek to minimize their exposure to endpoint agent vulnerabilities, by:
1. Minimizing the number of machines that run agent software.
2. Minimizing the number of different agents supported in the enterprise as a whole.
I absolutely agree with these statements. One of the first signs that you are dealing with a clueless security manager is the requirement to run anti-virus on every system. I shared the pain of such a foolish idea yesterday with a student who is struggling to meet such a mandate. He must deploy anti-virus on his Unix-like servers (I forget what OS -- something not common, however), and he's not allowed to use any open source solution. He's ended up with the only vendor in the world who sells a so-called "AV" solution for his platform, and it's absolutely a waste of money.
Worse, as is the case any time you add code to a platform, you are adding vulnerabilities. Write the following on your security policy management clue-bat: Running AV is not cost-free. In other words, running AV on any system may introduce vulnerabilities that were not present before. Try perusing the results of querying Secunia or OSVDB to see lists of AV products with security problems -- some of them allowing privilege escalation and compromise.
The only problem I have with the Matasano approach is the slide I posted above. Agents or Enterprise Management Applications are never "threats." They may offer vulnerabilities which can be exploited by threats, but agents themselves are not a threat.
Copyright 2006 Richard Bejtlich
Enterprise security teams should seek to minimize their exposure to endpoint agent vulnerabilities, by:
1. Minimizing the number of machines that run agent software.
2. Minimizing the number of different agents supported in the enterprise as a whole.
I absolutely agree with these statements. One of the first signs that you are dealing with a clueless security manager is the requirement to run anti-virus on every system. I shared the pain of such a foolish idea yesterday with a student who is struggling to meet such a mandate. He must deploy anti-virus on his Unix-like servers (I forget what OS -- something not common, however), and he's not allowed to use any open source solution. He's ended up with the only vendor in the world who sells a so-called "AV" solution for his platform, and it's absolutely a waste of money.
Worse, as is the case any time you add code to a platform, you are adding vulnerabilities. Write the following on your security policy management clue-bat: Running AV is not cost-free. In other words, running AV on any system may introduce vulnerabilities that were not present before. Try perusing the results of querying Secunia or OSVDB to see lists of AV products with security problems -- some of them allowing privilege escalation and compromise.
The only problem I have with the Matasano approach is the slide I posted above. Agents or Enterprise Management Applications are never "threats." They may offer vulnerabilities which can be exploited by threats, but agents themselves are not a threat.
Copyright 2006 Richard Bejtlich
Comments
Your supposed to chuckle, not take it literally ;)
It doesn't help the situation to see threat used in that way.
I didn't post this originally, but the Matasano "Threats" section of their story is mostly about vulnerabilities, e.g., "Agent implementations are often substantially homogenous, even across operating systems, enabling uniformly effective attacks against desktops, Windows servers, and Unix servers." That's a vulnerability, not a threat.
I agree about the agent problem, but I can see where it is tough to get around this, such as the need for backup software agents (all platforms), patch management agents (windows), anti-virus (windows), and...well I guess that's all I can think of right now.
A policy mandating AV on EVERY system, without regard to peculiarities of the systems in question, is a bad idea. That is a sign of cluelessness.
Deciding to run AV on every system, after weighing the risks, is not clueless. I think we agree on that.
Many of us have to fight the FUD pretty hard in order to not waste money on AV for Unix/Linux boxes. Management is often under the impression that AV will fully mitigate the vulnerabilities that are exploited by the malware, or will protect the node from 'hackers'.
It might also be worth mentioning that the PCI Data Security Standard (1.1) for credit card transactions makes an exception for Linux/Unix systems in its AV standard.
Also, I saw the presentation given by Tom Ptacek and Dave Goldsmith from Matasano at BlackHat Vegas this year, entitled "Do Enterprise Management Agents Dream of Electric Sheep?"
http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Ptacek
Their discussion of the lack of a security development process in many commercial agents was alarming. They also pointed out that the attack surface is huge because every component in many of these agent/server architectures has a long list of vulnerabilities. I can also confirm from my experience receiving support for certain enterprise agents that the first solution to most support issues is to disable authentication and encryption.
Only two things hampered their presentation:
- having to follow Dan Kaminsky's Black Ops 2006 (not to mention his herd of fanboys);
- not being able to disclose specific information on any of the 30+ vulnerabilities that they had exploit code and advisories prepared for because of their policy of no public disclosure without a vendor fix.
http://www.matasano.com/log/mtso/ethics
They said that some of the vulnerabilities they found in enterprise management agents were disclosed to the vendor more than one year ago with little more than a grunt in response.
While I agree that Linux / Unix systems don't really need AV to protect the OS. If they are providing file sharing services to Windows systems than it is a good idea to AV scan the files in those shares. This can be done by having the Unix / Linux OS run AV and scan the local file system that is shared or have a Windows server that already has AV installed scan the shares. The latter causes more traffic on the network as every file on the share must go across the network from the Unix / Linux system to the Windows system that is performing the scan.
i intersted in your TCP/IP Weapons School course but i live outside the usa and i cann't take it can
you help me which books and labs
(materials) i can purshase to complement a big part of your course?
AV is a good example. Why does AV live outside of the company mailservers and web filter/proxies? Probably because the company allows users unrestricted access to webmail, pop, imap, etc. and does not take advantage of content filters that can be placed at ingress/egress points.
People, take control of your network and the assets that operate on them. And stop implementing technology before you develop the policies and processes needed to control them!
Bammkkkk
I believe cfengine and puppet both follow this approach, but I haven't used either.
Of course, the element of authoritarian direct control is part of the appeal of these systems. So push will probably win over pull due to its superficial appeal.
I am considering writing a book using the same ideas as those in the class. I have nothing definite yet though.
The argument at that point is "so do what you have to, ethically, to get buy-in", I suppose.
But I'm hearing so many horror stories from my colleages...upper-level management who are more willing to trust the SOX auditors from the consulting firm who forgot to "paste Nessus scan data here" in their final report than their own in-house security staff...desktop support techs doubling as the company janitor, working 12 hour days on salary, six days per week, being expected to keep up on the lastest security stuff because the enterprise is too cheap to hire the correct number of staff...the untrained attempting to secure things they don't undertand, creating more vulnerabilities on networks and individual systems...a CIO who believed you could fix a server that had been compromised and was running an IRC channel devoted to trading illegal software by scanning it with a free copy of AVG...
How do you take control of the situtation when even blocking users from being able to access, say, haXX0rt00lznstuph.com is seen as a fireable offense? How do you take control of your traffic when you're not even allowed to monitor it because you're "just the janitor who also that overpaid PC guy"? How do you get buy-in when the managers you are presenting your data to aren't seeing the potential costs due to loss of business and potential fines/jail time as listed on your PowerPoint slide but they are seeing instead "nothing seems to have gone wrong so far" because they don't WANT to envision that their resources will be compromised, if they haven't been already?
Agents are not evil in themselves, you sometimes need them, and other times they're simply the best product around to do what you want.
The problem comes with using 12 agents on every server or workstation. That's a lot of cost in resources, plus it means 12 possible openings for attackers. Yes, you do want to limit the number of agents you use.
The problem with this approach is that very, very few networks have the luxury to be built up from scratch fully. Five years ago an AV agent may have been deployed. Three years ago a backup agent. Two years ago log correlation agents. This year, people are thumping about HIDS and WAFS. These slowly pile up as the landscape changes. And while it might be nice to remove old agents and replace them with a more unified agent system, that is still a daunting dollar figure usually. It would take a matured TCO/ROI presence in an organization to make that recommendation fly.
To compound the problem with policies, many of those policies are made by managers who are rather looking at workstations and normal users. In that case, yes, every system should have AV protection in this day and age. (And yes, network-based as well, as I agree that security will move to the switch/network with the exception of mobile devices.) Many policies are written that way so that you don't have non-geek people reading, "most systems should have AV" and then asking that theirs be one of them. D'oh!
(Holy crap, some of these blogger captchs even *I* can't decipher!)