Get Over Windows Defender Already, AV Vendors!

From That’s It. I’ve Had Enough!:

Users of Windows 10 have been complaining that the system is changing settings, uninstalling user-installed apps, and replacing them with standard Microsoft ones.

A similar thing’s been happening with security products.

When you upgrade to Windows 10, Microsoft automatically and without any warning deactivates all ‘incompatible’ security software and in its place installs… you guessed it – its own Defender antivirus. But what did it expect when independent developers were given all of one week before the release of the new version of the OS to make their software compatible? Even if software did manage to be compatible according to the initial check before the upgrade, weird things tended to happen and Defender would still take over.

And then the piece goes on to talk about how Microsoft is being anti-competitive and Kaspersky is going to take this up with official government bodies in the EU and Russia.

If we’re simply talking about anti-virus here, I don’t know that Kaspersky, or anyone else for that matter, is doing anything much better than the rest of the field. The technology has inherent limits: it matches files against signatures of threats that have already been seen, so, generally speaking, efficacy comes down to how quickly new signatures are generated and deployed after each new variant shows up.

We know how effective AV is in general. It’s why Check Point and numerous other vendors, including Kaspersky, offer different solutions that address threats AV cannot by itself. This is where security software vendors should be focusing their efforts. Stop fighting with Microsoft over Windows Defender.
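To make the “inherent limits” point concrete, here is an added example (mine, not code from the original post or from any of the vendors mentioned). It uses a constructed stand-in for a “known malicious” file and two signature styles a vendor might ship for it, a whole-file hash and a byte pattern, then shows how a one-byte append defeats the hash and how a trivial XOR encoding layer defeats the pattern as well. The sample bytes, the key 0x5A and the signature lists are all made up for illustration.

```python
"""Why signature-based AV has inherent limits: constructed demonstration.

Nothing here is real malware; KNOWN_SAMPLE is an arbitrary byte string that
stands in for a sample the vendor has already analysed and signed.
"""
import hashlib

# Constructed "known malicious" payload (assumption: arbitrary bytes).
KNOWN_SAMPLE = b"MZ\x90\x00" + b"evil-loader-v1" + b"\x00" * 16 + b"connect(c2.example)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Two signature styles a vendor might publish after analysing KNOWN_SAMPLE.
HASH_SIGNATURES = {sha256_hex(KNOWN_SAMPLE)}
PATTERN_SIGNATURES = [b"evil-loader-v1", b"connect(c2.example)"]


def hash_scan(data: bytes) -> bool:
    """Exact-match signature: fires only on a byte-identical file."""
    return sha256_hex(data) in HASH_SIGNATURES


def pattern_scan(data: bytes) -> bool:
    """Byte-pattern signature: survives padding and appends, not re-encoding."""
    return any(p in data for p in PATTERN_SIGNATURES)


def scan(data: bytes) -> dict:
    """Run both signature checks and report which ones fired."""
    return {"hash": hash_scan(data), "pattern": pattern_scan(data)}


# Variant 1: the attacker appends a single byte (in practice: re-pack,
# re-link or re-sign). Hash changes, the byte patterns are still present.
APPENDED_VARIANT = KNOWN_SAMPLE + b"\x00"


def xor_encode(data: bytes, key: int) -> bytes:
    """Single-byte XOR, the simplest possible packer/crypter layer."""
    return bytes(b ^ key for b in data)


# Variant 2: the attacker keeps the header, prepends a small decoder stub
# and XOR-encodes the body with a per-build key (0x5A is an assumption).
# The bytes on disk now share nothing usable with the original sample.
ENCODED_VARIANT = b"MZ\x90\x00" + b"STUB:" + xor_encode(KNOWN_SAMPLE[4:], 0x5A)


def scan_all() -> dict:
    """Scan the original and both variants; the results show the gap
    that only a fresh signature (or a non-signature technique) closes."""
    return {
        "known": scan(KNOWN_SAMPLE),
        "appended": scan(APPENDED_VARIANT),
        "encoded": scan(ENCODED_VARIANT),
    }


if __name__ == "__main__":
    for name, result in scan_all().items():
        print(f"{name:9s} hash={result['hash']!s:5s} pattern={result['pattern']}")
```

Running it shows the original caught by both checks, the appended variant caught only by the pattern, and the encoded variant caught by neither. Every such variant forces the vendor back to analysis and signature release, which is exactly why turnaround time, not the scanning engine, ends up deciding efficacy.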

Disclaimer: My blog, my personal opinions. I’m sure you knew that.

A Word About Competition in the Information Security Industry

The devices, networks, and social institutions we use today are only useful because, on the whole, most people largely trust them. If that trust gets eroded, people will stop making use of them. It took me many years of working at Nokia to realize that regardless of what I do in life, I am always going to be looking for ways to improve security, with the ultimate goal of maintaining that trust.

As a company, Check Point firmly believes customers deserve the best security for their digital information. That, plus my long-time history with Check Point, was why I ultimately decided to go work for Check Point when they acquired Nokia’s Security Appliance Business back in 2009. The talented, smart people I work with day in and day out, all working toward the same goal, are why I’m still here, even as a few of my friends, Kellman for example, recently left.

That said, you may have noticed in my social media feeds that I’ve spent a little bit of time talking about Check Point’s competition. This is no accident, as I see a lot of nonsense out there. I will admit to using my small platform to bring facts, understanding, and details to light, much as I did with my FireWall-1 FAQ back in the day.

To be clear, I think healthy competition is a good thing. It raises all boats, regardless of whose product you ultimately use. Despite our differences in approach, all infosec competitors have a common enemy: the malicious actors who attempt to penetrate and disrupt our customers’ networks. We would do better as an industry to remember that and work together toward defeating that common enemy.

Despite that common goal, everyone who works for a security vendor wants to succeed over the competition. As part of that competition, every vendor also puts out information that puts their offering in the best light, such as Check Point’s recent Facts vs. Hype campaign. Sometimes, that has the impact of throwing a bit of shade, perhaps 50 shades or so. This is all part of normal, healthy competition that happens in any industry.

With Palo Alto Networks, however, it’s clearly different. Nir Zuk, the co-founder of Palo Alto Networks, drives a car with the license plate CHKPKLR. This has been widely known since at least 2005, and a picture of said license plate was featured prominently at their recent Sales Kick Off:

(Image: the CHKPKLR license plate on the big screen at the Palo Alto Networks Sales Kick Off)

The guy up on stage? Their CEO Mark McLaughlin, propagating the “Check Point Killer” message to the assembled masses.

Over the years, I’ve heard countless stories of how Nir Zuk would come in to talk to a customer and spend a significant amount of time talking about Check Point, to the point where he was thrown out of at least one customer meeting! Given how some customers feel about Check Point, I’m sure that tactic did help to drive some sales.

(Image: a slide on stage reading “Gil Shwed is not my friend”)

The guy on stage here? Palo Alto Networks CMO Rene Bonvanie.

It’s clear hatred of Check Point is institutionalized at Palo Alto Networks, and it comes straight from the top. It makes me question what business they are truly in. If paloaltonetworks.security doesn’t even resolve to their own website, it must not be the security business.

Disclaimer: My blog, my personal opinions. I’m sure you knew that.

Is Past (Security) Performance Indicative of Future Results?

It’s a phrase you will see in the fine print of any document related to past performance of a money manager, mutual fund, or managed financial account: “Past performance is not necessarily indicative of future results.” The same disclaimer could easily be applied to information security products and their ability to stop threats.

The most obvious technology this statement applies to: anti-virus. While it does a great job at what it was designed to do–block known, malicious files–it has limitations in the kinds of malicious files it can identify. It can also be a source of additional vulnerabilities, such as what Google recently discovered in Symantec’s Endpoint products. I suspect any widely deployed security technology will suffer a similar fate: either the technology itself is attacked, or the technology is rendered ineffective through innovation by the bad guys.

Where I think “past performance” is indicative for security products is how quickly security issues discovered in the product get remediated. Because let’s face it: every security product will be found vulnerable to some issue at some point. What ultimately matters is how quickly you remediate those issues once they are known.

For a company that uses “Prevention is Non-Negotiable” as their marketing message, Palo Alto Networks is not so good at fixing security issues discovered in their products. Here’s the latest example from the PAN-OS 7.1.4 release notes:

(Image: the PAN-OS 7.1.4 release notes entry for the fixed CVE)

The National Vulnerability Database lists this as a high-severity issue. The time to issue a public patch? Nearly 6 months from the date of discovery. Given the response times Check Point has seen when it responsibly disclosed security vulnerabilities to Palo Alto Networks, this timeframe doesn’t seem all that surprising.

To be fair, it’s possible that Palo Alto Networks did a risk assessment on these issues and determined the likelihood of exploit is low enough that they didn’t need to fix these issues urgently. They may be right, but when you preach “Prevention is Non-Negotiable,” taking 6 months to fix a known security vulnerability in your product just looks bad. Actions, ultimately, speak louder than marketing.

Disclaimer: My employer, Check Point, believes in addressing issues like this quickly. These views, however, are my own.

Do You Really Need Threat Intelligence?

From Beyond Whack-A-Mole “Intel”:

In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)?

To put it another way: you spend a lot of time figuring out what happened, but not why it happened. Not the technical reasons–those are easy–but who was behind the attack, what was their motivation, what are they really after, and so on.

The author of this piece suggests a need to actually perform this research–after whacking the mole, of course. I see a couple of problems with this suggestion:

  1. Most organizations are not actively targeted. They are merely collateral damage from broader efforts to spread malware. These organizations lack the resources to do this sort of research anyway and, even if they did it, would barely have the resources to act on the results.
  2. The largest organizations that are actively targeted have the staff to do this (and they largely already are). Could they be better at it? Sure.

I’m not saying threat intelligence is a bad thing, I’m just saying in the hierarchy of information security needs, there are several base needs that must be satisfied first. Many organizations will never get to the point of needing this.

What I think would be useful to a larger percentage of organizations are tools that leverage the threat research others are already doing and actually act on that research automatically. And no, I’m not talking about just IOCs (although they will undoubtedly be part of it).

I know what you’re thinking: it sounds like an easy button for security. It doesn’t exist today, but I have no doubt someone will create it. We’re going to need it to stay one step ahead.

Disclaimer: My employer, Check Point, may or may not be working on such a thing, I don’t know. These views, however, are my own.

Resisting Comparison

From Sophos Blog: Thoughts on Comparative Testing:

Cylance itself has acquired access to many other vendors’ products, including Sophos, and has been using them in its own competitive testing in public demos, in violation of end user licenses. In fact, Cylance just renewed its licenses for Sophos products through one of our partners. When Cylance acquires our software we don’t threaten the reseller. Note that despite our efforts, to date, Cylance has been unwilling to allow us to license its products.

As long as there has been a marketplace for products, vendors of products have always sought to acquire the competition’s products to understand if they are better and how. Likewise, third party analyst firms acquire products from a number of vendors in a space to compare and contrast them. No matter what vendors might try to do, including End User License Agreements to restrict product uses, these activities will continue unabated.

It seems silly to me that organizations deploy products to protect their critical assets without doing the due diligence to make sure the products do what their marketing claims they do. That said, information security departments in companies of all sizes are understaffed and barely have the time to operate the tools they have, much less evaluate the efficacy of new ones.

A quality information security product should stand up to reputable third party scrutiny. Even if you don’t do a direct comparison yourself, there are plenty of analyst firms who do these sorts of comparative evaluations and publish their results (usually for a fee). While it’s impossible for vendors to participate in all third party testing and not all third party evaluations are created equal, a dearth of third party evaluations for a particular vendor’s products should be a huge red flag.

The one sort of scrutiny that no vendor can ignore is the scrutiny of the bad guys. They are guaranteed to find the product flaws you didn’t find in testing or didn’t find documented in the third party evaluation reports that you didn’t read.

Disclaimer: My employer, Check Point, also recently called out a competitor on their marketing claims. These views, however, are my own.