Blog post

The Future Is Here … And It Is … Network? Endpoint?

By Anton Chuvakin | April 09, 2015 | 7 Comments

Tags: security, philosophy, analytics

We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network! We lost the network – MUST focus on the endpoints! We lost the endpoint – MUST focus on the network!

Got a headache yet? As my security analytics research project is nearing its end, these conflicting messages have finally exploded my brain. Vendors (and, occasionally, security managers) pronounce either of the above two lines as “god-given truth” – without any awareness that the opposite message is just as powerful…

So, think about this:

| We lost the network – MUST focus on the endpoints! | We lost the endpoint – MUST focus on the network! |
|---|---|
| Anybody can connect to our network | Malware everywhere – antivirus effectiveness low |
| Business partners connect entire other networks to our network | Users click things, phishing just works, etc |
| Many connections to the internet, some with no controls | Drive-by and browser exploits dime a dozen |
| BYOD wifi, 3G/4G, etc | BYOD – no control over the endpoint at all |
| Our network spans 100 countries, managed by different people, etc | Laptops are hard to manage remotely, patch, etc |

The existence of this paradox is explained (IMHO) by one sad reason: silos!

People who “live” on the right side (let’s call them “the network guys”) know that their side is badly broken and they hope that the grass is greener on the other side – maybe the endpoint guys would block the attack. Naturally, people who “live” on the left (let’s call them “the system guys”) know that the endpoint is infected, the user incorrigible and that the malware is pervasive, but they hope that the network guys “got it.”

Surprise! The other side is just as fucked up as yours!!!

Hey, Anton, what is the point of all this?

  • Silos kill!
  • Generally speaking, we lost both sides 🙁
  • Security must transcend IT silos (for example, incident response cannot be constrained to a silo)
  • Security analytics should also go across and incorporate logs, traffic (packets, session metadata) and endpoint data (EDR / ETDR style) – and also application monitoring data
  • Those who ignore today’s realities and insist on sticking to “just better netsec” or “just next-gen AV” (or whatever other false hope on the endpoint), risk losing their only advantage – see “Defender’s Advantage”
  • If you think that at your particular organization, security can never bridge this gap, then either change the organization or change organizations.
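
The cross-silo analytics point above, as an added example that is not from the original post: a small Python correlation of constructed network session metadata with constructed EDR process-to-network events, joined on host, destination and port, so that an alert fires only when the network view and the endpoint view agree. The records, hosts, port list and process names are all assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the post).
# Network silo: session metadata as a flow sensor or proxy would record it.
NETWORK_SESSIONS = [
    {"ts": "2015-04-09T10:01:05", "src": "10.1.2.3", "dst": "198.51.100.7", "dport": 443, "bytes_out": 1800},
    {"ts": "2015-04-09T10:03:10", "src": "10.1.2.3", "dst": "203.0.113.9", "dport": 8443, "bytes_out": 2300},
    {"ts": "2015-04-09T10:07:42", "src": "10.1.2.4", "dst": "203.0.113.9", "dport": 8443, "bytes_out": 900},
]
# Endpoint silo: EDR process-to-network events from the same hosts.
ENDPOINT_EVENTS = [
    {"ts": "2015-04-09T10:01:04", "host": "10.1.2.3", "proc": "outlook.exe",
     "parent": "explorer.exe", "dst": "198.51.100.7", "dport": 443},
    {"ts": "2015-04-09T10:03:09", "host": "10.1.2.3", "proc": "powershell.exe",
     "parent": "winword.exe", "dst": "203.0.113.9", "dport": 8443},
    {"ts": "2015-04-09T10:07:41", "host": "10.1.2.4", "proc": "chrome.exe",
     "parent": "explorer.exe", "dst": "203.0.113.9", "dport": 8443},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}   # assumed list
SHELLS = {"powershell.exe", "cmd.exe"}                      # assumed list


def correlate(sessions, events, window_s=5):
    """Join each network session to the endpoint event that produced it.

    Match key is (host, destination, port); timestamps must agree within
    window_s seconds because the two silos are clocked by different sensors.
    """
    joined = []
    for s in sessions:
        s_ts = datetime.fromisoformat(s["ts"])
        for e in events:
            if (e["host"], e["dst"], e["dport"]) != (s["src"], s["dst"], s["dport"]):
                continue
            if abs(datetime.fromisoformat(e["ts"]) - s_ts) > timedelta(seconds=window_s):
                continue
            joined.append({**s, "proc": e["proc"], "parent": e["parent"]})
    return joined


def detect(sessions, events):
    """Alert only where both silos tell the same story: an office app spawned a
    shell, and that shell is the process behind a session to a non-standard port.
    Either signal alone is noisy; the joined view is specific."""
    alerts = []
    for j in correlate(sessions, events):
        net_odd = j["dport"] not in (80, 443)                          # network-side signal
        proc_odd = j["proc"] in SHELLS and j["parent"] in OFFICE_APPS  # endpoint-side signal
        if net_odd and proc_odd:
            alerts.append(j)
    return alerts
```

On the sample data, the chrome.exe session to the same destination and port is joined but not alerted, which is the point: the endpoint context, not the network session alone, decides.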

7 Comments

  • Ronald says:

    So is focus on the application/service the solution?? (like OWASP AppSensor) https://www.owasp.org/index.php/OWASP_AppSensor_Project

  • Phil McCrackin says:

    @anton_chuvakin: Local grocery installed new PoS. I tried pay w phone. Failed! Fuck that shit – credit card so much easier! And it works!

    I agree, fuck that shit!

  • Pete Vas Deferens says:

    Dr. C:

    Which side is fucked up as yours?

    PVD

  • Matthew Gardiner says:

    Couldn’t agree more… to get out of living in their security data silos, first folks have to get out of their mental silos…

    “Security analytics should also go across and incorporate logs, traffic (packets, session metadata) and endpoint data (EDR / ETDR style) – and also application monitoring data”