Alex Stamos, formerly with Yahoo and now CSO at Facebook, gave a really interesting talk at AppSec California 2015 recently titled “AppSec is Eating Security.” Among the many insightful comments he made during the talk, one in particular caught my attention. The video of the talk is available on YouTube and around 9th minute into the presentation (video link: https://www.youtube.com/watch?v=-1kZMn1RueI&t=8m55s), Alex comments about how he had removed FireEye network security equipment out of Yahoo because he assumes that well-resourced nation-state adversaries like China had easily managed to acquire that technology, reverse-engineered it and figured out how to defeat.
His FireEye specific comment aside, the argument he makes is a very important one and actually applies any on-premise security technology that is easily available for an adversary to acquire. With the resources that an intelligence agency can devote to setting up cutout entities to do covert purchases or even interdict equipment during shipping, you simply have to assume that any openly available software or hardware-based security technology you’ve procured has already been acquired by a sophisticated adversary, deployed in their labs and significant resources have been expended on breaking it.
There are only two real options for responding to such a threat.
The first is to try to build your own security tools (and not share them with anyone) and hope that an adversary has not been able to acquire your custom-built solution from your network. This is the option that Alex advocates but, unfortunately, few organizations have the resources and capabilities of Yahoo or Facebook to have their own security technology engineering teams. It’s simply not a realistic option for the vast majority of companies out there due to expense and talent scarcity.
A second option is to leverage a cloud-based technology which can record every execution event in real-time and transmit it to the cloud where an adversary can’t easily destroy it without getting caught. This way even, as we now have to assume, they manage to procure a copy of the software, they cannot realistically test it offline in their lab without immediately revealing all of their tradecraft. If they disconnect it completely the cloud, they won’t know how their attack will truly perform in the real-world where you have to deal with the reality of a cloud connection. (Terminating the connection as a first step of your attack is also problematic as the effects of that are also observable in the cloud and can trigger immediate investigation).
This is why at CrowdStrike we decided from day 1 to build Falcon, our next-generation endpoint security technology, as a cloud-based platform. This was the only way we could ensure that we would instantly crowdsource adversary tradecraft intelligence in the cloud and, thus, learn and adapt from every attack an adversary attempts against our technology – whether in their secret lab tests or in the wild against our customers.