Layered defenses largely fail to block exploits, says NSS

My paranoia just spiked 10 fold.

 

Take a pill...

 

It seems that the article title is quite sensational.

Spoiler:

On later part it says it's fine to use layered defense, as long as it's not from the same vendor and not on the same type. I want to hear opinions from security suite users about this.

What the article didn't mention is that cherry-picking can be dangerous if you consider about compatibilities. This is where security suites shine, built from the same technology means conflicts are less likely to occur. Not saying that cherry-picking should be avoided, just make sure you do it right.

End of spoiler.......

I personally think it's still pretty effective. Not a holy grail but supposed to be adequate enough for most situations. Just as long as you know where to put those layers and their limits.

 

Don't paranoid. It's just saying that layering is the way to go but you have to do it properly. Using 2 AV's or 2 Blacklisting isn't going to help. It's pretty much what most of us already know. Having an AV, firewall and HIPS covers most of what suites have today. So instead of using NIS, you could use Outpost firewall, Eset AV and Appguard. You have your Firewall/HIPS, AV and Anti-exe. You just have to look at what you have and determine if it's more than two of the same things.

 

I am interested in hearing what suite users have to say as well.

 

Nothing we didn't know already really.. If malware can take down NIS for example, then both the firewall and the AV are both taken down, leaving you pretty exposed. Like the article says, the art to combining products from different vendors is really finding the ones that play well together. As we all have seen, conflicts are commonplace. But with some experimentation, one can come up with a pretty good strategy that covers the bases well, without conflicts or issues. The possible combinations from different vendors is, well, not unlimited, but vast...

 

Exactly. There are plenty of choices. You just have to mix and match till you find something to your liking. Took me a while to find the combo that works for me. I'm still tweaking stuff here and there but not so much lately.

 

In the link they say:

Now how do we find out what were the 3%?

That is about 18 or 19 unique combos. I want to know if my combo happens to be one of them.

 

Actually, the last paragraph sums it up:

There is a significant correlation of failures to detect exploits between security products. "This is because most vendors use the same sources of threat intelligence and the same vulnerability research feeds as each other, and this means that they will, more often than not, have the same deficiencies in their coverage," NSS reported.

Translated, everyone is using the same source so your in essence wasting your money and system resources using more than one. Hum ........ wonder what MBAM thinks of that?

However this article is talking about exploits.I have EMET for that.

 

IMO relevant:

http://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain-139x300.png

As you can see from the above chart, the problem isn't overlap in the security setup; the problem is that it's full of holes. Client-side memory corruption exploits will blow right past most products; the operating system itself has to handle them.

So yeah, if you're a company and you run Windows, please upgrade already!

 

GJ, that image is so small I can't read it...

 

Bigger version: hxxp://0xdabbad00.com/wp-content/uploads/2013/04/exploit_mitigation_kill_chain.png

 

Yeah, much better. Thanks...

 

Sorry, my mistake there. Also my post about should have said "Windows XP." Point was that Vista and later have better protection against memory exploits.

 

In other words, use a true layered approach with software from multiple vendors?

 

Doesn't EMET prevent all these exploits?

 

Agree ! In last years I have tried and successfully experienced good combos for a multi layered security; sometimes I found a bad combo which created conflict, and simply I reject it. A disk image software helps to test and try.

 

Do you mean that you use HIPS and anti-exe together ? I always thought that such a combo could decrease their effectiveness.

 

"One pitfall to avoid with layered security is using products from the same vendor. That's because all of a single vendor's products are based on the same technology and security intelligence."

That is just common sense. I've just seen few at Wilders using a layered approach with the same vendor.

 

There are vendor security suites using technologies from different sources. Ideal choice for avoiding conflicts but keeping the layered approach philosophy (e.g. Bullgard, G-Data, ZoneAlarm, etc..)

 

They perform similar jobs but work differently. The AE does just that blocks exe that aren't whitelisted. It doesn't block scripts or other exploits. HIPS has a granular control over your system. Depending on the HIPS, it will prompt you for just about everything that a program is attempting to perform. Little more interactive and sometimes annoying. I have used both before but I don't believe it will decrease effectiveness of either.

 

The windows os will emerge to a three level trust zone: elevated - normal - sandboxed. Next generation security should focus on exploit protection keeping untrusted in sandbox and preventing shoot in the foot errors by virtualising/sandboxing binaries with poor reputation. The latter helps safeguarding the normal - elevated frontiere and possibly also jailing known blacklisted binaries.

So multi level will be os plus exploit mitigation plug-ins/add ons and an AV with reputation scoring and auto sandboxing

 

Yes, my doubt is if they are installed both at lower level in the system.

 

Yes,if not all then the vast majority.