The end of multi layered approach?

Discussion in 'other anti-malware software' started by Kees1958, Oct 23, 2008.

Thread Status:
Not open for further replies.
  1. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Just to spice up discussion

With security applications using different angles of protection, the need for a layered security approach is decreasing. Also the operating systems themselves are providing more built-in protection like Vista's FW, LUA (registry and file virtualisation and IE running in protected mode).

    Online Armor: Anti Executable + FireWall + Policy restriction (run safer) + web protection (paid) + HIPS + white/blacklists on executables

    A2 Malware: Behavioral IDS + Community voting + AS/AT/AV engine + webprotection

ThreatFire: Behavioral IDS + Quarantine Rollback filter + AV intrusion check + Outbound + custom rules

    EQSecurity: Classical HIPS + sandbox + outbound (new version)

    Comodo: HIPS + FW + black/white list executables + AV (Beta)

    DefenseWall: Policy HIPS + Outbound (next release) + resource protection + Total untrusted file control

    Prevx: as a pioneer on combining different angles has the lot

And the traditional suites like Kaspersky, Outpost Pro, Norton 360 etc.

There are more examples for sure, so why bother putting together a multi-layered approach when most security apps will provide you similar results, with the knowledge of experts built in and out-of-the-box knowledge available?

    Cheers Kees
     
    Last edited: Oct 23, 2008
  2. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    you forgot Geswall. If I were to pick a single app instead of a layered approach, Geswall would get the nod.
     
  3. QBgreen

    QBgreen Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    627
    Location:
    Queens County, NY
    Why put together a multilayer approach still? For the same reason as before, as not to place all of your security 'eggs' into one basket.
     
  4. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
I think you can now, most actually do and never have an issue. The reality is most products are good enough to keep you safe by themselves, and do. I sometimes think we really blow the whole concept of a trojan destroying the world way out of proportion. Most of us just turn the lock on our door knobs at night to lock and secure our homes and families. No layered approach to security there. But which has more importance?
     
  5. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
I have a license of GeSWall Pro and like it very much (because it is faster than most sandboxes), but doubted to mention them because GW does not have total untrusted file control (which can be a danger for non-expert users, for instance when you download an infected file, unpack it with a trusted application to another partition, then you are naked), so okay

    GW Pro: policy HIPS + outbound protection (with special trick) + Virtualisation
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
No problem and thank you. But wouldn't that hold true for most you listed if they failed to detect the infected file in the first place?
     
  7. thathagat

    thathagat Guest

    layered approach or not...? well at the end of the day the biggest security hole is always the one in front of the PC and that trigger...nay mouse happy finger shooting from the hip is a fickle master letting the strongest suite or the layered setup down with a simple ignore/skip command....
     
  8. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    So what would be an easy to use add on to GW to handle untrusted file control?
    And what special trick for outbound protection?
    Hugger
     
  9. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
Well, the trend is clear that multi-vendor approaches are getting lower and lower at the market. Suites are more reliable for end-users and, also, their cost is higher. :)
     
  10. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
The easiest add-on would be common sense of the user; I do not know of a software-based add-on.

Change the network device in the GW console from threatgate to confidential (confidential means you get similar control as with DefenseWall resource protection).
     
  11. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Not with policy-based protection like DW and GW and virtualisation sandboxes or partition virtualisation, because they do not ask the user.

With OA for instance it is possible to run unknown programs with limited rights; this feature does not throw a pop-up, it just restricts the damage an executable can do. A2/PrevX/DriveSentry have community voting with auto-accept when for instance 90% of the community makes a certain choice (trusting that only the minority of PC users are fools).

With ThreatFire I have configured it to create a restore point before quarantine and simply quarantine known PUAs and malware without asking the user.

    It will be possible to deal at large with the monkey in front of the screen.
     
    Last edited: Oct 23, 2008
  12. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    nothing about your post suggests the need for multiple layers is decreasing... it only suggests the need for multiple products is decreasing because vendors are putting multiple layers into one product...
     
  13. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
But at least by doing that you won't get conflicts between two or more security software products. Plus it saves some money too.
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,828
    Location:
    Last Breath Farm
    Mr. Home Invader & Mr. Burglar, say hello to my layered friends, Mr.12-Gauge & Mr. Canine Unit. ;)
     
  15. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
Tada :thumb: Exactly: I have often seen overlapping products because multi-layer was interpreted as: I do not trust one application so let's add an overlapping application.

Although this cross-stapling/overlapping principle is used in construction, in software it does not necessarily mean that 1 + 1 = 1.5 (certainly not two). Overlap also has the disadvantages Jmonge mentions :thumb:

    Regards Kees
     
  16. kwismer

    kwismer Registered Member

    Joined:
    Jan 4, 2008
    Posts:
    240
    i suspect you might be verging on best of breed territory here (ie. i like A's scanner best, but B's firewall plays better with my system while C's rootkit detection looks really really good)...

    well, i agree there really isn't that much point in using 2 of the same technology, but just because you use 2 products that have overlapping parts doesn't mean you have to use those overlapping parts... often you can discard parts you don't want at install time or disable them after the install...
     
  17. Hugger

    Hugger Registered Member

    Joined:
    Oct 27, 2007
    Posts:
    1,003
    Location:
    Hackensack, USA
    Kees,
    Thanks. That would make a nice setup for my daughter.
    Hugger
     
  18. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    I think this is true.... more often than not, the suites today are pretty good and cover a lot of ground, with overall good results. For most, that's "good enough". And to get all the components working together in your multi-layered approach is no small feat nowadays. OS's are including more yes. I think we're seeing the way it's all going and the way it'll end up.
     