Comments on Cosine Security: Return postage for Mr Zalewski

Michal Zalewski (https://www.blogger.com/profile/07964553034419471588), 2010-05-19 15:32 -07:00

My post actually wasn't meant to be a defense of the antivirus industry; in fact, I see many problems with how the model currently operates, and the parts you highlight were specifically an attempt to highlight this. It just seemed pointless to turn it into a fully-fledged rant.

That said, specifically because I do not consider AV to be a proper security mechanism, I find it disappointing that we get worked up about antivirus bypass "vulnerabilities" - as if these products offered any strong security assurances to begin with, and weren't essentially inherently designed to be bypassable. This probably leads to people making misinformed decisions on the extent of trust they should put in AV software. This is the arguably more important point I hoped to make.

thelightcosine (https://www.blogger.com/profile/03060233785644761709), 2010-05-20 07:19 -07:00

Ah. Well I guess I missed some of the point of your article while turning around and trying to make it myself. I would have to agree that AV is a failure as a 'security mechanism'. There is no silver bullet for security unfortunately, but if I had to lay money down on the most effective use of resources it would be outside of the technical arena anyways.

I would say the most important use of the security industry's time would be to continue working on building and fostering more mature processes. Development processes need to be moved along the lines of an SDL for all developers. It also needs to mean more than a buzz-word. The SDL concept itself needs to continue to grow and mature. Operational processes need to be grown and matured in the same way. All of IT needs to feel security is an integral part of their job, whether it's network config, server builds, software installs, etc. Everything needs to be done with an eye on the security implications of each decision.

Finally, security processes need to be grown and matured. We need to step back and evaluate the way we approach security. As you said, we often place too much trust in AV. I'd say that we rely too heavily on products in general though. Many times we set up our firewalls, our NIPS, maybe some HIPS, some AV, and some web proxies. Then we step back, dust our hands and say "okay, now we're secure". This bare minimum is laughable now.

There is so much more that has to happen, from the obvious vulnerability and permissions auditing, to correlation of events from all of our various tools, to training our people to make the right decisions and beyond. It isn't the technology that will save us. It will be people making the right decisions.

Well, sorry that rant went on a lot longer than I expected. Thank you, Mr Zalewski, for taking the time to respond to my post and clarifying your position.