Thursday, May 1, 2014

Defense in depth not good enough - states Bromium

Well, it is sales pitch combined with facts.



I agree with the "The security chain is only as strong as its weakest link" statement (I am sure everyone does).

I disagree with: "Adding additional layers to your existing “Layers on Layers” (LOL) of end point protection – just like any Defense in Depth (DID) strategy – is a game of diminishing returns."

If you understand what you are trying to protect and your attack surface, and choose the right layers of security, then DID will be valuable. However, I am afraid that the above statement might be true for many organizations.


According to the article:-

In his research, Wojtczuk used the public exploit for the so-called “EPATHOBJ” Windows kernel vulnerability to bypass application sandboxes, AV, HIPS, rootkit detectors, Microsoft EMET and SMEP – even when all of these solutions are layered one upon the other. Modifications to the exploit allowed us to bypass all of these technologies.

This highlights the fact that “defense in depth” – based on simultaneous deployment of multiple solutions that share the same weakness – does not advance security posture. In this case the entire chain of protective measures shares a common vulnerability – the Windows kernel, which unfortunately is the component with the most rapidly growing set of vulnerabilities – over 80+ CVEs in the last year alone.

Using hardware isolation – courtesy of the integrated hardware virtualization features on every CPU – to isolate each untrusted task that executes on the end point, solves the problem of the weakest link: the security posture of the end point is no longer dependent on the Windows Kernel, but on the hardware isolation capabilities of the CPU.
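To make the "shared weakness" argument concrete, here is a small probability model I have added (it is not from Bromium's article or the post above). The layer names and bypass probabilities are constructed sample values, not measurements; the point is the shape of the result: layers that all fall to one kernel exploit cannot push the bypass probability below the kernel's own, while a layer with a different trust root can.

```python
# Added illustration: toy model of layered defenses that share one dependency.
from dataclasses import dataclass


@dataclass(frozen=True)
class Layer:
    name: str
    p_bypass: float     # chance the attacker gets past this layer on its own
    needs_kernel: bool  # True if a kernel exploit defeats it outright


def p_full_bypass(layers, p_kernel):
    """Probability that every layer in the stack is defeated.

    Modelling assumption (not measured data): individual bypasses are
    independent events, and a kernel exploit (probability p_kernel) defeats
    all kernel-dependent layers at once, so only layers with a different
    trust root still have to be bypassed on their own.
    """
    every_layer = 1.0
    kernel_free_layers = 1.0
    for layer in layers:
        every_layer *= layer.p_bypass
        if not layer.needs_kernel:
            kernel_free_layers *= layer.p_bypass
    return p_kernel * kernel_free_layers + (1.0 - p_kernel) * every_layer


# Constructed sample numbers; only their relative sizes matter.
P_KERNEL = 0.3
STACK = [
    Layer("sandbox", 0.2, True),
    Layer("AV", 0.2, True),
    Layer("HIPS", 0.2, True),
    Layer("EMET", 0.2, True),
]


def compare():
    """Return P(full bypass) for the base stack, one more kernel-bound
    layer, and the base stack plus a hardware-isolation layer."""
    base = p_full_bypass(STACK, P_KERNEL)
    more_lol = p_full_bypass(STACK + [Layer("rootkit detector", 0.2, True)], P_KERNEL)
    hw_iso = p_full_bypass(STACK + [Layer("CPU virtualization isolation", 0.05, False)], P_KERNEL)
    return base, more_lol, hw_iso


if __name__ == "__main__":
    labels = ("4 kernel-bound layers", "5 kernel-bound layers", "4 layers + hw isolation")
    for label, p in zip(labels, compare()):
        print(f"{label:26s} P(full bypass) = {p:.4f}")
```

With these inputs the fourth and fifth kernel-bound layers both leave the bypass probability just above 0.30 (the kernel floor), whereas the single hardware-isolated layer drops it to about 0.015.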


The link below has more information:-
