We all use signatures. Signatures here, signatures there. They grant authenticity and trust, among other things, or at least they’re supposed to.
In the Infosec world, trusting signature-based products has been hard since the cornerstone of the signature-based industry, the AV vendors, declared themselves officially dead. As a result, about half a year ago, I spoke to one of the lead developers of Suricata and told him he was working on a project without any future. We agreed on that, but we also agreed that there is dead and there is dead: signature-based products are still “alive” and “kicking”, since very few of us dare to live without them. They do still have a place in defense-in-depth. They do catch stuff, and they do placate auditors and management.
Writing a signature is hard. I know that. I just didn’t know how hard. That is, until recently. (Thanks, OISF team.) Yesterday I was reading the April 28th post from Erratasec: http://blog.erratasec.com/2014/04/fun-with-ids-funtime-3-heartbleed.html#.U2CrvPmKW-0, written by Robert Graham / @erratarob. This post in particular is very enlightening; it made me acutely aware of the fact that there are good signatures and bad signatures. Obviously we all know about this difference, but sometimes reading a well-written article about a subject like this resonates within you. Signatures have power. I imagine, and I fear, that some of us out there have decided against patching for Heartbleed vulnerabilities because they are protected by a signature-based tool. Some of us are defending infrastructure that is unpatchable and may be forced to rely upon some kind of protection for this. Call it UTM/IPS/ATD/AMP/WAF—whatever you want to put in place to mitigate this threat. This scares me. If you trust in signatures enough to feel safe under their watch, that’s up to you. I don’t. Even the best signatures, like the best SSL libraries, are written by humans. Humans who can be tired, drunk, or simply not know enough. No matter what you do, you should build a defense-in-depth around and inside your most important elements/data. Do not “sign off” on using signatures alone.
Now, for building that defense-in-depth, if you’re looking for a good place to start, let me recommend the blog of @nigesecurityguy – http://nigesecurityguy.wordpress.com/2014/03/17/apt-strategy-guide/
Signing out @claushoumann
Claus Cramon Houmann | IT Security Consultant