Advice Request: What will cybersecurity software look like in the future, say 10-30 years from now?

Please provide comments and solutions that are helpful to the author of this topic.

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,658
Might work in a 12-person medical practice, but not in an enterprise.


Provide evidence for your claim - evidence from Microsoft. We'll all wait. :ROFLMAO:

You seem awfully fixated and stuck in the past with SRP from decades ago. SRP has moved on. On Windows 11 SRP is running and it is called WDAC. Or did you not know that WDAC is the latest iteration of Microsoft SRP?

There is no argument happening here. I am politely responding to your posts and calling you out on your false claims about SRP.



OK strawman.


You don't know who I am or a thing about me.
WDAC is functional under the latest version of Windows 11, legacy SRP is not. What part of that do you not understand?
 
ForgottenSeer 95367

WDAC is functional under the latest version of Windows 11, legacy SRP is not. What part of that do you not understand?
WDAC is Microsoft's latest implementation of SRP.

Everything that can be done in classic SRP can be done in WDAC along with new features. I'm running a 2019 server serving 30K endpoints with WDAC, all LOLBins blocked on both server and clients, all humming right along for months without a single issue.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,658
It takes two to tango and two to argue. I do not see any argument here -- just an interesting discussion.
It would be an interesting discussion if JT understood how VS works, or how vital context is to cybersecurity.

But he does not understand these things so it is a useless discussion.
 
ForgottenSeer 95367

It would be an interesting discussion if JT understood how VS works, or how vital context is to cybersecurity.
This isn't about Voodooshield, how it works, or my understanding of it. It is about your false claims regarding SRP. It's about you and your spreading of falsehoods.

Provide the evidence to substantiate your claims.

But he does not understand these things so it is a useless discussion.
So all you have is ad hominem?

It's not a useless discussion. The discussion proves you have no evidence to back up your claims about SRP.
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,658
WDAC is Microsoft's latest implementation of SRP.

Everything that can be done in classic SRP can be done in WDAC along with new features. I'm running a 2019 server serving 30K endpoints with WDAC, all LOLBins blocked on both server and clients, all humming right along for months without a single issue.
Again, WDAC is functional under the latest version of Windows 11, legacy SRP is not. What part of that do you not understand?

WDAC has slightly more context than legacy SRP, but it has nowhere NEAR the context of VS. That, and you are blocking 100-200 LOLBins, not all of them (1,000s of potential), like VS.
 
ForgottenSeer 95367

Again, WDAC is functional under the latest version of Windows 11, legacy SRP is not. What part of that do you not understand?
You stated that SRP is not running on W11. It is running, and it is called WDAC. WDAC is built upon and extends the classic SRP.

WDAC has slightly more context than legacy SRP
Legacy SRP has the same context as WDAC if the proper plugins and logs are employed. It is not anywhere near as limited as you claim it to be.

That, and you are blocking 100-200 LOLBins, not all of them (1,000's of potential), like VS.
1000s of processes can be added to SRP policy within minutes - all pulled from threat research and analytics.

But that is not always required. Dependent upon the use case, if there is not an explicit allow policy, then it shall be denied.

There are also versions of SRP out there where parent-child blocking can be configured. So you can whitelist a bunch of command lines, or whitelist a single child process, and then disallow all others (*).
 

danb

From VoodooShield
Thread author
Verified
Top Poster
Developer
Well-known
May 31, 2017
1,658
You stated that SRP is not running on W11. It is running, and it is called WDAC. WDAC is built upon and extends the classic SRP.


Legacy SRP has the same context as WDAC if the proper plugins and logs are employed. It is not anywhere near as limited as you claim it to be.


1000s of processes can be added to SRP policy within minutes - all pulled from threat research and analytics.

But that is not always required. Dependent upon the use case, if there is not an explicit allow policy, then it shall be denied.

There are also versions of SRP out there where parent-child blocking can be configured. So you can whitelist a bunch of command lines, or whitelist a single child process, and then disallow all others (*).
Even Microsoft clearly differentiates SRP from AppLocker, which was the "next gen of SRP".


"AppLocker is supported on systems running Windows 7 and above. Software Restriction Policies (SRP) is supported on systems running Windows Vista or earlier. You can continue to use SRP for application control on your pre-Windows 7 computers, but use AppLocker for computers running Windows Server 2008 R2, Windows 7 and later. It's recommended that you author AppLocker and SRP rules in separate GPOs and target the GPO with SRP policies to systems running Windows Vista or earlier. When both SRP and AppLocker policies are applied to computers running Windows Server 2008 R2, Windows 7 and later, the SRP policies are ignored."
 
ForgottenSeer 95367

Ummmmmm, yeah, they still rely heavily on sigs, and ML/AI did not happen until 2015 or so. Just answer the question.
The above statement "ML/AI did not happen until 2015 or so" is not factual.

ESET started development of ML algorithms in 1990 and deployed its initial neural network utilizing ML in its backend back in 1997.

"ESET has been working with machine learning algorithms to detect and block threats since 1990. Neural networks were added to ESET product's detection engine in 1998."

source: Machine Learning

source: Machine learning by ESET: The road to Augur

Other vendors deployed ML in their backends throughout the 1990s. There's no need to provide the dates for other vendors. It is sufficient to just provide ESET's ML dates.

At this point it just feels like Dan is sneakily advertising his software in the form of a discussion, especially as he's avoiding questions.
He did not fact check. That is for certain.
 
ForgottenSeer 95367

We unfortunately are not afforded the opportunity of knowing what attacks we are going to experience.
You cite the very reason that Microsoft created SRP and how security policymakers recommend it to be used; when the attack context is not known, then it is common sense and expedient to block by default, even blocking globally. Back then Microsoft stated it was not possible to intercept it all, analyze it all, classify it all in order to separate benign from malicious actions. Breakages will happen, they are few and far between and easily fixed with allow exceptions. Other security policymakers within the IT security industry embraced these simple concepts. They showed enterprises how default-deny as a matter of course is one of the best protection models, and the rest is history. SRP was widely adopted and now is a part of the enterprise security paradigm in all of its forms.

In my opinion, the best way to handle this rule is to include context, so that it is blocked when it needs to be blocked, and auto allowed when it needs to be allowed. For example, if a non-risky whitelisted app launches a cmd script, should it be blocked or not?
Emsisoft incorporated this type of context-based security in its behavior blocker back during its Mamutu era. If an admin entered a script within a console or executed it from a script file, then it would not be blocked. If the same script were launched by a suspicious or known malicious process, then it would be blocked. This is on top of the behavior blocker parsing the command line, analyzing it, and blocking it if the admin did not know they were executing a malicious script.

Context, within your meaning of the word, has been used by all the security software vendors for well over a decade. Solving this problem:

1. Malware uses PowerShell
2. Your utility to tweak Microsoft Defender uses PowerShell

primarily improves usability, albeit marginally. It also improves security if it takes decision-making away from the user, based upon the presumption that the contextual analysis is correct.

Simply blocking "unsigned processes, unknown signers", etc, is NOT zero trust. Sure, OSA will harden the system to a certain extent, but it is far from zero trust.
"Zero Trust" is a protection model that assumes the network segment and everything connected to it is always at risk to internal and external threats. It is a protection strategy that has nothing to do with whether or not a security software uses context within your meaning of that word.
 
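To make the two policy ideas in this thread concrete, the following is an added example, not code from the thread, from VoodooShield, Emsisoft or Microsoft: a small model of a default-deny application-control policy with parent-child rules for script hosts and LOLBins (the "whitelist a single child process and disallow all others" configuration described a few posts up) plus the context check from the post above (a script is allowed when an expected parent launches it, blocked when an unexpected one does), with an audit mode that records what would have been blocked so breakages can be turned into allow exceptions before enforcing. The rule format, the LOLBin list, the publisher names and every launch event below are constructed for the demonstration and are not a real SRP or WDAC policy.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed sample of script hosts / LOLBins: denied unless a parent-child
# rule or an explicit command-line exception allows the launch.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "mshta.exe", "regsvr32.exe"}


@dataclass(frozen=True)
class LaunchEvent:
    image: str                # file name of the process being started
    parent: str               # file name of the parent process
    signer: Optional[str]     # publisher from the Authenticode signature, or None
    cmdline: str = ""


@dataclass
class Policy:
    trusted_signers: Set[str] = field(default_factory=set)
    # child image -> parents allowed to launch it (hypothetical rule format)
    parent_child_allow: Dict[str, Set[str]] = field(default_factory=dict)
    # exact command lines allowed as explicit exceptions
    cmdline_allow: Set[str] = field(default_factory=set)
    audit_only: bool = False  # record instead of block, to find breakages first


def evaluate(policy: Policy, ev: LaunchEvent) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'audit'."""
    image, parent = ev.image.lower(), ev.parent.lower()

    if image in LOLBINS:
        # Parent-child context is checked before the publisher rule, so that
        # trusting the OS signer does not let a document reader spawn a shell.
        if parent in policy.parent_child_allow.get(image, set()):
            verdict, reason = "allow", f"{image} launched by allowed parent {parent}"
        elif ev.cmdline in policy.cmdline_allow:
            verdict, reason = "allow", "command line explicitly allowed"
        else:
            verdict, reason = "deny", f"{image} launched by non-allowed parent {parent}"
    elif ev.signer is not None and ev.signer in policy.trusted_signers:
        verdict, reason = "allow", f"signed by trusted publisher {ev.signer}"
    else:
        # No allow rule matched: default deny.
        verdict, reason = "deny", "no explicit allow rule (default deny)"

    if verdict == "deny" and policy.audit_only:
        verdict = "audit"  # would have been blocked; logged, not enforced
    return verdict, reason


def sample_policy(audit_only: bool = False) -> Policy:
    """Constructed policy: trust one publisher, allow two parent-child pairs
    and one exact maintenance command line."""
    return Policy(
        trusted_signers={"Microsoft Windows"},
        parent_child_allow={"cmd.exe": {"explorer.exe"},
                            "powershell.exe": {"services.exe"}},
        cmdline_allow={r"powershell.exe -File C:\Scripts\cleanup.ps1"},
        audit_only=audit_only,
    )


SAMPLE_EVENTS = [  # constructed launch events, not real telemetry
    LaunchEvent("cmd.exe", "explorer.exe", "Microsoft Windows"),
    LaunchEvent("powershell.exe", "winword.exe", "Microsoft Windows",
                "powershell.exe -NoProfile"),
    LaunchEvent("powershell.exe", "taskeng.exe", "Microsoft Windows",
                r"powershell.exe -File C:\Scripts\cleanup.ps1"),
    LaunchEvent("notepad.exe", "explorer.exe", "Microsoft Windows"),
    LaunchEvent("update.exe", "explorer.exe", None),
]


def run_sample(audit_only: bool = False) -> Dict[str, str]:
    """Evaluate the sample events; result keys are 'parent>image'."""
    policy = sample_policy(audit_only)
    results: Dict[str, str] = {}
    for ev in SAMPLE_EVENTS:
        verdict, reason = evaluate(policy, ev)
        results[f"{ev.parent}>{ev.image}"] = verdict
        print(f"{verdict:5} {ev.parent}>{ev.image}: {reason}")
    return results


if __name__ == "__main__":
    run_sample(audit_only=True)   # audit pass first, to collect exceptions ...
    run_sample(audit_only=False)  # ... then enforce the same rules
```

The order of checks is the design point: the parent-child rule is evaluated before the publisher rule, so a trusted-signer rule for the OS cannot be used to let a word processor launch PowerShell, while the same PowerShell binary is still allowed when a service or an explicitly listed command line starts it. Running the audit pass first is the cheap way to discover the "few and far between" breakages the post mentions and add them as allow exceptions before switching to enforcement.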

ScandinavianFish

Level 7
Verified
Dec 12, 2021
319
There's also this G-Data blog post that single-handedly destroys the whole "traditional/signature based/pattern based AV" marketing claim
 

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Hello to all,

I am very narrow minded when it comes to Security. Probably even seeing this in a unique way because of my mindset (Corp. Admin. / Instructor / Exam Coordinator / Security Officer):

(Oversimplified Corp. Use case)
1. User Training
2. Controlled Phishing Campaigns
3. Re-Train Users
4. Manageable Browsers (For me it is Edge Chromium - GPOs)
5. Multilayer Approach (Firewall - Segmentation - Endpoint Protection - Configuration OS - Configuration Applications and so on...)
6. Micro Segmentation for Resource access
7. and lots more...

(Home Use case)
1. User Training <- This is one point where people hear that stuff like "Phishing" exists but cannot comprehend what it truly is! <- There are German programs that highlight the issue, but who will volunteer for training? ( DsiN-Digitalführerschein (DiFü) )
2. Consumer Setup - Home Network <- This is a total nightmare <- ISP routers with preconfigured logins and almost no security! <- Prosumers at least try, with the knowledge they have gained, to set up something secure, but must rely on trustworthy information. (If not from the IT)
3. Bloatware from OEMs / Bloatware from OS [Windows] < Microsoft <- How should a user react to that?! (Companies do not advise home users on the risks involved on the internet!)
4. Security companies overloading their security suites with additional services!!! (And even NAG if services they want to push have not been bought!)
5. The future looks grim, and when more sophistication comes in, there will be a point where even the Internet is segmented! (User and Corp.) (User net full of ads and shady stuff -- business net streamlined for B2B and offering integrated security measures / access for the 1% to have a clean, fast experience)

Sad to see this is going that way... -.-

Sincerely
Val.
 
