Less than zero requires intelligence

Submitted by Mike Rothman on Tue, 2006-10-24 13:28.

Kudos to my buddy Alan Shimel for coining a new term that seems to have some legs. In this epic post (here) and follow-up (here) Alan adds some clarity to this whole zero day thing. Of course, what fun would it be if I didn't weigh in on the matter? Fact is, even if it is good for ratings, I'm not going to pound on Alan for what is sure to become another horribly overused marketing term that will further confuse users and keep the PPT-heads in most security vendors working over the weekend to show how their refriger-ovens stop a less than zero attack.

Why? Because Alan is right. We do need to draw a distinction between attacks that we know about and attacks that come out of nowhere. I differ a bit on how zero-day attacks are discovered. I'm of the opinion that it's white hat folks that discover most of the zero-day attacks out there and then in good conscience report that to the vendors and work through a responsible disclosure process. Maybe that's what Alan is saying, but I'm not sure. I'm not sure I'd refer to security research as "bug testing."

I also have a small bone to pick about how effective current defenses are at stopping what he calls "zero-day" attacks: there is no patch (or signature) yet, even though the vendors know about the problem, and the alternatives, whether reputation-based (like virus outbreak filters, et al.) or behavior-based (including anomaly detection on either the host or the network), are fraught with peril from false positives and false negatives.

But that's neither here nor there. The one thing we all agree on is that if the good guys don't know about the exploit, there is a very low likelihood that you can do anything about it. Both less than zero and zero-day attacks are dangerous, that's for sure - but at least with a zero-day the vendors are supposedly working on a fix.

So what are we to do? Hold our hands up and whimper? Pray to the vulnerability gods to pass over our humble enterprise? None of which are really strategies, though they may make you feel a bit better. The answer is intelligence. Not your SAT score, we leave that to the Mensa-card carrying crowd. I'm talking about the gathering of intelligence relative to what the bad guys are up to.

This was one of the subjects of a NetworkWorld column (here) and these points are more relevant now than ever before. I got the power and usefulness of intelligence drummed into my head when I was at TruSecure. We had research guys (I'd say gals, but none were female) that would spend their entire day (and most of their nights too) penetrating hacker networks, tracking bot activity (yes back in 2003 the early botnets were forming), and trying to figure out which of the infinite number of vulnerabilities would be targeted soonest.

So the only way to really deal with a less than zero attack is to know it's coming. The only way to know it's coming is to have a spy in the bad guys' network, and candidly that is not really the purview of any end user. So you end up subscribing to a security intelligence service (if you can afford it) or maybe expect that your preferred vendor's offerings are better because they've got that intelligence underlying their product offerings.

Ultimately, I believe that security intelligence is a high-value, premium service that large enterprises buy from folks like IBM (ISS X-Force), Symantec, VeriSign (iDefense), CyberTrust or eEye. I know lots of other vendors (especially the AV vendors) have research teams too, but they are more focused on pumping out signatures once a problem is identified - once it becomes zero-day in Alan's lingua franca. Mid-sized businesses can't afford this stuff, so they'll end up picking products because of the intelligence behind them. This is an emerging differentiator that will increase in importance over the next 18 months.

The one problem I do have with the "less than zero" term is that it recalls that really bad 1980's movie depicting drug mayhem in high school LA. I'd rather think of less than zero in the context of one of my favorite Arnold movies, "The Running Man." You remember the classic quote once Ben Richards puts Subzero on ice: "Subzero: Now you are less than zero!" Now that's the way I'd like to think about these types of attacks.

Submitted by Anonymous (not verified) on Tue, 2006-10-24 14:46.

I like the "pray to the vulnerability gods to pass over" but logically they'd be "threat gods", right? And as a strategy, it is in fact really employed, as we all have seen.

Submitted by Alex Hutton (not verified) on Thu, 2006-10-26 09:29.

I would say you're right on, but sacrificing keyboard lint to both can't hurt.

Your thought process kind of begs a great question, "how vulnerable am I to this vulnerability"?

Submitted by Mitchell Ashley (not verified) on Tue, 2006-10-24 17:12.

Right on, Mike, about the behavioral IPS not being a reliable strategy for zero day. Even they recognized that failure when they did the marketing makeover as post-NAC products. I have more to say about this on my blog at http://www.theconvergingnetwork.com/2006/10/zero_day_realities_vs_fud_1.html

Mitchell