
Chapter 1

Security Appliances’ Lack of Zero Day Attack Detection

For decades, IT security detection and prevention products have been either end-user desktop software or security appliances that sit alongside network traffic (occasionally in the middle), trying to find the bad stuff but lacking the ability to find it fast enough to provide zero day attack detection.

Desktop software for prevention has long been dominated by anti-virus (AV) products. Most people have viewed AV products as necessary, but also as bloated and not very effective, giving the desktop protection model a bad name. This negative perception has recently started to shift due to modern entrants such as Cylance, Carbon Black, Tanium, and Malwarebytes.

Most security organizations are used to appliances being the workhorse for their protection needs. As such, there are many categories of detection appliances, including: Firewall, IDS (Intrusion Detection Systems), Web Security Gateways, Email Security Gateways, Web Application Firewalls, and Advanced Threat Protection.

Indeed, the major security vendors today tend to have huge appliance businesses, including the old titans (e.g., Symantec and McAfee) and the new titans (e.g., Palo Alto and FireEye). As crucial as security appliances are today, they are eventually going to die out as the technology landscape continues to evolve. They’ll continue to get less effective, pushing detection to the machines that need protection as the need for zero day attack detection grows.


Chapter 2

The Following are Nine Reasons Why the Death of Security Appliances is Inevitable:

1. Companies are getting comfortable with cloud-based security.

Organizations, including governments and large financial institutions, are getting comfortable moving many security functions to the cloud (email, web, and vulnerability management, for instance). The result is solutions that are more reliable, easier to maintain, and lower in total cost of ownership.

2. Appliances are bad for cloud-based infrastructure.

Quite a lot of infrastructure is moving to the cloud. Even Capital One has moved 60% of theirs already. FINRA, the Financial Industry Regulatory Authority, has moved ¾ of their infrastructure to Amazon Web Services. Organizations aren’t willing to pay the traffic cost or latency to hairpin out to an appliance, and vendors will try to provide “virtual appliances” within the cloud, which are an unnecessary bottleneck.

3. Appliances won’t be able to view the data required to provide zero day attack detection.

In the United States, Edward Snowden’s disclosures were a wake-up call to those who thought encrypting data across the Internet’s backbone wasn’t particularly important. Many people used to think it was unlikely that anyone would have the means and desire to listen. It turns out they were wrong. (Note that, in many other countries, the government is quite explicit about this kind of access to Internet traffic.) The standards community, in protecting against nation state attacks, is making it impossible for security appliances to rely on what is essentially a decryption back door, meaning companies will have to incur huge expense to provide both data privacy and give security appliances visibility to do detection. This is already on the horizon, with the forthcoming version of TLS, which secures every HTTPS connection.
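To make the “decryption back door” concrete, the toy key agreement below (an added illustration, not code from this page or from Capsule8) contrasts a server that reuses its long-term private key for every connection with one that generates a fresh ephemeral key per connection, as the forthcoming TLS version requires. It assumes a constructed small Diffie-Hellman group rather than a real TLS handshake, so the numbers are illustrative only.

```python
"""Why an out-of-band inspector that holds the server's long-term private key
can read static key exchanges but not ephemeral (forward-secret) ones."""
import hashlib
import secrets

# Constructed toy group: a Mersenne prime keeps the arithmetic readable.
# Real deployments use standardized 2048-bit or larger groups or elliptic curves.
P = (1 << 127) - 1
G = 5


def keypair(p=P, g=G):
    """Return (private exponent, public value) for one party."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def session_key(own_priv, peer_pub, p=P):
    """Derive a symmetric key from the shared Diffie-Hellman secret."""
    shared = pow(peer_pub, own_priv, p)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()


def handshake(server_long_term, ephemeral):
    """One client/server key agreement.

    Returns (session_key, transcript); the transcript is everything a passive
    tap on the wire observes, i.e. the two public values."""
    client_priv, client_pub = keypair()
    if ephemeral:
        server_priv, server_pub = keypair()          # fresh key per connection
    else:
        server_priv, server_pub = server_long_term   # certificate key reused
    client_key = session_key(client_priv, server_pub)
    server_key = session_key(server_priv, client_pub)
    assert client_key == server_key
    return client_key, (client_pub, server_pub)


def inspector_derive(server_long_term_priv, transcript):
    """What an appliance holding the server's long-term private key can compute
    from the public values it captured (the decryption 'back door')."""
    client_pub, _server_pub = transcript
    return session_key(server_long_term_priv, client_pub)


def inspector_has_visibility(ephemeral):
    """True if the passive inspector recovers the real session key."""
    long_term = keypair()
    real_key, wire = handshake(long_term, ephemeral)
    return inspector_derive(long_term[0], wire) == real_key


if __name__ == "__main__":
    print("static exchange readable by inspector:", inspector_has_visibility(False))
    print("ephemeral exchange readable by inspector:", inspector_has_visibility(True))
```

With the ephemeral exchange the only remaining way to obtain the session key is from one of the endpoints themselves, which is the page's point about detection moving onto the protected host.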

4. Appliances will make managing hybrid environments difficult.

Hybrid deployments (i.e., partially on premise and partially in the cloud) will undoubtedly be a fact of life in the enterprise for a long time to come. That means security teams must provide solutions for both kinds of environments. Today, while we’re still early in the adoption curve, security organizations are willing to implement different solutions to protect their cloud infrastructure and their internal infrastructure. Yet it will become a burden, more costly and more cumbersome to manage, so people won’t do it forever.

5. Appliances can’t see containers.

The DevOps movement is pushing toward microservices and containerization quickly. When multiple containers live on the same machine and talk to each other, as they frequently do today, that communication doesn’t go over the network and can never be seen by an appliance — even a virtual appliance. In addition, it’s important to recognize that appliances rely on IP addresses or host names for monitoring, but in a containerized world, containers tend to be short-lived and many containers can share an IP address. That lack of visibility means appliances are far less effective at detection for modern production environments.

6. “Detection” appliances don’t actually detect.

In most enterprises, security detection appliances are usually sitting off to the side, looking at a copy of network traffic rather than the actual network traffic. Organizations do this for many reasons: so that appliances don’t add unnecessary latency to network traffic, and so that they don’t become a single point of failure, for instance if they get flooded or have a bug. Worst of all, since it’s so hard to get high quality signal from network traffic at scale, appliances generate many false positives, which are a huge disaster for automatic response. And while traffic in the cloud can still be split off, it isn’t easy and it can come at a price.

7. Appliances are easy to circumvent.

While old-school devices (e.g., traditional Intrusion Prevention Devices) obviously sacrificed accuracy for speed, today’s more sophisticated appliances do a lot of processing on the data they see, so that they can give vastly better results, with far fewer false positives. Because they rely on emulation, an attacker has many options to detect and circumvent the emulation. Eventually, detection will move to the systems being protected, where there is no need to emulate, and there’s a much greater ability for security software to thwart an attack.

8. Appliances can’t auto-scale.

Generally, the appliances with the best detection consume the most resources. Even with a high-speed appliance, it’s generally not difficult to overload it. Once an attacker manages that, they can sneak malicious traffic through undetected. As companies embrace infrastructure that can auto-scale their applications, they will want to auto-scale their protection to improve their zero day attack detection, instead of failing open.

9. Appliances are too much work for too little value.

Finally, perhaps the single biggest problem that IT security organizations wrestle with is that they’re drowning in alerts. Generally, that’s the case even AFTER all the raw data coming from around the network goes through a best-of-breed correlation and analysis engine. This problem is due to the horrible signal-to-noise ratio in security appliances, which is going to get even worse. Instead of hiring more analysts or letting more and more alerts fall through the cracks, companies will look for detection approaches that provide much lower noise, which again pushes detection away from an appliance solution.

Chapter 3

Doomsday – when is it coming?

The confluence of encryption, cloud, and containers is making a poor situation intolerable. While alternative approaches don’t exist yet, they’re coming, and in the meantime plenty of large organizations are creating their own stopgap solutions that ignore or greatly devalue the appliance. This process will take a little longer to emerge. Yet in a few years, only the misguided will pay for a security appliance.


Don’t be one of the misguided. See how you can detect zero day attacks in real time with Capsule8.


Death of the Security Appliance