Flaws in Evaluating Security Tools for Linux


Carbon Black recently published a report on the challenges of securing Linux-based operating systems and how Carbon Black is redesigning the approach. For more information about how the Cb Predictive Security Cloud, Carbon Black’s consolidated endpoint security platform, helps enterprises cut costs and realize significant business benefits, check out our webinar The Business Benefits and Cost Savings of Switching to the CB Predictive Security Cloud.


We can define our collective perception of what security is by investigating the questions we ask about the tools we use. To evaluate Windows security tools, two questions rise to the top:

  • Does this tool protect my system from viruses and other malware?
  • Does this tool support my version of Windows, now and in the future?


These certainly are important questions and highly valuable when assessing Windows security tools. When a tool designed to meet these criteria on Windows is ported to Linux and presented as an equivalent solution, we assume, often implicitly, that the questions we want answered are also equivalent. However, there are several flaws in using these questions to evaluate Linux security tools.

  • PROJECTING THE IMPORTANCE OF CHARACTERISTICS IN WINDOWS SOLUTIONS TO LINUX.

    The primary question we need to ask to evaluate a tool for Windows is: Does this tool protect my system from viruses and other malware? This question matters for Windows machines because we know viruses and malware are a significant threat to them. If malware is a significant threat to a system, it makes perfect sense to weight malware protection heavily in a security solution. However, because Linux machines are typically critical assets that don’t regularly leave your environment, malware can be managed without the need for cumbersome tools. Malware certainly exists on Linux, but nowhere near the volume or variety of malware on Windows. ‘Bad things’ on Linux are almost exclusively fileless, meaning traditional file-scanning solutions are ineffective and introduce unnecessary performance impact. By accepting a Windows security model on Linux, we implicitly weight malware protection disproportionately high, even though we may know Linux malware is relatively scarce compared to Windows.

  • A SUFFICIENT ANSWER ON WINDOWS IS NOT NECESSARILY SUFFICIENT ON LINUX.

    On Windows, we also want to ask: Does this tool support my version of Windows, now and in the future? This question can be answered sufficiently if the security tool releases updates at the same pace as a fairly small selection of Windows versions you might use, typically quarterly or semi-annually. This is a perfectly appropriate answer for Windows because the release schedule is regular and relatively infrequent. With a quarterly release schedule, the tool would almost always be up-to-date. This is not the case with Linux. There are many different distributions with wide variation and independent release schedules, some of which include new releases every night. Given the pace of Linux development, a quarterly or semi-annual release schedule would result in a security tool that is almost always out of date.

  • THE IMPACT OF SECURITY SCANS IS NOT EQUAL ON WINDOWS AND LINUX.

    By promoting the Windows approach to security on Linux, vendors are saying that the impact of running the tool is acceptable in both environments. On Windows, the effects of a security scan range from unnoticeable to somewhat bothersome. Typically, users on Windows desktops are not utilizing all of the machine’s resources, so a security scan can temporarily borrow some of the unused resources without significantly impacting the productivity of the user. However, Linux is not typically running on desktop machines. It’s powering servers, which have likely been tuned and optimized to run mission-critical applications and workloads. On production servers, unused machine resources are a waste of money, and most organizations will do everything they can to maximize resource utilization. With little to no unused resources, a security scan will encroach on resources already in use and degrade the performance of those mission-critical applications. In a fileless world, scans have no effect.


The goals of this whitepaper are to bring light to the flaws with porting Windows security approaches to Linux, identify unique challenges with securing Linux infrastructure, introduce a list of questions one can use to better evaluate a Linux security offering, and propose a core set of design principles on which strong Linux security offerings can be built.



Thanks for joining us as we explore “Re-designing Linux Security: Do No Harm” our report on the challenges of securing Linux-based operating systems in the modern era. Join us next week as we continue to profile this report.

The post Flaws in Evaluating Security Tools for Linux appeared first on Carbon Black.

About Carbon Black, Inc.
Carbon Black is the leading provider of next-generation endpoint security. Carbon Black’s Next-Generation Antivirus (NGAV) solution, Cb Defense, leverages breakthrough prevention technology, “Streaming Prevention,” to instantly see and stop cyberattacks before they execute. Cb Defense uniquely combines breakthrough prevention with market-leading detection and response into a single, lightweight agent delivered through the cloud. With more than 7 million endpoints under management, Carbon Black has more than 2,500 customers, including 30 of the Fortune 100. These customers use Carbon Black to replace legacy antivirus, lock down critical systems, hunt threats, and protect their endpoints from the most advanced cyberattacks, including non-malware attacks.
