Recently during a talk at Interop, Joshua Corman, security strategist for IBM/ISS, offered up “7 dirty secrets" in the security industry. The talk, titled “Unsafe at any speed: 7 Dirty Secrets of the Security Industry,” was aimed at explaining why companies should have a “healthy level of skepticism about what security vendors are trying to tell you” when evaluating your business’s needs.
Image caption: Security vendors offer comments on Network World article. (Image: J. Anderson)
Network World covered Corman’s talk quite well. However, while listing the seven points (dirty secrets), the coverage was missing something: rebuttals or comments from security vendors. The Tech Herald, wanting to add some insight, contacted several vendors and asked for comments or rebuttals.
The comments are offered as is, and for the most part all of them are direct and to the point. The objective is to offer business and IT staffers a chance to see not only the “7 Dirty Secrets,” but also where some common security vendors stand on them.
The following pages contain each “secret” as described by Corman and Network World, followed by the responses that Tech Herald received. Not all vendors responded to every point, so some points have more commentary than others. Again, this was simply a chance to add more to the original Network World article and provide a counterpoint on the topic for companies doing research.
While not offered to the vendors as an issue to respond to, the first item that leads the Network World story was this line: “The goal of the security vendor is not to secure, it’s to make money.” Corman offered that as his “zeroth” secret.
To respond to this, Tech Herald simply argues: name one company, security or otherwise, that tells you it is not out to make money, and we can write pages on why this company is full of lies. Every company, even a security vendor like IBM, is out to turn a profit. This is why we have “for-profit” and “not-for-profit” business licenses.
How effectively you, as an administrator or executive, can separate fact from fiction depends largely on how well-honed your vetting skills are. If a company simply looks at one vendor to determine its security needs, then that company is missing several opportunities to learn and research. Recently, technology news has mentioned vendors selling “snake oil” to companies, with charges that most if not all of the “solutions” they sell are worthless. This is true, but little to no credit was given to the business manager at the company who gets to sort through the offerings and start the vetting process before a vendor is picked to supply any type of security product.
There are “snake oil” vendors, but there are also administrators and managers in IT who are smart enough to see them for what they are. True professionals know there is no single cure for security-related problems. If there were, then security news would only talk about one company and a single threat.
Antivirus certifications are misleading.
Secret number one concerned antivirus certifications. Corman said they are misleading. AV certifications confirm that a product blocks one hundred percent of replicating code. The catch, Corman said, is that roughly seventy-five percent of the malicious code hitting the network is non-replicating. “Certification means [the AV offering] caught 100% of 25% of the bad stuff,” Corman said.
Mark Bower, Director of Information Protection Solutions at Voltage, said that companies should immunize, rather than struggle to tactically defend growing and morphing enemies.
“Whilst virus management has its challenges, including concepts like blocking, another technique to protect information from Trojans which are often aimed at stealing data, is to immunize the data -- that is, treat the data such that even if a Trojan accesses it, the data is useless.”
This is not to say that virus management and detection should not be done, “Of course, it's still a best practice,” Bower said. “However, data-centric views (protecting information at the data-level … not the container-level), is an emerging technique that can be equally as effective at protecting data from Trojans and human attacks.”
Amir Lev, CTO of Commtouch, agreed with Corman’s first point. “I totally agree. Also - most AV certifications are done a posteriori - sometimes weeks after the Malware has been out, so the tests might show that the AV is blocking a Malware - but in fact it was not blocked during the attack at all.”
There is no perimeter.
The second “secret” is that there is no “perimeter,” or rather, vendors say that the network perimeter must be defended, but most data that is actually lost doesn't go through the firewall. Corman pointed out that most breaches happen through theft or loss of storage media (hard drives or USB keys).
“Most vendors talk about "defending the perimeter" against Malware, spam etc. - which is a must. However, the fact that data can be lost or stolen is a separate issue that should be covered by DLP, security procedures, and so on. It has nothing to do with the perimeter protection,” Amir Lev said.
"There still is a perimeter to be defended - which is why nearly all organizations still use firewalls. The challenge is that as we've become more and more reliant on information systems and computing resources in the course of doing business, we allow a much higher potential for threats inside the perimeter," says Frank Andrus, CTO of Bradford Networks.
"Employees use laptops and PDAs both inside and outside the perimeter, so you have to assume that what those devices are exposed to outside will be brought inside. Business partners, contractors, guests, and other non-employees are routinely allowed to connect from inside the perimeter these days, so you're now adding threats associated with users and devices that may be unknown to and/or unmanaged by your organization. And, yes, the 'portability' of storage media like external hard drives and USB keys adds to the challenge of protecting sensitive data," Andrus adds.
Mark Bower agrees pointing out that, "Data is the perimeter."
"Whilst many enterprises struggle with the gap between the boundary of control and the ever expanding domain in which business data is shared, where traditional perimeter controls don't apply, a data-centric view (a contemporary view from leading analysts such as Forrester Research and 451 Group) is that the data itself is the perimeter. That is, protect the data in the first instance and thus the protection travels with the data itself. Data is exposed only under permitted circumstances, and this is enforceable throughout the lifecycle of that information. This approach eliminates the need to continuously define, monitor, and manage a traditional perimeter, and allows the extended enterprise to retain control over its data irrespective of location," Bower adds.
A third expert, Steve Lauberstein from PKWare adds, "In today's business world, in order to enhance business growth, data often needs to be exchanged with external employees, business partners, and even customers. That cannot be done within a "perimeter" as traditionally defined, unless your business partners and customers are forced to come into your perimeter, and then only to view the data. Ultimately, what needs to be protected is the data itself. Persistent security that always stays with the data, regardless of how it is transmitted or stored, will fill the gaps created when sensitive data leaves the "traditional" network perimeter."
"The growing number of threats and potential vulnerabilities is exactly why "layered security" and "defense-in-depth" approaches are the most effective. There is no one threat, so there is no one ideal security solution. So, we still need firewalls to defend the perimeter. We need anti-virus and anti-Spyware applications to prevent the spread of known Malware threats. We need IPS and Network Behavior Anomaly Detection (NBAD) solutions to protect against zero-day attacks and malicious hacking. We need Network Access Control (NAC) solutions to secure access to network resources and enforce usage policies on the network. This is what "layered security" and "defense-in-depth" are all about," Andrus summarizes.
Risk analysis threatens vendors.
The third secret is that risk analysis threatens vendors. “You need to understand the environment and the big priorities,” Corman says. The idea is that vendors are threatened because if a company’s risk assessment does not cover their product’s threat among its top business needs, then that product is of little or no value to the company. “Security vendors want businesses to buy what they sell, so they push specific products to block specific threats. NAC, for example, might solve a real problem. But if the problem doesn’t have a major impact on the company’s top three business priorities, it probably doesn’t need to be addressed,” Corman adds.
Mark Bower responded to this point, "Vendors need to adapt to risk -- not force changes to manage risk or push square peg in round hole solutions."
He adds, "Risk analysis is a proven technique to discover threats. Mature methods and frameworks like ISO 17799 prove this, and the outcome of risk assessments should be twofold: to develop a risk convergence strategy to bring groups of threats under one manageable process, and to serve as a tool that allows experts in the enterprise to illustrate to executive management what the utmost risks are to revenue generation, stability, and reputation. I would challenge vendors to provide greater agility and adaptability in risk management and security solutions as we do with our core technology. For too many years, vendors have touted technology for technology's sake, forgetting the way business happens. Just look at classic PKI -- great technology, but it bends business processes out of shape and impedes business."
The trend in security, to be fair, is that larger IT shops treat security as a process within the business. However, smaller companies are still looking for the silver bullet, and often look at risk assessments as a way to cover the company with a blanket security policy. These companies are the ones who need the most help with security.
There is more to risk than just weak software.
The fourth point Corman made is that there is more to risk than just weak software. "If software were perfect, we'd still have viruses, Trojans, etc., that don't need software flaws to work," Corman says. Corman was referring to the vendors who push products aimed at protecting against vulnerabilities at the software level.
"True. Software vulnerability is just a single aspect of Malware penetration. Human faults (social engineering tricks) are no less important. (and there are many other options for data leakage)," Commtouch CTO Amir Lev said.
"This is partially true. Risks also come from complexity. The more moving parts, the more possible failures, more complex testing, and increased vulnerabilities. Look at legacy key management systems that have to manage millions of keys. Data loss, software failure, scale limits, and other classic I.T. problems quickly rise to the surface. Simplification at core architectural level can improve the natural robustness of systems. This is evident with stateless key management -- data loss is avoided as there are no moving parts, so vastly easier to manage, build and expand on, and scale limits don't apply as there is no growing state to manage," Mark Bower added. "New technologies like IBE (Identity-Based Encryption) can thus replace more complex and cumbersome systems and reduce risk accordingly."
Rishi Bhargava, director of product management at Solidcore Systems said, "Corman is correct in highlighting the fact that the latest security breaches are nothing to do with weak software. Taking the argument further, the traditional approach of having signatures to identify viruses, trojans etc., does not work either, as every unknown software could potentially be a trojan. Imagine a targeted attack against a big company where an insider could be involved (this is not unheard of). In such a scenario the only form of security that works is based on whitelist approach where the known image is locked down and everything else is unauthorized."
Compliance threatens security.
The fifth point Corman made, that compliance threatens security, earned the most comments. Corman said that meeting standards such as PCI or HIPAA is not enough to keep a network secure. “The problem is that regulations create a budget and resource conflict between what compliance demands and what network executives think really needs doing to best secure the business it supports.” Corman also pointed out that compliance can inform an attacker what defenses are present, because the required controls are spelled out in regulation.
Trey Ford, director of solutions architecture at WhiteHat Security, comments, "Overall, Tim Greene's [Network World reporter not associated with The Tech Herald -ED.] brief of Joshua Corman's presentation does a solid job of discussing the very real need for, "a healthy level of skepticism about what security vendors" communicate."
"The fifth 'dirty secret' in his article states that "compliance threatens security.” While I personally didn't see the presentation, Tim alludes to Joshua speaking on the 'check-list' mentality of organizations that exhaust resources and budget pursuing the 'approval' of some mythical auditor, and I see this as a rather narrow view. All men may have been created equal, but data certainly was not. Compliance requirements are created by groups interested in a specific dataset. HIPAA was enacted by the U.S. House of Congress back in 1996 to ensure the protection and privacy of patient records. Visa and MasterCard have led the Payment Card Industry in the charge for industry self-regulation in an effort to protect consumer data and payment channels," Ford continues.
"The prescriptive control set called for by each regulatory body serves as a baseline for what they require to protect the data set in discussion. This is a starting point for corporate discussion. If disinterested executives are focused on only sliding by, it is easy to consider regulatory compliance as a threat to security. I submit that in the same breath these executives would likely not have sought any form of security had compliance not been in the picture. Regulatory compliance has served the security industry by forcing corporations to take a long look at how to find threats and systematically eliminate them, and how to ensure this isn't a one-time event. Compliance has supported information security in the boardroom," he concludes.
"This could not be further from the truth. The compliance requirements have come because of weak security, poor controls, arbitrary and non-standard ways of managing risk. Very few compliance standards, if any, specify a given approach, and quite simply, without the stick of compliance we would be in a far worse state of affairs. Criminals and well-funded hackers don't sit still -- they are actively in pursuit of information as data is now monetized. Standards like PCI show enterprises what criminals already know -- credit card details have value and have to be protected. Most protection guidelines are in-line with best practices and often change to adapt the best approaches. Encryption in PCI, for example, and robust key management," Mark Bower says.
"Risk does, however, exist in cases where compliance is a simple checklist -- a product sitting on the shelf "to be installed some day,” or a mishmash of unmanageable point solutions, or solutions that only cover one small corporate area, leaving the virtual front door open. Any enterprise that attempts to manage security by obscurity, by assuming their data is so obtuse nobody will find it, is asking for a worst-case scenario -- an attack and breach, possibly without detection. Encryption, defense-in-depth strategies, and managing risk have been around long before PCI or HIPAA, so suggesting that being compliant with one makes you more vulnerable seems contrary to common sense as well as years of proven best practices. It should be noted that security is about prevention," Bower adds.
Stephen McCalmont, Chairman and CEO of Avior Computing, comments, "While we agree with both points, there is a lot more to the story. Regarding meeting standards not being sufficient to ensure security, this is true. The HIPAA security standards are almost ten years old at this point, and there are numerous new threats and vulnerabilities that exist today that are unaccounted for in the HIPAA standards. The PCI standard is much more current, but gaps can exist between what is specified in PCI DSS and what should be implemented as a best practice based upon today's threat environment. The Hannaford breach is the perfect example of this. The answer lies in proactive risk assessments of the organization, and the development of a best-practices control set that includes the relevant standards and compliance regulations, plus those that the organization's management deems necessary to counter relevant risks and threats."
“On the second point, Mr. Corman is correct to a point. Knowing the compliance regulations that affect an organization can possibly tell an attacker what the minimum controls that are in place might be. However, the assertion is a little weak. Many organizations understand that the various compliance regulations are neither sufficiently detailed, nor current enough to ensure (by themselves) adequate security. These organizations will likely have implemented controls that are well beyond what is specified in each regulation,” McCalmont adds.
“Avior's view is that the answer to both questions really lies in developing a unified compliance and risk management process that maps relevant regulations and standards to a common control set. This control set will likely have numerous best practices controls specified that are well beyond what is found in any one regulation. Perhaps most importantly, an assessment process must also exist that allows for easy and regular assessments to ensure compliance to the unified framework.”
Kishore Yerrapragada, CTO of embedded products at Solidcore Systems, adds, "As of today, most of the compliance rules (whether it is PCI or SOX) are open to interpretation. These interpretations (made by auditors and IT) take the path of least resistance, or the easiest path, when implementing them on IT systems. This approach gives a very false sense of security to the organization. A false sense of security is worse than not having any security at all. Most of the recent problems we are seeing and hearing about in the retail industry can be attributed to this approach."
"Organizations hit by stolen credit card problems in the recent past had all met PCI Compliance, but that didn’t make them completely secure. Compliance requirements and penalties force organizations to be more focused on simply “meeting the deadlines," rather than continuous maintenance of security guidelines. Secondly, compliance requirements are more like anti-virus definitions; they are only playing catch-up to the trends in attacks. This gives a huge window of opportunity for any attacker. Organizations have to approach security as security and then, as a side product of having security, meet the compliance requirements," Yerrapragada adds.
Vendor blind spots allowed the Storm Worm outbreak to happen.
Corman’s sixth point was that vendor blind spots allowed the Storm Worm outbreak to happen. Corman contends that corporate defenses, which check the behavior of various network devices, can spot a machine that has been taken over by a botnet. However, there is no such protection for consumer networks. “Storm recognized the biggest blind spots in antivirus and exploited them, and Storm employs great social engineering,” Corman says.
Bower comments, "This also depends on how consumer information is managed. With more and more consumers online, I agree this threat is entirely real. However, new SaaS security models aimed at consumers, put data-centric protection technologies into the hands of consumers, where there’s no complexity or training required. I therefore see this trend changing as the data-centric approach extends from the enterprise to consumers. Indeed, in many cases enterprises will use the same standard technique as can be used directly by consumers -- a convergence of putting "enterprise power" in the hands of the ordinary person on the street, if you will … and at such a price point that it's a no-brainer."
“Consumer networks are always more vulnerable than corporate networks; this is not the vendors' blind spot. The Storm Worm got through most AV solutions in the corporate sector as well, because traditional AV engines are not capable of blocking multi-variant, zero-hour, massive Malware distribution,” Amir Lev adds.
Security has grown well past do-it-yourself.
The seventh and final secret on Corman’s list was that security has gone well past do-it-yourself: security is so complex that no company can do it alone, and it will need the help of security vendors to secure the network. “It’s not enough to have the right tool. It needs to be installed and configured properly for the environment,” Corman says.
"There's no question that security can be complex, and one organization may not have all the resources or knowledge needed to solve all of its security challenges. Security vendors should absolutely be counted on to provide expertise and to support customers in securing their networks - it's just part of a good business relationship. At the same time, a good security solution should help to reduce complexity and automate things as much as possible, so the business can focus its resources on its most important issues. That's the type of relationship you want with any vendor, not just a security vendor," offers Bradford Networks CTO Frank Andrus.
"This I would agree with - the scope and set of risks and threats is vast and varies by system and type. However, bringing this back down to something that is manageable - in defining the scope of risk - requires new approaches, such as a data-centric security model. If security can be applied to data in such a way that it lives with the data wherever it goes, then the scope of the challenge of managing risk is vastly reduced. ...After all, we are already seeing this with IBE emerging as the preferred approach in securing content with a huge number of OEMs, such as Microsoft, building it into core platforms," adds Mark Bower of Voltage.
"When an enterprise decides to offload the functions of data protection and security enforcement to a third-party vendor, they must realize both the advantages and risks associated with such a decision. It is easy to rationalize that vendors offering outsourced security services [are believed to] possess a higher level of security expertise and [hopefully] have superior insight into a broader knowledge base of threat characteristics and risk exposure. More progressive enterprises have realized that while some IT functions can be satisfied through tactical outsourcing contracts, the strategic functions of information security are best performed in-house by well-trained resources who understand not only the fundamental principles of securing an enterprise but fully appreciate the benefit to the entire organization. While certain tasks associated with security enforcement, such as vulnerability assessment or compliance analysis, might be satisfied by third-party service bureaus, the more strategic functions are best accomplished with qualified staffing and an effective set of security tools," Michael Leland, CTO at NitroSecurity, said.
"If "Information is Power," as the old adage implies, then it stands to reason that information security is paramount to the strength and growth of today's forward-thinking organizations. Realizing this advantage will require enterprises to carefully select those strategic security processes best performed by in-house resources and those tactical functions that can be outsourced. To the extent these internally performed functions can be automated, each information security role should have a complementary tool to perform such critical tasks as complex correlation, real-time event forensics, historical incident analysis, and risk assessment for regulatory compliance. With the proper mix of advanced security instrumentation and a staff of capable security professionals, enterprises can maintain the exceptionally high standard of information protection required in today's environment without offloading critically strategic functions to third-party entities who may not fully appreciate the ancillary customer value or direct operational impact of information security decisions," Leland added.
There was an eighth point, submitted by Dr. Phyllis Schneck, vice president of Research Integration at Secure Computing. “Nothing is ever secure. No security product can provide one hundred percent protection; sometimes you don't know what you don't know. However, the proactive use of security intelligence, coupled with awareness and risk mitigation tools, provides the best and most reliable business protection."
Mirroring the point made by Trey Ford at WhiteHat Security, the Network World coverage of Corman’s talk was great. The comments here add another perspective to the original talk. They should be treated as presented: commentary on the subject by the vendors themselves.