8 Dirty Secrets of The Security Industry

Joshua Corman from IBM ISS had a great presentation at Interop “Unsafe at any speed the 7 dirty secrets of the security industry” which has been receiving strong media coverage (here), and (here)…my favorite reference is from Alexander Wolfe at Information Week (here)

An IBM security expert ripped the scab off the dirty little secrets of the security industry in a highly entertaining presentation Wednesday at Interop. Joshua Corman, principal security analyst at IBM Internet Security Systems, highlighted the gaping divide between what customers think they’re buying (safety) versus what security vendors are most intent on selling (stuff that’ll bring in the bucks). Here, in condensed form, is his list.

#0 Vendors do not need to be ahed of the threat they only need to be ahead of the buyer

The goal of the security industry is not to secure, the goal of the security industry is to make money. I think we all know this conceptually, and even with the best intentions in our capitalistic society we must understand that security companies are motivated by profits. This isn’t necessarily a  bad thing, but it should help to dispel the myth that security companies are smarter than hackers, they aren’t, they are just  smarter than the buyers.

#1 AV certifications do not test/require trojans

AV certifications are BS, they are essentially the AV industry’s equivalent of duck, duck, goose as vendors move up and down the rankings from one test to another – who gives a crap if in test 1 AV vendor A detected 98.4% and AV vendor B detected 95.7% and AV vendor C detected 97.6% and then in test 2 it all chagnes, especially when they are not testing their ability to detect the really nasty, stealthy, sophisticated non-replicating malcode that iz in yur bits stealin yor bytes.

BTW – Kurt Wismer is pretty passionate when it comes to Anti Virus, he is like the Guardian Angel of anyone who would dare to speak ill of the poor, defenseless AV companies. He recently posted on why the AV vendors were NOT falling behind using an “dog shit” analogy (here)- classy, professional, and uncomfortably hilarious. Honestly I am not sure what the hell he is talking about, but I am sure he will post his thoughts in triplicate soon 🙂

#2 There is no perimeter

The endpoint is the perimeter, the user is the perimeter, the business process is the perimeter, the data is the perimeter – the perimter is not the perimeter. Those who decry securing the endpoint and espouse the virtues of network security obviously do not care about the importance of protecting the ever increasing intermittenty connected, remote computing devices that move in and out of the corporate network like a transient looking for a warm underpass to sleep for the night, all the while bypassing perimeter and network security.

So why should we care if we do a really good job of protecting critical assets with the latest network security thingie? Well ask yourself if confidential data ever makes it’s way onto mobile devices, smart phones, handhelds and laptops – no, you say – really? nothing confidential in email? Bob in accounting doesn’t ever download propritery information to work with over the weekend? Your engineers only access source code from the security of Ninja-proofed, tempest shielded, lead walled closet surrounded by an army of M16 wielding bodyguards?

#3 Risk management threatens vendors

Risk management forces an organization to focus, to move towards policy driven proactive security and away from reactive, ad-hoc security models that drive knee-jerk secuity buying. Security vendors love knee-jerk security buying (see dirty secret #0)

#4 There is more to risk than weak software

There is a myth in information security that postulates the theory that if all software was secure we would eliminate threats – this would be true only if we didn’t allow computers to be turned on, connected to the internet and people were not allowed to use them, but they weren’t really designed for that. We all know there is no patch for human stupidity and social engineering is one of the easiest ways to infect a box, so the never ending cycle of vulnerability disclosure -> scan -> patch -> rinse and repeat keeps us locked into a never ending hamster wheel of misaligned goals and mismatched expectations.

#5 Compliance threatens security

When I was with Gartner we would publish a Cyber Threats Hype Cycle and for many years we placed Regulatory Distraction as a threat to enterprise security. The thinking was that being compliant doesn’t = improving security, whereas implementing strong security measures would generally make one compliant. Although we have made strides in defining more prescriptive compliance initiatives many organizations work to pass an audit as opposed to work to implement controls that actually benefit the organizations security program.

#6 Vendor blind spots allowed storm

Storm eats AV for breakfast, it doesn’t need vulnerabilities, it leverages outstanding social engineering, it is self-defending and resilient…

  • Warning: Pregnant women, the elderly and children under 10 should avoid prolonged exposure to Storm.
  • Caution: Storm may suddenly accelerate to dangerous speeds.
  • Storm contains a liquid core, which, if exposed due to rupture, should not be touched, inhaled, or looked at.
  • Do not use storm on concrete.
  • Do not taunt Storm

Microsoft did not kill storm worm (here), it is still out there lurking in the shadows like a malicious interloper (here) waiting to ridicule your inadequote reactive security measures and laugh at your inability to remove it from the internets.

#7 Security has grown well past “Do it yourself”

The days of dropping in a box and flipping a switch are long gone, we are in an era where the combination of people, process, and technology must be coordinated and well planned or you not only risk a failed deployment but the loss of business or worse.


5 thoughts on “8 Dirty Secrets of The Security Industry

  1. re: #1

    one more reason not to give the certifying bodies much heed, i guess (as if the fact that vendors have to pay to be tested and get mulligans isn’t reason enough)…

    some testing bodies (av-comparatives and av-test) do use non-replicative malware in their tests, but they don’t really do ‘certification’…

  2. Nice post!

    #0- A subtle but necessary difference!
    #2- Unfortunately, I disagree, there will always be a perimeter of some sort or other. It’s just not the easy, single network perimeter fence we knew in 1995. But we still maintain lines, differences in trust, and access. Those create perimeters… I think anyone still maintaining there is no perimeter has too rigid and archaic a definition of perimeter. (Besides which, I still think plenty of orgs can get by with the 1995 perimeter yet…)
    #5- Amen. 😦
    #7. DIY to a geek like myself means running Snort instead of an appliance that does it for me. That DIY is still viable. I think you mean the security department can’t do it alone anymore. 🙂

  3. 0, 3 & 5 are so close to the truth it is painful – as security pro’s this is the reflected reality of the corporate world that we inhabit

    Truth is often stranger than fiction….

  4. Pingback: The 11 Worst Ideas in Security « Amrit Williams Blog

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s