
Saturday, November 18, 2006

security battles

This spam link in eWeek shows how security seems to get worse rather than better in the larger scheme of things.

We have seen a large jump in spam, and it is getting through all kinds of filters as well. I think Bill Gates said spam would be fixed some time early this year, but the problem seems far from solved, even with a company as big and powerful as Microsoft trying to solve it.

As a company we have been in the security business since about 1993, when Windows NT was being rolled out in place of mainframes. Ever since then the security problem has either been ignored or been "about to be fixed," according to Microsoft and other vendors. Vista and IE7 are the latest vendor products that are supposed to fix the security problem. It seems the more we work on the problem, the bigger the problem gets.

Over the past few years non-security vendors added in security and said the problem was solved; it's not. Security products still must come from security vendors.

What is working? Patching remains one thing we can do to really help with security; it's a practical solution. Removing unwanted software such as spyware and out-of-compliance applications helps, as does end-user training, security configuration management, firewalls, and strong password usage. Not much is changing there, and that is why we focus on these areas: they work.

Now industry is starting to ask, "If I am spending so much on security, why am I not more secure?" I think the answer lies more in spending wisely than in just spending; there are many expensive, complicated solutions that are hard to make effective, or that simply do not work. If the answer is just to spend less, the problem will of course get worse, so it's not clear how we can go in that direction as an industry.

So what is new, and what is going to solve the problem? First, start using security products that solve the problem instead of assuming the security add-ons from your non-security product vendors are worth the high price (they are not, the industry is finding). How do you do this? Start by understanding that security is hard and there are no easy solutions, no matter what the vendors say. Ask your vendors the tough questions (including us). Second, hold your vendors accountable: understand what security products you are buying and have them prove they are effective (again, including us). There is no silver bullet; as they say, if it sounds too good to be true, it probably is.

As for spam, maybe we just need to ignore all those emails for a while, since spam prevention products are not working. But patching does work, strong passwords do work, user training does work, managing your current products does work, and removing bots and unwanted software helps (prevention is better, but given the state of the browser industry, removal is required).


Comments

People are becoming less satisfied with the return on their security dollars, and the problems are getting worse. Could it be that status quo technologies, which are primarily reactive, are just not keeping up to exponentially increasing numbers of threats?

Are incremental improvements in the same-old, same-old, really worth it? There is no silver bullet, as you say, when the technology is based on an inherently flawed design model, but to what extent are any technologies based on such a model worth a plugged nickel?

I think some of the smaller security shows are starting to wane because of this. There is nothing really innovative appearing and the whole industry is hinting of becoming stale as it collectively fails.

I do see the industry becoming a bit stale as you point out. Part of this is Microsoft entering the industry as they will give away products making it hard to develop markets, many entrepreneurs avoid markets like this.

Another part of the challenge here is the fact that every vendor added in "security" features to their lines. Features that do not really work, but that were sold as part of suites, or given free as part of other lines. Once businesses rolled out these solutions based on the trust they have in the current non-security vendors (now claiming to do security), they had already spent their budgets w/o really solving the problem.

A side effect of this is innovation being crushed, because new ideas are not listened to as much by many customers, because they believe the problem is solved by the product they just bought from their current config management vendor or whatever, or they just got a free copy of something and the boss says they need to work with it.

To your point, I recently talked to one well-known security industry expert and he believes it's all over, there are no future markets left for security innovators. I am not sure I agree with him, but I was surprised to hear it from him.

I of course still believe in the basics as applied to security: solid passwords, trained end-users, policies, patch management, out-of-band software management (spyware etc.), basic security configuration management. These are the products we sell, but that is why we build them, because I and others still believe in them. There are still some innovations to be made in these areas, mainly in ease of use on the entire network, speed, and integration with customers' processes and current products. These are more practical innovations than flashy, but they have a very positive effect. Thus far, I see no sign that the config vendors have taken over the security markets, far from it. We are seeing customers fed up with products that do not work.

If the security industry is to grow we need to continue to educate our customers on the value of picking solutions that work, and we need to continue to build solutions that work. In the past we in the industry had to work hard just to convince people to do anything with security; we are now past those days. Failing to do this, the security industry will fade away without the problem being solved. Then what happens?
