Are InfoSec vendors ‘sowing confusion’ and selling ‘useless’ products?

Security vendors are doing just swell but how much do they do - outside of selling products - to help the world become a safer place? CSO Online investigates.

As a journalist, you know the drill at media briefings. Hosted and paid-for by a vendor, and with speakers from the company - as well as (usually) an end-user or an academic, the idea is to bring journalists together with the experts to discuss the prominent matters in the industry. And if those issues and industry challenges can be resolved with one of the vendor’s solutions then everyone’s a winner.

The vendor gets the business, the press coverage and the thought leadership, while the journalist gets the story, the contacts and the free lunch. The speakers get some media air-time. It’s no surprise then, that these are usually enjoyable, if tame, affairs.

Except, on this occasion, one of the experts wasn’t following the script. Discussing mobile security, a then-consultant and now-CISO went against the grain, revealing how most enterprises could manage their devices in-house with Microsoft’s old - and not very sexy - ActiveSync. He went on to accuse the vendor community of selling ‘snake oil’ and spreading FUD (fear, uncertainty and doubt). “Vendors are part of the problem,” he said.

It was blunt, but it was interesting because it raised some pertinent questions: How much are vendors doing to make the world a safer place - and is it in their interests to do so anyway?

Are security solutions even fit to face the threat?

Almost all vendor offerings in the InfoSec space are built on fear and risk management. After all, if no one was concerned about data loss, why would anyone bother with security software?

Subsequently, millions of consumers and businesses worldwide today buy or download anti-malware tools, often in the assumption that they’ve ticked the box and made themselves secure.

Yet this ‘security’ is never guaranteed, especially in an evolving threat landscape where cybercrime-as-a-service and nation-state hackers are considered a reality. This has led some experts, including some credible if controversial names, to question if today’s security tools - like antivirus, anti-malware and DLP, are fit for purpose.

Speaking to CSO Online this week, McAfee co-founder John McAfee questioned if today’s security solutions are up to the job.

“The vendor community is largely operating under an old, reactive paradigm that no longer works. The old paradigm looks for damaging code, suspicious file transfers and malicious activities that can only be detected after a hacker first "sniffed" the system they were intending to hack. At this point, it is generally too late to avoid damage.

“Few vendors are providing proactive systems that are able to shut down the hacker within a few minutes of the hacker’s first sniff of the network. Very few vendors are addressing the rapidly growing problem of internal hacks.

“Unless we adopt, universally, a newer paradigm that recognizes that our threat vectors have migrated into a new universe, hacking will continue to escalate to the point that our entire financial and industrial complex will be threatened to extinction.”

He added that vendors “continue to delude customers by urging continued sales of useless products” and are “sowing confusion and creating much harm.”

Dudu Mimran, CTO of Deutsche Telekom Innovation Laboratories (also of the Cyber Security Research Center at Israel’s Ben-Gurion University), said there’s also an oversupply of solutions, which confuses CSOs.

“The current situation with security vendors vs customers is tricky. There is an oversupply where there are dozens of startups and companies providing different solutions based on different concepts for the same problems, which makes the CSOs very confused as for how to build their security stack and concept.

“There is no blueprint approach for enterprise security yet, and that keeps the market stuck. The main security problems that exist do not have yet complete solutions and each vendor in a way solves only 60 to 80% of each problem. This makes it more difficult for CSOs to become confident about their vendor selection strategy.”

The big money industry

Despite this, information security is emerging as a hot area for VCs. Analysts say it was a $75 billion market in 2015 (and expected to grow to $170 billion in 2020), while companies like FireEye, Kaspersky and Symantec have long emerged as household names.

IDC reports that security analytics/SIEM, threat intelligence, mobile security and cloud security are the new areas of interest for investors and this booming market, fueled by a record number of data breaches, has resulted in more security companies going public.

Last June, Rapid7 saw its shares rise 67 percent on the first day of trading on the NASDAQ, while UK-based Sophos raised $125 million on a valuation of $1.6 billion when it went public a month later. At the end of 2015, email security firm Mimecast launched its initial public offering (IPO).

Amar Singh, former CISO at News International and SABMiller

Dell SecureWorks has since joined the NASDAQ, while the Bain Capital-backed Blue Coat was to do the same before selling to Symantec for $4.6 billion.

LogRhythm, Mimecast, Bit9 & Carbon Black are all expected to follow suit in going public, and you can expect many more to come in a thriving market.

Join the CSO newsletter!

Error: Please check your email address.

More about Bit9Carbon BlackCSODellDeutsche TelekomDLPESETEuropolFBIFireEyeF-SecureIntelIntel SecurityInterpolISC2KasperskyLogRhythmMalwarebytesMicrosoftMimecastNASDAQNewsNews InternationalRapid7SecureWorksSophosSymantecTest

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by By Doug Drinkwater

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts