Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors.
He is engaged as a consultant across most industry sectors on Information Security policy and strategy. Earlier in his career he headed up Information Security for a global investment bank and a Big-Four professional services firm, was a regional IT director, and has spent years promoting and talking about information security. Twitter: @ddrazic
If we were to believe the marketing hype of the last 20 years, we should be in a position today, in 2011, where security is not the BIG problem that it is. Every “security” product has promised to take the pain away: make us secure, compliant (with every known standard), and not only solve our problem today but future-proof us as well. Buy now and you need nothing else!!
In 2008, a large “security” company told me that if I bought their product, it would give me “proactive protection against unknown and zero-day threats”. They seriously told me that! I didn’t buy the product. Did you? If you did and it worked, you’re probably not reading this website and are instead getting on with business without the need for a security team or any other security technology......
Let’s not pick on one company or another. We know they all do it and always have. But let’s go back and ponder why we’re not secure today when marketing has been telling us for years (well, since the 90s really) that their company has solved the problem for you..... (maybe someone just forgot to tell the hackers.....)
Packet filtering technology led the way in protecting us from bad things on the Internet. Then firewalls became mainstream in the 90s to really ensure we kept the hackers out, IDS raised the bar to protect us further, and then, just to make sure, we moved to IPS technology. To be even more sure, we were told we then needed WAFs to close the loop, so to speak. Between the evolution of these technologies we’ve also had competing technology that was “promoted” to us on the basis that all of the above was no good and you needed “intelligent systems” that would understand what was good and bad traffic coming into your network. “Heuristic” network analysis! Wow!
Let me be a cynic for a moment. (Out of character for me).
It won’t be long before we have a Cloud Firewall (some are already promoting it), which I like to term a CFW. (I’d like CFW to be seen as the solution to APT.) We’ll put the CFW in front of the WAF, which sits in front of the IPS, which sits in front of the IDS, which sits in front of the FW, which sits in front of the router, which sits in front of the “intelligent” system sitting on your network finding the bad stuff that all the others missed. (Okay, before anyone gets too technical on me, I acknowledge you can mix this order of protection around to whatever floats your boat or is considered the “best practice” of the day..... “zone” it how you will.)
Now I hate to be a party pooper just as the security product makers have seemingly nailed the problem yet again, BUT we have clients who don’t trust these security products without the products themselves first being security reviewed. That’s one of the things we do. And herein lies the problem.....many security products are insecure....inherently insecure.....as bad as the standard TCP/IP protocols themselves.
So what’s the solution? Why break the evolutionary mould? Let’s add more layers. Let’s start with the WAF (because no one has invented the CFW as yet...or at least a real one). We need to put a WAFF (Web Application Firewall Firewall) in front of the WAF. It would be bad to have your WAF owned, so you need to protect your WAF. No need to detail the rest as we move down the zones to protect the protection devices. LOL....you couldn’t make this stuff up.
BUT we’ve always been told that defence in depth is key! So, somewhere in this quagmire of millions of dollars spent, we’re going to finally be secure.
Let me leave this for the moment with one last comment:
Defence in Depth can be destroyed by Complexity in Depth and is always trumped by Stupidity in Depth. Are we too far gone now to go back to basics? There’s a story about an old woman who swallowed a fly.....