Internet Security....the final word.....well maybe the second final.....ah, maybe one more after that.....

Drazen Drazic

Drazen Drazic is the managing director of Securus Global, a leading Information Security consulting organisation specialising in application and network security, penetration testing and product testing for international security vendors. He is engaged as a consultant across most industry sectors on Information Security policy and strategy. In earlier times, he has headed up Information Security for a global investment bank and Big-Four professional services firm, been a regional IT director and has spent years promoting and talking about information security. Twitter: @ddrazic

If we were to believe the marketing hype over the last 20 years, we should be in a position today, in 2011 where security is not the BIG problem that it is. Every “security” product has promised to take the pain away; make us secure, compliant (with every known standard), and to not only solve our problem today, but to future proof us also. Buy now and you need nothing else!!

In 2008, a large “security” company told me that if I bought their product, it would give me; “proactive protection against unknown and zero-day threats”. They seriously told me that! I didn’t buy the product. Did you? If you did and it worked, you’re probably not reading this website and instead are getting on with business without the need for a security team or any other security technology......

Let’s not pick on one company or another. We know they all do it and always have. But lets go back and ponder why we’re not secure today when marketing has been telling us for years, (well, since the 90's really) that their company has solved the problem for you..... (maybe someone just forgot to tell the hackers.....)

Packet filtering technology led the way to protect us on the Internet from bad things and then Firewalls became mainstream in the 90s to really ensure we kept the hackers out before IDS really raised the bar to protect us further, and then just to make sure, we moved to IPS technology. But to be even more sure, we were told we then needed WAFs to close the loop so to speak. Between the evolution of these technologies we’ve also had competing technology that was “promoted” to us on the basis that all of the above was no good and you needed “intelligent systems” that would understand what was good and bad traffic coming into your network. “Heuristic” network analysis! Wow!

Let me be a cynic for a moment. (Out of character for me).

It won’t be long before we have a Cloud Firewall (some are already promoting it), which I like to term a CFW. (I’d like CFW to be seen as the solution to APT). We’ll put the CFW in front of the WAF, which sits in front of the IPS, which sits in front of the IDS, which sits in front of the FW, which sits in front of the Router, which sits in front of the “intelligent” system sitting on your network finding the bad stuff that all the other missed. (Okay, before anyone gets too technical on me, I acknowledge you can mix this order of protection around to whatever floats your boat or is considered the “best practice” of the day.....”zone” it how you will.

Now I hate to be a party pooper just as the security product makers have now seemingly nailed the problem again, BUT, we have clients who don’t trust these security products without the products themselves first being security reviewed. That’s one of the things we do. And herein lies the problem.....many security products are insecure....inherently bad as bad standard TCP/IP protocols themselves.

So what’s the solution? Why break the evolution mould/pattern? Lets add more layers. Let’s start with the WAF, (because no one has invented the CFW as yet...or at least a real one). We need to put a WAFF (Web Application Firewall Firewall) in front of the WAF. It would be bad to have your WAF owned so you need to protect your WAF. No need to detail the rest as we move down the zones to protect the protection devices. couldn’t make this stuff up.

BUT, we’ve always been told that defense in depth is key! So, somewhere in this quagmire of millions of dollars spent, we’re going to finally be secure.

Let me leave this at the moment with one last comment:

Defense in Depth can be destroyed by Complexity in Depth and always trumped by Stupidity in Depth. Are we too far gone to now go back to basics? There’s a story about an old woman who swallowed a fly.....

Show Comments

Editor's Recommendations

Solution Centres


View all events Submit your own security event

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Media Release

More media release

Market Place