What is true enterprise security and how do you get it? Bogus promises by vendors are all too common. In this recent Network World chat, outspoken security analyst Nick Selby humorously tackles the truth about data leakage products, smartphone protection, hotspot threats and the word "solution." Nick Selby leads The 451 Group's Enterprise Security Practice. Selby also serves as The 451 Group's Director of Research Operations and is on the faculty of the Institute for Applied Network Security.
Security start-ups promising protection from bot attacks seem to be the rage. I'm skeptical. Should I be?
Well, the only alternative answer to your question would be my advising you to be gullible, so I think I'll go with A, yes you should be skeptical. Bot attacks are launched by people exploiting vulnerabilities for profit. The cost of an owned Windows box is really low - in Dan Geer and Dan Conway's recent Owned Price Index, he states the cost as US$0.04 - so the cost involved in getting a lot of them to do something awful is fairly low and the chance you'll be caught even lower. When companies come out and state that they can promise protection from botnets, I'd start by asking lots of questions and being very careful about believing the answers. Not saying they're lying, just saying that what they're promising is to fix a constantly moving target.
What is the biggest load of nonsense that security vendors are pushing at us?
This will sound like semantics but it's been the devious insertion by vendors of the use of the word "solution" and its take up by buyers. I could say that a farm that's biodynamically sustainable and militarily defensible is a "hunger solution," but calling an IDS a "solution" is a little ridiculous. It's saying, "Oh, good, they've solved the problem of intrusion! Good for them!" It's truly insidious that people are now referring to products of some genuine but specific value as something that has solved a problem. Enterprise IT is like New York City - it will be great when it's finished.
Along those lines, what about data leak protection - is it a "product/solution" or is it all hype?
That they can stop intentional theft of data, and that they can - in a vendor's own words, 'Stop all leakage and loss in any language, via any channel'. What utter tosh! Anti-data leakage (ADL) boxes and agents are great at reducing noise, at stopping stupid and inadvertent leaks which are clearly the most prevalent source of confidential and regulated data dissemination BY VOLUME (not by severity). That says a lot. But protecting your data is about far more than just stopping accidental leakage, it is about understanding how your company does business and the processes by which it turns information that it processes into checks made payable to it. On March 31, we're releasing a long format report on this very subject called Mind The Gap. It sets forth a no-cost framework to help end users get a better grasp on how to prioritize and understand the flow of data through their organizations. It then helps them prioritize the problems and use information to get vendors of four classes of related products (ADL, disk encryption, port and device control and database transaction monitoring) to better understand their needs to start addressing the problems of unprotected data in the enterprise.
If a vendor (say a start-up) comes up with what they feel is a new approach to addressing security concerns, or a specific issue (say, stronger user authentication), what would you call it if not an authentication solution?
I'd err on the side of "product", seriously.
Are integrated end-point security suites (i.e. Symantec/McAfee) as effective as best-of-breed 'solutions'?
Not sure about the exact answer as I would say that it varies. But as far as the "is the agent dead?" kind of question, I would say that, interestingly enough, we find that we are seeing greater demand -- in fact increasingly shrill and irritated demands - from the enterprises to get agents right, unified and functional. We saw GE chuck out Symantec and the Miami Dade School System chuck out McAfee because of dissatisfaction with agent unification and performance, updates, customer support and stability. But we are also hearing from end users that they are desirous of ADL and port and device control and disk encryption agents to be unified with antimalware and host behavior-based IPS and the like. Guardium and Imperva tell us that their agent uptake for database servers is now through the roof. (Disclosure: Guardium is a 451 customer; Imperva is not.) So we say that there is tolerance for agents provided that they work, play nicely with other programs and don't blue screen Windows.
We see ADL as an important part of something bigger - and that something bigger is likely to be the second tier antimalware vendors who know a thing or two about building agents. So in that list we would put AhnLab, Hauri, Grisoft (AVG), Panda, Trend Micro, Sophos, Kaspersky, BitDefender, GFI Software and other companies (disclosure: Sophos is a 451 customer) as tops in looking to extend their antimalware agents to look at data leakage. We've seen Utimaco (a 451 customer) and other disk encryption vendors doing the same thing. So are agents dead? No. It's just that most IT people wish they were. However, were it not for that latter bit, companies like BigFix (a 451 customer) and Lumension (not a customer, and a company whose name sounds like a prescription sleep aid) would have less to do.
HauteSecure released a new version of its anti-drive-by-download product recently. Is there really a market for browser plugins that do this sort of thing?
Well, if you ask the guys at Finjan, Grisoft (AVG), Symantec and McAfee then the answer is yes. But the real issue I suppose is the reactive nature of this. I like the power of the gang by companies like Prevx and indeed Haute of trying to use the users to gather intel and feed a central hive to disseminate. But at the end of the day it's reactive and therefore by definition behind the eight-ball from the get go - whaddaya think?
Do you think security vendors are creating problems then, to which they have the solutions? That sounds very cynical...
I am not seeing the connection between what I said and what it seems like you thought I said. . . As we all know, Microsoft is to blame for everything. What I do mean to say is that security vendors often have very valid things to say about very real problems, but they get so caught up in the cycle of hype and marketing that they forget to speak English. Take the anti-data leakage guys - they solve an enormous problem, yet they insist on saying that they solve the WHOLE problem, ALL OF IT! It's disingenuous and needlessly distracting.