Five years ago a firewall was all you needed for security on the Internet. Back then, no one had ever heard of denial-of-service attacks shutting down Web servers, let alone common gateway interface scripting flaws and the latest vulnerabilities in Microsoft Outlook Express. Since then have come intrusion detection systems, public-key infrastructure, smart cards and biometrics. New networking services, wireless devices and the latest products regularly turn network security upside down. It's no wonder CIOs can't keep up.
What's amazing is that no one else can either. Computer security is a 40-year-old discipline; every year there's new research, new technologies, new products, even new laws. And every year things get worse.
I'm here to tell you it's not about the technology.
Network security is an arms race, where the attackers have all the advantages. First, potential intruders are in what military strategists call "the position of the interior": the defender has to defend against every possible attack, while the attacker has to find only one weakness. Second, the immense complexity of modern networks makes them impossible to properly secure. (Yes, I said "impossible," not "difficult.") And third, skilled attackers can encapsulate their attacks in automatic programs, allowing people with no skill to use them.
The way forward is not more products but better processes. We have to stop looking for the magic preventive technology that will avoid the threats, and embrace processes that will let us manage the risks. And that doesn't mean more prevention; it means detection and response.
On the Internet this translates to constant monitoring of your network. In October 2000, Microsoft discovered that an attacker penetrated its corporate network weeks earlier, doing untold damage. (Microsoft has been reticent about the exact details.) Administrators discovered this breach when they noticed 20 new accounts being created on a server. Then they went back through their audit records and pieced together how the attacker got in and what he did. If someone had been monitoring those audit records - from the firewalls, servers and routers - in real-time, the attacker could have been detected and repelled at the point of entry.
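The Microsoft incident above is a case for a detection that is cheap to run in real time: a sudden run of account creations on one server, especially shortly after an inbound connection from outside the network, is worth a page at two in the morning rather than a discovery weeks later. The following is an added example, not code from the original column or from Counterpane; it runs two such rules over a handful of constructed syslog-style audit records (firewall accepts and server account-creation events). The log format, the hostnames, the IP-to-host mapping and the thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit records (not real data): firewall and server events,
# one per line, as "<ISO-8601 UTC timestamp> <host> <message>".
SAMPLE_LOG = """\
2000-10-14T02:01:07Z fw1 ACCEPT src=203.0.113.45 dst=10.0.0.12 dport=445
2000-10-14T02:03:10Z srv12 useradd: new user: name=svc_tmp1 uid=1101 by=administrator
2000-10-14T02:03:11Z srv12 useradd: new user: name=svc_tmp2 uid=1102 by=administrator
2000-10-14T02:03:12Z srv12 useradd: new user: name=svc_tmp3 uid=1103 by=administrator
2000-10-14T02:03:13Z srv12 useradd: new user: name=svc_tmp4 uid=1104 by=administrator
2000-10-14T09:15:00Z srv07 useradd: new user: name=jdoe uid=2050 by=hr_provision
2000-10-14T10:22:31Z srv07 useradd: new user: name=asmith uid=2051 by=hr_provision
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<msg>.*)$")
USERADD_RE = re.compile(r"useradd: new user: name=(?P<name>\S+)")
ACCEPT_RE = re.compile(r"ACCEPT src=(?P<src>\S+) dst=(?P<dst>\S+)")

# Assumed mapping from server address to the hostname it logs under; a real
# deployment would take this from inventory or DNS rather than a constant.
HOST_BY_IP = {"10.0.0.12": "srv12", "10.0.0.7": "srv07"}


def is_internal(ip):
    """True for RFC 1918 addresses; anything else is treated as external."""
    octets = ip.split(".")
    if ip.startswith(("10.", "192.168.")):
        return True
    return len(octets) == 4 and octets[0] == "172" and 16 <= int(octets[1]) <= 31


def parse_line(line):
    """Split one audit line into timestamp, host and message; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    return {"ts": ts, "host": m.group("host"), "msg": m.group("msg")}


def detect(lines, burst_threshold=3, burst_window=timedelta(minutes=5),
           ingress_window=timedelta(minutes=10)):
    """Stream audit lines through two rules and return the alerts they raise.

    Rule 1 (account-burst): burst_threshold or more account creations on one
    host inside burst_window; fires once when the threshold is crossed.
    Rule 2 (create-after-external-ingress): an account creation on a host within
    ingress_window of an inbound accept to that host from a non-RFC 1918 source;
    fires once per such accept.
    """
    alerts = []
    recent_creations = defaultdict(deque)  # host -> creation timestamps in burst_window
    last_external_ingress = {}             # host -> (timestamp, source IP)
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        ts, host, msg = ev["ts"], ev["host"], ev["msg"]

        acc = ACCEPT_RE.search(msg)
        if acc:
            if not is_internal(acc.group("src")):
                target = HOST_BY_IP.get(acc.group("dst"))
                if target:
                    last_external_ingress[target] = (ts, acc.group("src"))
            continue

        ua = USERADD_RE.search(msg)
        if not ua:
            continue

        q = recent_creations[host]
        q.append(ts)
        while q and ts - q[0] > burst_window:
            q.popleft()
        if len(q) == burst_threshold:
            alerts.append({"rule": "account-burst", "host": host, "ts": ts, "count": len(q)})

        ingress = last_external_ingress.get(host)
        if ingress and ts - ingress[0] <= ingress_window:
            alerts.append({"rule": "create-after-external-ingress", "host": host, "ts": ts,
                           "user": ua.group("name"), "src": ingress[1]})
            del last_external_ingress[host]
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, the two provisioning events on srv07 an hour apart raise nothing, while srv12 raises both rules: one alert because an account appeared two minutes after an accept from an outside address, and one when the third account in four seconds crosses the burst threshold. The point is less the rules themselves than that they need someone awake to receive them; an alert that lands in a log file is just another audit record to read after the fact.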
Monitoring also means vigilance; attacks come from all over and at all hours. It means experts with the right tools watching continuously and working out what is actually happening. Throwing an intrusion detection system onto a network and handing a system administrator a pager isn't monitoring any more than giving a bucket to the guy at the other end of a fire alarm replaces a fire department.
Prevention systems are never perfect. No bank ever says: "Our safe is so good, we don't need an alarm system." No museum ever says: "Our door and window locks are so good, we don't need night watchmen." Detection and response are how we get security in the real world, and it's the only way we can possibly get security on the Internet. CIOs must invest in monitoring services if they are to maintain security in a networked world.
Bruce Schneier is founder and chief technical officer at Counterpane Internet Security, a managed-security monitoring company. He is also the author of Secrets and Lies: Digital Security in a Networked World (Wiley, 2000). You can subscribe to his free monthly e-mail newsletter, Crypto-Gram, at www.counterpane.com/crypto-gram.html.