Right now, security services vendors are collecting data. Massive amounts of data. Just as meteorologists plant doohickeys on the roof to analyse the weather, security vendors stick doohickeys on their networks to catch malicious activity streaming by.
They're quite good at this, actually. Two recent examples: In January, Riptech announced it had culled more than 128,000 attempted attacks on 300 Riptech customers over six months. And in March, Predictive Systems amassed more than 12 million malicious-looking events from 54 sensors around the world in just three months. (That's about 90 attempted attacks per second, or put another way, roughly 27,000 attempted hacks in the time it takes you to read this column.)
Both vendors created detailed knowledge about infosecurity. Here's a tiny slice: The Riptech study found 30 per cent of all attacks came from computers in the U.S.; next was South Korea, at 9 per cent. In fact, five of the top 10 sources of attacks were computers in Pacific Rim countries. In terms of intensity (attacks per Internet user), Israel far outdid any other nation.
In the Predictive study, 49 per cent of attacks originated on computers in the U.S., but of the remaining 51 per cent, nine out of 10 originated on computers in the Pacific Rim, a third of those from South Korea.
Experts are playing around with the data, trying to determine if there's a correlation between socioeconomic factors and vulnerability of computer systems. They're looking at vulnerability by industry sector (where attacks go, rather than where they come from). They can map intensity of attacks based on current events (for example, whether attacks against an industry spike after certain events happen in the world). The data can be parsed any number of ways — it's just a matter of mining it first.
Now, imagine this on a massive scale. What if all security vendors agreed to a six-month data collection period, possibly covering a billion instances of malfeasance? After the six months, they could turn over their data to an independent, nonprofit group (CERT? SANS?) that would create an omnibus, possibly recurring, infosecurity census. It's an exciting idea in public service. The data (stripped of identifying factors to protect the innocent, of course) would immediately provide CIOs and CISOs with a panoramic landscape to survey and learn from. Beyond awareness building, it could be used to instruct CIOs on architecture. Where do we need to build up defences and where are they pretty solid? Global companies would benefit from a global view of security. The government could use it to set policy, in the same way the population census is used to set policy.
Almost everything needed to make such a census happen is available: the data, the computing brawn, smart (and independent) agencies to handle the data, and security experts to provide analysis. The one missing element is the vendors' consent to turn over their data.
There's the rub. It's not likely vendors would ever consent to this, even though it would immediately benefit their customers. Riptech officials said flat out they wouldn't share the data with CERT or a similar organisation, because said data is proprietary. The head researcher at Predictive said that his data was "proprietary by nature," which seems sort of silly. What he means is it's proprietary by choice.
These studies, you see, are great marketing. Great branding. When asked about publishing Riptech's findings, a company spokesperson said he asks members of the press to mention the company's name in conjunction with the data as a prerequisite to access. Predictive is turning its data into marketable white papers. They are establishing topical authority that the sales team can cite when trying to sign on new customers.
"Their business is really hard right now," notes Alan Paller, research director at the independent SANS Institute, who liked the idea of a census, and also would like to see something along the lines of a closer-to-real-time National Weather Service early warning system developed, a venture he'll soon be begging vendors to participate in (another column, another day). "From the vendor's perspective, if they give away their data, they give away the thing that gives them the ability to get new customers," Paller says.
This is a glib defence. It suggests the vendors can only attract new customers by offering peeks at proprietary data. It ignores the fact that if all of the major players participated in a security census, everyone else would lose the sales "advantage" of having stats to attract new customers. And, it assumes the value lost by forgoing a little revenue can't be made up by the value created through a public census. Lastly, if your vendor implies it can't live without the money or the "mind share" it scrounges up through white papers and proprietary studies, you should evaluate the overall health of their business, posthaste.
So a security census will likely remain far off on the horizon, which is to say out of view of the security industry, which continues to exhibit a terrible case of myopia.