Co-authored by Frode Hommedal, a Senior Cyber Security Specialist for Telenor Security and Paul Vixie, CEO of Farsight Security.
As security breaches increasingly make headlines, thousands of Internet security companies are chasing tens of billions of dollars in potential revenue. While we, the authors, are employees of Internet security companies and are happy for the opportunity to sell more products and services, we are alarmed at the kind of subversive untruths that vendor "spin doctors" are using to draw well-intentioned customers to their doors. Constructive criticism is sometimes necessarily harsh, and some might find the following just that, harsh. But we think it's important that organizations take a "buyers beware" approach to securing their business.
Anything that can be communicated graphically, especially if there's color animation involved, will sell better. Buyers, being human, are visual creatures, and they inevitably feel greater, although misplaced understanding when value propositions are presented in pictorial form. Because quarter-on-quarter and same-quarter-next-year revenue growth is the main indicator of commercial health, there's an understandable tendency to show potential customers an "attack map."
In an "attack map", the world is shown in some form, and attacks are depicted (with color animation) as some kind of missile, launched from a country of origin, landing on a victim. What could be simpler? Your business is under attack from state-sponsored criminals, or just plain old "foreigners", and your prospective vendor appears to be able to track these attacks as easily as NORAD can track incoming ballistic missiles. The marketing message is: If you buy from us, we will tell you where the attacks are coming from, so that you can defend yourself. Or, even better, if you buy from us, we can defend you in real-time, using our cool tool.
We don't disagree with the underlying messages — there are a lot of attacks and a lot of attackers, and, if your company is online, you're a potential victim. You may need to outsource the specialized skill of knowing where attacks are currently coming from, and you may even need to buy a better firewall that can respond to real-time telemetry so as to deflect or repel targeted attacks that have no signature in any traditional sense of the word "signature".
Yet "attack maps" lead to grave misunderstandings, such as:
Most "attack maps" don't show actual "attacks." Instead, they are populated by event data — beautifully animated yet unfiltered, unverified, non-prioritized event data that while visually compelling is worthless from a security perspective.
Yet organizations will show these "maps" to decision makers, who, at best, will be mildly jazzed but ignore it — but, in the worse and more common case, will make decisions based on this garbage, either prioritizing resources or spending where they aren't needed against where they are needed, or learning a false sense of security, or, just as likely, a false sense of insecurity. The only beneficiaries from the resulting wrong-think will be shareholders and employees of the garbage-spewing security vendor, and of course, the bad guys, who as it turns out will have even less to worry about as they go about their work attacking us all.
Real attacks are so fuzzy and so numerous that no human can possibly follow them. If someone shows you color animation and claims that it offers any kind of clarity or indeed any kind of human understanding, then you should treat this as a "rigged demo" and ask why they are insulting you in this way.
Threat group attribution
A few years ago Mandiant released the APT1 group report, which garnered front-page news coverage. As a result, many security companies have made threat group attribution their most important marketing tool.
While there is some good work being done on attribution, it is extremely difficult to do and then most organizations have difficulty using the data to better protect their networks. The other issue is, to quote Jeffrey Carr, is accountability and liability. When security vendors misidentify or get the information wrong about a particular threat group, there are no real consequences. Since there is very little anyone can do to actually disprove attribution, vendors see little risk in offering this data to their customers.
Like with attack maps, threat group attribution can be more of a distraction than useful information and could cause you to spend your resources where you shouldn't.
There is some genuinely good threat intelligence available in the market and we as security professionals need to listen and learn. Yet much of what is currently being marketed as threat intelligence plainly is not. Instead, it is weak, technical threat indicators and, although these can be useful in the right hands, these artifacts are not "intelligence". This wrong-think term sends the following message: The answer is right there. We just buy this service, and we should have a pretty good idea of what's going on and what we need to worry about.
But when a feed is just weak threat indicators, like IP addresses and domain names, you aren't really getting any wiser. To use this information properly, you need a security infrastructure that can digest it. Then, and more importantly, you need people capable of vetting, verifying and prioritizing it all. To quote Sean Mason: You simply do not dump all indicators into production.
Even within a security company who is a vendor of security services, it can be hard to convince the leadership team that we (a) do not have, yet (b) really do need, a clear picture of our own threat landscape. And if we can't bridge what we know about our own infrastructure and assets, with an idea of what our threat landscape is, all of the "threat intelligence" in the world won't do much good when the pushing and shoving inevitably starts.
Just as "data" is being sold as "intelligence", a lot of security technologies are being sold as "security solutions" rather than what they for the most part are, namely very narrow focused appliances that as a best case can be part of your broader security effort.
Too many of these appliances do unfortunately not easily integrate with other appliances or with the rest of your security portfolio, or with your policies and procedures. Instead, they are created to work and be operated as completely stand-alone devices. This really is not what we need. To quote Alex Stamos, we need platforms. Reusable platforms that easily integrate with whatever else we decide to put into our security effort.
The weaknesses exploited by bad guys may appear to be on the perimeter of a victim's network, or in the components of a victim's infrastructure, but in fact the weaknesses we mostly see are in the culture of organizations and in the psychology of the staff and especially of the leadership, and no "security solution" wrapped in a black box can fix that.
The users who are wowed by "attack maps" are probably also clicking on "get rich quick" schemes in their e-mail. The buyers of magical security boxes they don't understand based on the promise of permanent safety are probably not applying vendor patches to their infrastructure, and that infrastructure is likely to be made up of other magical boxes that nobody quite understands.
Don't let a vendor get away with hand-waving, proprietary solutions, or opaque assurances. If you don't understand how it works — really understand it, mind you! — or you don't see how it will integrate with the rest of your security effort, don't buy it.
Wishes for 2015
We live in an elbow of human history where our militaries, police and governments cannot protect us from common attacks, because those attacks are not physical, and those attacks occur in a part of reality that has no borders. Military, police and government forces are very good at defending borders, which is why attackers have changed their tactics so as to make borders irrelevant.
So now every connected organization and individual has to defend themselves from a world-wide set of attackers, which is unprecedented in the last thousand years during which "nations" mattered more. This situation will change, because it's too inefficient to last. But meanwhile we have to stop playing "cops and robbers" and pretending that all of us are potential targets of nation-states, or pretending that any of our security vendors are like NORAD.
Perhaps if a few decision makers can be convinced that they've been mesmerized by color animation that has no real meaning, by threat "intelligence" that isn't, by security "solutions" that aren't, then 2015 could be a much-needed turning point in the history of Internet security.
There are no silver bullets in Internet security — no way to kill the monster in a way that it stays dead. We in the Internet security business look for current attacks and learn from those how to detect and prevent those attacks and maybe how to predict, detect, and prevent what's coming next. But rest assured that there is no end game — we put one bad guy in prison for every hundred or so new bad guys who come into the field each month.
There is no device or method, however powerful, which will offer a salient defense for more than a short time. The bad guys endlessly adapt; so must we. Importantly, the bad guys understand how our systems work; so must we.
What would do more good for most organizations than increased Internet security spending, is a tough love school out in the mountains where the leadership team learns what actual threats feel like and what kind of team work and planning it takes to build a secure environment. Security does not come from locks or weapons or cameras — rather, it comes from attitude and awareness and positioning.
Safety when walking from a restaurant to your car in a dangerous inner-city neighborhood doesn't depend on martial arts as much as posture, situational awareness, inner calm, self-honesty, and certainty of purpose. Safety on the Internet is no different.
|Data Center||Policy & Regulation|
|DNS Security||Regional Registries|
|Domain Names||Registry Services|
|Intellectual Property||Top-Level Domains|
|Internet of Things||Web|
|Internet Protocol||White Space|
Afilias - Mobile & Web Services
.eco launches globally at 16:00 UTC on April 25, 2017, when domains will be available on a first-come, first-serve basis. .eco is for businesses, non-profits and people committed to positive change for the planet. See list of registrars offering .eco more»