The failure of the security industry
A CSO with a budget must be in want of a thousand dedicated point solutions, says Alex Stamos, CISO, Yahoo.
Alex Stamos, CISO, Yahoo
It is a truth universally acknowledged that a CSO with budget must be in want of a thousand dedicated point solutions.
Like many security executives, my email, snail-mail slot, LinkedIn profile and cell phone field a constant barrage of offers from well-meaning but insanely aggressive account representatives. They arrive in waves from companies big and small. They offer solutions to my data analysis problems, zero-day malware and “advanced APTs.” Any demonstration of reluctance on my part is parried with a quick “Ok, I'll circle back later.” In my dreams, I squint up at the flock of sales cyber vultures, “circling back” until I lose my will to resist their entreaties, or perhaps to live.
The problem is not only that these companies build beautiful websites that refuse to explain what they sell and instead wax poetic on their “solutions,” or that their slide decks lecture me on what threats I face (“BYOD really means Bring Your Own Malware!”). The problem is that almost none of these products work in a real environment.
For the most part, the security vendors I meet believe that IT departments want to run another agent on their Windows laptops, that production engineers are willing to put a cheap Lintel 1U security device in their critical path, and that every company's security team is staffed like a Top-5 bank. These assumptions are not true. Companies across the world are waking up to the fact that their security posture is insufficient to fend off the threats that breached Sony, Anthem and JPMC, and we can no longer build products like it's 2005. Some ways we can adapt:
"Companies across the world are waking up to the fact that their security posture is insufficient to fend off the threats that breached Sony, Anthem and JPMC..."
Build platforms – The activation energy to qualify, purchase and deploy a security solution is not widely variable and for most enterprises the opportunity cost of choosing a product that solves a very small problem outweighs the price. The security industry needs to build reusable platforms with pluggable use cases. Why should five separate security agents hook the Windows kernel (and introduce instability) when one collector process could feed intelligence to five products? Why would I keep many copies of my syslogs in proprietary databases when one standard storage mechanism (like Hadoop) could be queried by security products from competing companies?
Focus on user experience – The explosion of security needs means the median security engineer in 2015 is less experienced than her counterpart in 2005. Security companies need to recognize that most of their addressable market cannot properly consume their products and that user experience is a bigger priority than getting more checkmarks in a Gartner report.
Accept asynchronicity – That's not a album from The Police, but a mantra that needs to be embraced to provide security services on modern networks. Big Data, cloud and container technologies mean that most enterprises will be deploying 100GbE inside of the datacenter and corporate campus this year. At those speeds, security products have about 6.7 nanoseconds to decide whether an Ethernet frame is malicious or not. These days, network security has to be pushed into the end nodes, and decisions need to be made at a much slower pace than packets arrive and remediations performed out-of-band.
Evolve or die, that is the reality facing the security vendors, lest the cybervultures feast.