IT security vendors' sole purpose is to generate revenue and they will only create solutions to stop dangerous threats when they are incentivized to do so, the principal security strategist for IBM Internet Security Systems said Wednesday at Interop in Las Vegas.
“The goal of the security market is to make money,” Joshua Corman told an audience of about 175 people. “All they have to do is exceed your comprehension of the threat, and they'll get your money. They have an agenda and their agenda is to sell you something.”
Corman, whose session was titled “Unsafe at any speed: Seven dirty secrets of the security industry,” outlined a number of ways in which end-users are being manipulated, often at the expense of their organization's security posture.
As the notion of risk management extends into IT departments, don't count on vendors to weigh a company's true needs into their sales pitch, Corman said.
“As long as you're still focused on the big picture, you'll keep buying stuff from them,” he said.
Meanwhile, vendors are placing too much emphasis on vulnerability management and failing to address other avenues for attack, such as poor system configurations – weak passwords, unhardened networks, etc. – and uneducated employees, who can be duped by tactics such as social engineering, Corman said.
In addition, anti-malware companies are failing to create solutions to block certain threats when there is little means for them to significantly profit, he said. A prime example of this is the Storm Worm, a socially engineered trojan that has led to the infection of tens of millions of PCs worldwide. The malware has been going strong for nearly one-and-a-half years and there is no end in sight, Corman said.
The problem is, mostly home users have been impacted because businesses can leverage behavior-based tactics to fight the threat, he said. Therefore, there is no real monetary reason to build detection and remediation capabilities into standard anti-virus products.
Corman added that often vendors spend too much time trying to understand a threat and not enough resources on effectively fighting it.
He also blamed anti-virus certification testing for failing to vet products on their ability to detect some of the more insidious and financially driven threats, namely trojans and rootkits.
Citing a recent Sophos study, Corman said roughly three-quarters of new malicious code is trojans.
Corman did not just pick on the solutions providers. He also blamed compliance mandates for getting organizations' focus off security and onto meeting checkbox requirements.
“The problem with compliance is it split our attention,” he said. “Please don't let [mandates] be the sum total of your risk strategy.”
One of the audience members, Ian Malone, who works in information assurance at California-based Synectic Solutions, which provides security solutions to the U.S. Navy, said he agreed on this point with Corman.
“In my environment, it needs the utmost security,” Malone told SCMagazineUS.com after the presentation, “especially with all the talk of the government being a target.”
Corman also argued that compliance protocols, particularly the prescriptive Payment Card Industry (PCI) Data Security Standard (DSS), often provide a blueprint for the hacking community. He cited the recent data breach at Hannaford Bros. supermarket chain as an example of an organization that got hit even though it recently had been PCI certified.
“Isn't PCI killing security by obscurity?” he asked.
Corman also addressed the need for businesses to shift their focus off the perimeter – even as vendors continue to hawk network-based solutions in earnest, such as data-loss prevention.
“The lion's share of data loss is not even a perimeter problem,” he said.
Audience members agreed.
“There are so many other ways things can pass through the perimeter,” Bruce Pollard, IT director for California-based Royal Paper Box, a printing firm, told SCMagazineUS.com afterward. “It's just not that simple anymore.”