Unbalanced reliance on prevention

On my last several ‘exit calls’ for security assessments I’ve wanted to ask the customer if they had anything alerting them to the activities performed.

The obvious need for detection is a tiresome mantra to repeat, given that prevention will always fail. In fact, is it not better to log all activities (e.g. syslog, netflow, successful sessions, etc.) regardless of which prevention tools are in use? If knowing you’ve been compromised is a better state than not knowing, then isn’t it better to pay appropriate attention to all the events rather than haphazardly trusting prevention solutions?

I just finished an external security assessment for a bank which had an IPS-enabled firewall. They requested two rounds of scanning: one with the IPS features enabled and the other with them disabled. Results: no difference. This held from normal to aggressive scanning (full 65k-port scans, full vulnerability scans from multiple tools, a few Metasploit shots, exhaustive brute forcing, etc.), and without any effort to be elusive.

I’m betting if I ask this client whether he noticed any activity spikes or was alerted to anything, he’ll say no. Furthermore, I bet he has nothing set up to help him easily go and check.

I’m running across more and more of these where it seems the first indicator of something bad is when actual fraud occurs. Compromise, theft of data, spread of attackers’ control -- all missed opportunities to detect and contain because of an unbalanced reliance on prevention tools.
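As an added illustration of the point above (this is not code from the original post), here is a minimal detector run over constructed firewall and sshd syslog lines that would have surfaced the kind of port sweep and brute forcing described in the assessment. The log formats, the 60-second window and the thresholds are assumptions chosen for the example.

```python
"""Detection over plain logs: flag a source that hits many distinct ports or
racks up repeated SSH failures inside a short window, independent of whether
the firewall or IPS blocked the traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed formats: netfilter-style firewall lines and OpenSSH failure lines.
FW_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ kernel: (ACCEPT|DENY) .*SRC=(\S+) .*DPT=(\d+)")
AUTH_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for \S+ from (\S+)")


def parse_ts(text):
    """Syslog timestamps carry no year; only relative ordering matters here."""
    return datetime.strptime(text, "%b %d %H:%M:%S")


def detect(lines, scan_ports=20, auth_fails=5, window=timedelta(seconds=60)):
    """Return (kind, source, count) alerts; one alert per source per kind."""
    ports = defaultdict(list)   # src -> [(timestamp, dport)]
    fails = defaultdict(list)   # src -> [timestamp]
    for line in lines:
        m = FW_RE.match(line)
        if m:
            ports[m.group(3)].append((parse_ts(m.group(1)), int(m.group(4))))
            continue
        m = AUTH_RE.match(line)
        if m:
            fails[m.group(2)].append(parse_ts(m.group(1)))
    alerts = []
    for src, events in ports.items():
        events.sort()
        for i, (t0, _) in enumerate(events):   # sliding window from each event
            seen = {p for t, p in events[i:] if t - t0 <= window}
            if len(seen) >= scan_ports:
                alerts.append(("port_scan", src, len(seen)))
                break
    for src, stamps in fails.items():
        stamps.sort()
        for i, t0 in enumerate(stamps):
            n = sum(1 for t in stamps[i:] if t - t0 <= window)
            if n >= auth_fails:
                alerts.append(("brute_force", src, n))
                break
    return alerts


def build_sample():
    """Constructed sample: a 30-port sweep and six SSH failures from one
    source, plus one benign HTTPS connection from another (not real data)."""
    lines = [f"Feb 28 16:40:{i:02d} fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 "
             f"DST=203.0.113.10 PROTO=TCP DPT={port}" for i, port in enumerate(range(20, 50))]
    lines += [f"Feb 28 16:41:{i:02d} fw1 sshd[2112]: Failed password for root "
              f"from 198.51.100.7 port {50000 + i} ssh2" for i in range(6)]
    lines.append("Feb 28 16:42:00 fw1 kernel: ACCEPT IN=eth0 SRC=192.0.2.44 "
                 "DST=203.0.113.10 PROTO=TCP DPT=443")
    return lines
```

Note that the DENY lines still feed the detector: a blocked sweep is evidence of an attacker at work even when prevention did its job.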

Posted by tate Wed, 28 Feb 2007 17:01:00 GMT


Work on feature requests or try to code that really cool idea?

How do you balance a giant list of customer feature requests with your in-house splashes of innovative ideas?

It seems really hard not to get buried coding incremental improvements while keeping your head above ground. With your head buried, you’ll eventually lose sight of the vision and get blindsided by competitors.

Several start-ups I’ve played at were driven almost entirely by customer requests. I’m not debating the value of that. But when it is used to control all the development cycles you begin to create a culture allergic to creativity and risk.

Good team dynamics can help tremendously for encouraging members to be creative – I think the challenge is keeping it that way while championing a customer driven style of development.

Posted by tate Wed, 28 Feb 2007 03:32:00 GMT


Spotlight on Innovation

I read a WSJ Opinion article today by Harold Evans titled “The American Way” which, in a sense, paralleled the ideas presented by Tom Kelly’s recent presentation at RSA around innovation.

From WSJ:
Efficiency, once the be-all and end-all, is no longer considered enough for survival in the world economy. In a global marketplace, efficiency – and the cost cutting associated with it – is essential but may not be enough when competitors in China and India can discount you to death with demographics.

That got me to thinking in our industry how often we see claims of “innovation”, but which are really not.

We should reserve the terms ‘innovation’ and ‘innovators’ for real change and not confuse it with different functions.
[…]
Entrepreneurship, the assumption of risk, may not be innovative at all. You assume risk if you open a new auto dealership, but this is not innovative unless you are the first.

Blend in the key points from Tom Kelly’s presentation (or books) and you’ll see how powerful it is to continually aspire for true innovation.

“Tom has observed a number of roles that people can play in an organization to foster innovation and new ideas while offering an effective counter to naysayers. Among these approaches are the Anthropologist, the person who goes into the field to see how customers use and respond to products, to come up with new innovations; the Cross-Pollinator, who mixes and matches ideas, widely disparate people, and technologies to create new ideas that can drive growth; and the Hurdler, who instantly looks for ways to overcome the limits and challenges to any situation.”

Tying this back to the security industry, I’ve been stricken with the illness-inducing problem of inspecting massive data sets for important events. A real innovative breakthrough to me would be if someone built an easy-to-use and easy-to-manage system (one that accepts all possible data sources) that handles the crushing volume of disparate events on enterprise networks while truly notifying me of only the important events.

To cite a small example, I’m installing several pieces of “security software” (Snort, OSSEC HIDS, a central log aggregator, etc.) for a client who takes threats seriously. I’ve played with several products which purport to do all I wish, but none of them are succeeding or innovating in my view; none feel like they are offering real change or doing anything beyond offering different functions. Maybe I’ll try the Hurdler role for some time to see what I can do.

How about trying to play a role?

Posted by tate Mon, 19 Feb 2007 05:12:00 GMT


Expectations & product failures

Last week I attended presentations from the Americas Growth Capital Conference. Several of the presentations featured prominent CEO/CTOs in the security products game.

I connected with a view echoed by a panel discussing the difficulty of selling security point solutions.

They raised the issue of their desire to set their customers’ expectations that their products will fail. Catastrophic failures, they said, are rare events. Their products are designed to work most of the time, but they repeated the point that it is too expensive to build products which escape all bad things.

To limit the embarrassment of a product failure, they work on educating their customers and suggest that each invest in a good incident response strategy. This keeps the prices competitive, establishes trust, helps to level expectations, and addresses product failures caused by rare events.

I don’t know how well they convey this when the goal is to sell, but I liked the message.

Posted by tate Tue, 13 Feb 2007 06:54:00 GMT