Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid T-Shirts |
| Israel Implementing IFF System for Commercial Aircraft »
March 10, 2008
Security Products: Suites vs. Best-of-Breed
We know what we don't like about buying consolidated product suites: one great product and a bunch of mediocre ones. And we know what we don't like about buying best-of-breed: multiple vendors, multiple interfaces, and multiple products that don't work well together. The security industry has gone back and forth between the two, as a new generation of IT security professionals rediscovers the downsides of each solution.
The real problem is that neither solution really works, and we continually fool ourselves into believing whatever we don't have is better than what we have at the time. And the real solution is to buy results, not products.
Honestly, no one wants to buy IT security. People want to buy whatever they want -- connectivity, a Web presence, email, networked applications, whatever -- and they want it to be secure. That they're forced to spend money on IT security is an artifact of the youth of the computer industry. And sooner or later the need to buy security will disappear.
It will disappear because IT vendors are starting to realize they have to provide security as part of whatever they're selling. It will disappear because organizations are starting to buy services instead of products, and demanding security as part of those services. It will disappear because the security industry will disappear as a consumer category, and will instead market to the IT industry.
The critical driver here is outsourcing. Outsourcing is the ultimate consolidator, because the customer no longer cares about the details. If I buy my network services from a large IT infrastructure company, I don't care if it secures things by installing the hot new intrusion prevention systems, by configuring the routers and servers as to obviate the need for network-based security, or if it uses magic security dust given to it by elven kings. I just want a contract that specifies a level and quality of service, and my vendor can figure it out.
IT is infrastructure. Infrastructure is always outsourced. And the details of how the infrastructure works are left to the companies that provide it.
This is the future of IT, and when that happens we're going to start to see a type of consolidation we haven't seen before. Instead of large security companies gobbling up small security companies, both large and small security companies will be gobbled up by non-security companies. It's already starting to happen. In 2006, IBM bought ISS. The same year BT bought my company, Counterpane, and last year it bought INS. These aren't large security companies buying small security companies; these are non-security companies buying large and small security companies.
If I were Symantec and McAfee, I would be preparing myself for a buyer.
This is good consolidation. Instead of having to choose between a single product suite that isn't very good or a best-of-breed set of products that don't work well together, we can ignore the issue completely. We can just find an infrastructure provider that will figure it out and make it work -- who cares how?
This essay originally appeared as the second half of a point/counterpoint with Marcus Ranum in Information Security. Here's Marcus's half.
Posted on March 10, 2008 at 6:33 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I completely agree, security should not be looked at with so much of a broad stroke but when its comes down to it, its the money that matters. Forget the fact that the product costs too much and doesn't do enough. The only product for network security I like if Peakflow/X (yes its "very costly") but instead of magic dust you get real world indicators.
Bruce thank you for your honest posts - keep them up.
Lewis Donofrio Sr. Windows / Unix Systems Administrator 734-355-0592
While I agree that what you describe is a much desirable thing, I don’t see it happening currently. Consumers don’t choose products or services because they are secure, they choose them because they are cheap. And even if security is part of their requirements, they don’t understand it correctly enough and will merely buy additional “security”-flagged products which won’t be able to cure their flawed infrastructure and broken software. Security theater is not only for homeland security, it is a good part of the business in IT too.
"IT is infrastructure. Infrastructure is always outsourced."
I think Bruce has got it wrong this time, for once. IT is Information Technology, and information is at the very core of every modern company worth its salt. You cannot outsource information; and as many companies have discovered outsourcing all your IT is a bad idea.
There are certain aspects of IT which you can outsource, as long as they are not critical to your company: of course hardware, networking and operating systems are the best candidates. But others (such as your business logic) you have better keep under control. Otherwise, sooner or later you will find something which is now out of your control and which requires an immediate response, or lower prices, or a different approach. You are now screwed.
This said, security probably falls into those parts which you can oursource. Unless you are a bank or an airline or the army or... oh well.
Unfortunately Magic Security Dust of the Elven Kings and +5 Sword of Malware Slaying are not open source systems. The Dwarven clans of Mountain View, CA, continue to champion the security through obscurity meme by refusing to disclose the enchantments used in the Amulet of Botnet Protection.
However, times may be changing, as indicated by the recent disclosure of the location of the One True Token Ring.
Security problems for home users are not caused by wrong network config. It's crappy software, stupid. And as long as my ISP doesn't install my software - nothing gonna change. On the other hand, in no event I will allow my ISP to look into my computer. What's mine is mine.
Automobile security is probably a good analogy. The first cars were fundamentally insecure, not having doors or needing a key for the ignition. In this way they mimiced the horse!
Time moved on, manufacturers started offering cars with the [additional cost] option of needing a key to start and you could lock the doors.
As time progressed, the option became a standard feature.
This wasn't good enough to satisfy insurers of upmarket cars in high-crime areas so aftermarket alarms/immobilizers appeared.
Now, you can't buy a car which doesn't already come from the factory with a rather effective alarm/immobilizer installed.
So it will be with the IT security industry. I think we're currently at the 'ignition key and door locks as optional extra' stage.
I think you are at least partially right. Security at the ISP level may be the end all, since they are delivering the packets, they can filter them as well to eliminate the malware. Unfortunately, that has the obvious downsides.
McAfee would have a problem with the shift, but Symantec has diversified greatly.
There is one unfortunate side effect of large non-security companies gobbling up smaller security companies. The good security gets hoarded.
The small security company can sell its solutions to hundreds of clients that need it. But after they are gobbled up by the larger non-security conglomerates, many will be forced to keep their security magic in-house, rather than selling "to competitors" (competitors to the large non-security company, not competitors to the small security company).
So the large company with the deep pockets effectively limits the distribution of the good security technology (or business practices, or pixie dust, or whatever).
I don't think this has happened with BT and Counterpane, but I can imagine it would if BT decided that it did not want to provide security services directly to Orange, T-Mobile, France Telecom, etc.
Sometimes there are bigger-picture advantages to keeping the vendors from being gobbled up by their larger clients.
0) Companies come to me offering a certain set of services at a certain price. I've discovered, over the years, that their ability to actually deliver what they claim varies even when they don't have "small print" to deal with.
Thus, unfortunately, I am often in the position of having to verify that their claims of capability are valid.
1) "Security is a trade-off". As security is a trade-off, and the same trade-off is not applicable to everyone, thus people who care about the trade-off will still have to understand what's happening under the abstraction boundary, either by black-box or white-box observation.
Doesn't the bundled security suffer the same problem as Suites?
The customer is going to pick the provider with the best overall package. Sure one of the contributing factors is security, but it's only one factor, and probably not the main one. The scope here is much larger than security. I'd bet bandwidth would trump security any day. If the provider chooses to implement a sub-optimal security tradeoff, there may be little that the customer can do about it, in this scenario, having relinquished the security choices to the provider.
One problem with outsourcing security is that we are still not mature enough to do it right. Most companies view it as a way to completely forget about it.
You have to take a look at the kind of people that you get to work with when you outsource. Even if the days of hiring openly ex-hackers and ex-virus programmers are almost over (at least publicly) you would be surprised of the kind of "jewels" that are out there.
Plain and simple, many are not to be trusted. For example, las time I was hiring someone for an information security position only one out of 5 candidates was found to be ok, and all 5 were working companies that offered security services. Many had one or several certifications recognized in the industry, but none of those would tell you that the guy is involved in drugs and criminal gangs.
On the other hand, to outsource successfully you must know what to ask for and how to measure the quality of the work being done. IT security departments might shrink to a single person, but companies still need at least one well prepared security professional on their side to look after the outsourcer if they expect to have good results.
Look what happens with products, many companies and individuals don't know what they need and have no idea of how to verify that what they bought is being at least somewhat effective. Without appropriate knowledge and a minimum of resources, outsourced services won't be any different.
You can't even get AT&T to install a line in any "reasonable" amount of time, yet you believe they're going to provide acceptable intrusion response? How long would you have to wait on hold to tell them you've got a virus outbreak and your business is down, much less actually speak with a human and get a technician dispatched?
The sentiment is valid - certain functions of IT can and will be downsized and outsourced, but I doubt the security market is ready for today's customer ignoring monopolization.
"If I were Symantec and McAfee, I would be preparing myself for a buyer."
They've already been approached - several times.
Outsourcing? Oh, you mean the CEO calling his sister-in-law's kid because he "knows about computers".
Why would said CEO spend $50K on security services when he can get it done for $100?
There's no doubt that today's security products are crap.
Last week I did a small test of antivirus software. I captured a handful of obvious malware installers from a P2P network, put together a control group of unusual but safe software (packed EXEs, update patch installers, custom security tools), and fed the whole collection to Virustotal.
Out of the products participating in Virustotal,
only one product correctly identified more than 1/3rd of the malware corpus. This product correctly identified the entire malware corpus, but had a 50% false positive rate on the control group. McAfee and Symantec got zero.
I don't care what scores AV products get when they are "impartially" "reviewed" against a static test set. If they can't catch malware that's in the wild today, then they're worse than useless as all they provide is a false sense of security.
Bruce, is that why you are predicting security is going to get worse? :)
Bruce is right and wrong on this one. He's overgeneralizing: IT is infrastructure, and simultaneously it's not infrastructure at all.
Network connectivity is infrastructure; it's something that leads itself naturally to outsourcing. Operating system development is infrastructure; it's something else that leads itself naturally to outsourcing. Network security can be outsourced with the network connectivity - you buy them bundled as a service.
Any IT product that is process related isn't infrastructure... it's embedded, it's organic, and it represents a bigger security threat than infrastructural IT... because people touch it, all the time.
You're never going to be able to completely outsource your ERP integration and have security be part of the package, sorry. You can try, and there's probably a couple hundred vendors who will tell you that they can manage your adoption of Oracle and make it secure; they can't (at least not well, unless they move in with you for a couple of years). For all the reasons that Bruce has mentioned a million times.
"Security is a process, not a product." If you're buying a product, you can buy a product that comes with better security integrated into it (and I agree with his point that this is where the industry is going in a lot of ways). But if you're buying a process, or trying to develop a process with technology embedded in it, you can't buy the security, you have to build it.
I don't particularly disagree with the general points made here. But it plainly doesn't follow that large security companies like Symantec should "prepare for a buyer." Clearly in such a world they are more valuable (and therefore more expensive to buy) as their role in IT is properly recognized and packaged for more customers. As it stands, they're just part of (to use the manufacturing analogy) a supply chain and could very well remain independent. And for our sakes, I hope they do -- such "vertical integration" leads directly to a mono-culture.
minor point, bruce, but if you think IBM buying ISS is an example of a non-security company buying a security company then i think you need to take a closer look at the set of hats IBM has been wearing for quite some time now... security is among them, they even had their own anti-virus product at one point, and developed computer immune system technology...
Hmmm... that was a good point: I think the points in this article contradict Bruce's "Security is a process, not a product," 'cause here he seem to say "security is not a process, not a product, but a feature."
Bizarre, isn't it?
Years ago my old security teacher said that there's a simple rule: You can't outsource security.
If you claim to be able to outsource security, you're actually outsourcing services or technologies that aren't really security but really a part of the 'other' service. This column clearly shows that the writer doesn't understand the essence of what security is. Security is a feeling, or it may be a probability of something unwanted happening but it is not services or technologies.
To anyone who uses closed source proprietary cocksuck-ware:
Do you trust a closed source product? Perhaps even the Windows operating system itself or Mac OS X and its closed nature and applications?
Then you are fucked, period, no exception to the rule, you don't know what that program can do, no really, shutup, you don't. It doesn't matter what some piggy CEO tries to sell you regarding the product, even if these people were telling the truth the programs themselves are often exploited by those with the skills, you can't audit the source, you have no hope of determining a state of security. Often anti-viruses are whitelisted for so-called police-ware, what happens when the hackers exploit these tools? When corporations like Sony push rootkit audio CDs? Or do you think they don't know about them simply because the real deals don't ejaculate their knowledge all over the crusty world wide web?
Switch to FOSS, now, if you value your privacy and security. Don't allow another corporation, organization, or individual to sell you another proprietary product under the guise of security. Go with Linux or OpenBSD, both are free. Stop supporting fat bastards who don't care about you or your security, and are often controlled by rogue governments and corporations and will gladly jump aside and whitelist malware approved by currency being shoved into their greedy anus.
while I agree about your point that "people don't want security, the want a product which (among other features) should be secure", I fail to see what outsourcing has to do with that.
In your essay "A Security Market for Lemons" from May 2007 you seem to have made all the arguments why outsourcing (particularly outsourcing aspects of security) is a bad idea: because, typically, "the buyer can't tell the difference -- at least until he's made his purchase".
I have made this experience in facility management and in utility companies: outsourcing resulted at the beginning in a support mess where basic things worked about as well as before but support in case of a failure/breakdown was considerably less competent. After a while, services were at best back to original level, but usually 10-20% lower for a price that was 10-20% higher. I do not think it will be much different in IT.
To "ignore the issue and just find an infrastructure provider" is simply shifting the problem to the infrastructure provider. He may have a more efficient setup for a basic service, but he is considerably less aware of your company processes - and that (in my limited experience) typically more than offsets the efficient setup - and now you are paying an additional overhead for inserting another administrative layer. The real solution will be somewhere in between outsourcing ("product suites") and employing people by yourself ("best-of-breed", except that a typical company can't afford the best-of-breed and will have to do with more-or-less-average-of-breed). This in-between-point may be quite different from one company to the next, and I don't think that general rules about it can be given.
Bruce, you are wrong regarding security outsourcing.
While it might be right for small companies that lack both the insight and the manpower to have some form of effective security - if any, I seriously doubt its bound to happen for even 200 man corps.
Im not talking about the operating part.
Security is about tradeoffs. These tradeoffs affect, beside your security posture, also liability. Ofcourse this can be mitigated to some degree, but to the extent you can mitigate a website defacement nowadays.
These tradeoffs will be made on a constant base by people and organisation that cannot evaluate and quantify the risk to your organisation. This you can not mitigate by buying a outside service.
Then, theres the point of different agendas, i dont want to start on that one. Hard to mitigate.
These aspects can be to some extent mitigated - by external audits, or insurance, etc. - but you will still have the burden of managing the outsurcer, and thats where the scurity part actually is. Now i seriously doubt you can outsource that.
At present there appears to be insufficient incentives for the software used on the majority of computers (i.e. MS Windows on PCs) to have security designed in. You can't patch on security. I think the analogy of car security is a good one. All current cars have a reasonable level security built in in relation to their value.
Bruce has a point. For you people who think you can't outsource security, you are wrong. Security has come to the point where an organization doesnt want to deal with it anymore. There are tons of services out there that will deal with the problem for you. Companies that will scan your network traffic and block virues, spam, malware, etc.. Companies that will protect your data from leakage. It all comes down to what a company thinks is feasable to protect them from threats.
Some think that by outsourcing your shifting the problem to the service provider. Well you know what. I dont care. Cause its not my problem any more. If my service provider fails to provide me a service that I paid for then I go after the service provider. That is no different than an internal threat coming through and affecting your business processes with the security measures you have in place internally. The only difference is that your now at fault for not having the right measures in place.
"Security has come to the point where an organization doesnt want to deal with it anymore."
Jay, organizations never want to deal with security. They only do when they are forced to. Shifting the problem (to another organization which, by your reasoning, doesn't either want to deal with it) is hardly going to be a viable solution. In the end you will have an endless chain of blame where one end feels the pain, another caused the problem, and the rest don't care at all.
I don't know how this is going to happen, but I agree with Bruce... At the end, the security industry is going to shift towards IT industry as a client. And when this happens, it is going to be better for IT players to buy security companies that pay day after day for its services.
No sé cómo sucederá esto al final, pero estoy de acuerdo con Bruce... Al final, la industria de seguridad va a cambiar hacia la industria de TI como cliente. Y cuando esto suceda, será mejor para los players TI comprar las empresas de seguridad que pagar día tras días por sus servicios.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.