Nice Essay on Security Snake Oil

This is good:

Just as "data" is being sold as "intelligence", a lot of security technologies are being sold as "security solutions" rather than what they for the most part are, namely very narrow focused appliances that as a best case can be part of your broader security effort.

Too many of these appliances do unfortunately not easily integrate with other appliances or with the rest of your security portfolio, or with your policies and procedures. Instead, they are created to work and be operated as completely stand-alone devices. This really is not what we need. To quote Alex Stamos, we need platforms. Reusable platforms that easily integrate with whatever else we decide to put into our security effort.

Slashdot thread.

Posted on April 28, 2015 at 6:21 AM • 10 Comments

Comments

Rufo Guerreschi April 28, 2015 6:56 AM

We are building one such platform, with full sw/hw stack, from user-accountable standard body, to fabrication oversight to onion routing nodes: User Verified Social Telematics

Emily Baehr April 28, 2015 7:23 AM

What do you (or other commenters) think of Maltego? And would it work with this onion thing the above commenter mentioned?

Adam Montville April 28, 2015 8:09 AM

We do need platforms, and those platforms need to be based on international standards being developed within international standards bodies. The platforms need to understand the IT business processes being supported - HW/SW inventory, configuration management, vulnerability management, incident response, and so on.

There are several such efforts underway within the Internet Engineering Task Force: Security Automation and Continuous Monitoring [1], Managed Incident Lightweight Exchange [2], Interface to Network Security Functions [3] (not yet chartered), DDoS Open Threat Signaling [4] (not yet chartered).

I encourage anyone interested in establishing an interoperable information security platform to engage in one or more of these open standardization efforts.

[1] http://datatracker.ietf.org/wg/sacm/charter/
[2] http://datatracker.ietf.org/wg/mile/charter/
[3] http://datatracker.ietf.org/wg/i2nsf/charter/
[4] http://datatracker.ietf.org/wg/dots/charter/

Martin Walsh April 28, 2015 8:43 AM

"We're the experts. If anyone is going to come up with improved security it would be us. But since you ain't us, your product is no good."

Martin Walsh April 28, 2015 9:22 AM

"Yes, our records were compromised four times last year, but don't worry. We're COMPLIANT. Besides, the experts determined it was only because someone in the sales dept clicked on something and that led to the breach. So from now on, no one will click on anything."

Martin Walsh April 28, 2015 9:29 AM

"Hey everybody, this is the big cyber-innovation contest announcement! That's right, submit your security innovations now. Our team of experts from the Federal Government will review your ideas and let you know if they're any good or not. You might even win a prize!"

Nick P April 28, 2015 11:31 AM

@ Bruce

He was right up until companies needing to build a platform. I've previously detailed how companies repeatedly tried to go against the flow by building secure platforms. Intel and partners lost around a billion on capability-secure products supporting high-level languages. Most simpler schemes that protected code or pointers at little cost went nowhere. The web servers, DNS appliances, VPNs, and so on with strong security have been mostly ignored or gone bankrupt. With Solaris 10 costing $200+ million, who in their right mind would spend that plus security engineering costs on a new platform when the market never buys them?

In all likelihood, people would build a platform which Stamos would reject on grounds of cost, speed, incompatible with insecure standard X, not backward compatible with insecure product Y, doesn't leverage insecure language Z, and so on. He gives us a hint with the nanosecond line. Good news is I've got schemes for highly securing against code injection with minimal modifications to processor or OS. He might accept or fund something like that.

Yet, with market always rejecting secure products, there's very little incentive for anyone with money to spend millions to create and market new ones. The market should show some incentive by voting with their wallets on existing high security products. That might be a start.

Coyne Tibbets April 28, 2015 11:37 PM

Too many of these appliances do unfortunately not easily integrate with other appliances or with the rest of your security portfolio, or with your policies and procedures. Instead, they are created to work and be operated as completely stand-alone devices.

It could be worse: We could get devices subject to the add-on rules. "Well, yes, we realize you spent a million on this device and we promised it would do X, and it will, but only if you add on device B and C and D and E and ...."

Thoth April 29, 2015 1:01 AM

How well a product sells is quite standard. Most people would look at usability and convenience. You can sell a ton of security features, but the user has to go through a good deal of trouble just to get probably an email encrypted (PGP encryption?), and few people would want that sort of trouble.

Secure products do sell well if the security features are part of the product's strong points and provide convenience.

Not to forget, most "secure products" like the HSMs are only CC EAL 4+ like the Safenet Luna and Thales nCipher HSMs and compared to ordinary OSes like Windows, OpenBSD and Linux, they are all CC EAL 4+ certified too !!!

Most security is not user-friendly and does not integrate well into common appliances. What is necessary is security that integrates into common appliances.

Not to forget, a ton of Govt Security products like secure portable computing devices and high security military appliances advertise themselves to work with common appliances like Windows OSes (yucks but true).

"Don't let a vendor get away with hand-waving, proprietary solutions, or opaque assurances. If you don't understand how it works — really understand it, mind you! — or you don't see how it will integrate with the rest of your security effort, don't buy it."

This line stands out (reminds me of what's going on around me), and most vendors love to do their sales hype. Be very careful and be very alert. I have reviewed a few security products, and that hand-waving in the security industry is a huge thing, and they are getting better at blinding their buyers year after year. Knowledge and experience are your only armour, as that's what's going to save you from trouble.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.