Day 4 of Incite: Losing the Religion
Everyone finally realizes in 2006 that regardless of technical approach (IDS vs. IPS vs. firewalls vs. anomaly detection) it’s all about detecting and blocking malware quickly and effectively. Users expect to see multiple techniques implemented, spurring another wave of consolidation as vendors look to bring complete enterprise-class UTM solutions to market.
Religion is one of those topics that I don’t discuss with much of anyone. I believe what I believe, and you can believe what you believe. Different strokes for different folks, no?
But in the security business it’s never that easy. When vendors are trying to show why their approach is superior, which will entice you to buy their product, religion is VERY important. Outside of a few sleeper cells, it’s hard to find a more religious group of folks than security CTOs espousing the merits of their techniques for putting a stop to the latest attacks.
Is intrusion detection dead, as our friends at Gartner projected a couple of years ago? Does intrusion prevention meet the need? Is anomaly detection the new thing, that is finally about to break out? Are those the right questions, or are we just passing the time until we see something in 2006 that renders all of the existing techniques useless?
I’ll let you in on a little secret. Customers don’t care. Let me say that again to make sure you got it. CUSTOMERS DON’T CARE.
I know all you end users out there are nodding your collective heads. You just want the problem to go away. Stop the worms, stop the zero day attacks, stop the malware, spyware and all the other “wares,” that keep you up at night. As security continues to mature as a business, the market will care less and less about how something works, just that it works.
Do you think customers care whether MySQL uses the same query optimization techniques as Oracle? What about whether Cisco and Juniper use the same implementation of BGP? Right, you don’t care. You want to get your data and you want the network to be fast. The other stuff is just filler to be put into RFPs.
But I digress. Let’s compare some press releases that were issued as a result of the recent WMF vulnerability.
- TippingPoint Preemptively Protects Customers Against Microsoft Vulnerabilities, Including Metafile Vulnerability
- Internet Security Systems Preemptively Protects Customers Against Windows Meta File (WMF) Exploits
- Third Brigade's Host Intrusion Prevention System Stops Attacks That Could Exploit New Microsoft Vulnerability
All three of these vendors use different and/or multiple techniques to “proactively” stop exploitation of the vulnerability, with the same results (if you believe the releases anyway). What’s the difference between how the TippingPoint box and the Third Brigade software stop the attack? ISS has multiple products that can address the issue; which one should you use? How is that different from what the other two are doing? Right, that’s the point. It doesn’t matter: as long as the exposure is contained, you are cool.
Now let’s examine the same phenomenon within a specific sector. Take anti-spam, which is something I know a little about. Are signatures or heuristics the right approach? It only matters if you are a sales person trying to differentiate the product. A customer doesn’t care, as long as it stops the spam. All of the recent tests have yielded very similar results regardless of which technique is used. So customers are using the religion to pit one vendor against the other and drive the prices down. Free market economics at work!
So, all of that being said, each technique does have certain strengths and certain weaknesses. Many of us have studied the theory of “Defense in Depth,” which says do more rather than less, and as long as the defenses are complementary, your security effectiveness will go up. So, the long term answer for the vendors is to do everything. For example, absolutely do signatures AND heuristics to detect spam. But, here’s the kicker – shield customers from the complexity of these multiple techniques, because they don’t care.
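The layered approach argued for above, as an added Python example that is not code from this post or from any vendor it names: a literal signature layer and a heuristic layer run over constructed sample messages, so you can see where each layer catches what the other misses. The signature phrases, the leetspeak map, the trait weights and the threshold are all assumptions chosen for the illustration, not a real product's rule set.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Layer 1: exact-phrase signatures. Constructed for this example, not a vendor's list.
SIGNATURES = {
    "sig-lottery": "you have been selected as a winner",
    "sig-pharma": "cheap prescription meds",
}

# Assumed leetspeak map used by the heuristic layer to undo simple obfuscation.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

# Constructed sample messages (example.invalid is a reserved, non-routable name).
SAMPLES = {
    # Clean, quiet wording: heuristics see nothing, but the phrase is on the signature list.
    "plain_signature": "Hello, you have been selected as a winner of our annual draw. Reply to claim.",
    # Same lure with digit substitution: the literal signature misses, the heuristics fire.
    "obfuscated": "Y0U HAVE BEEN SELECTED AS A W1NNER!!! FREE PRIZE at http://example.invalid",
    # Ordinary business mail: neither layer should convict it.
    "legit": "Hi team, the Q3 report is attached. Let me know if the numbers look off. Thanks!",
}


@dataclass
class Verdict:
    spam: bool
    score: float
    signature_hits: list[str]
    heuristic_hits: list[str]


def signature_layer(body: str) -> list[str]:
    """Literal phrase match: precise and cheap, but blind to any variation."""
    text = body.lower()
    return [name for name, phrase in SIGNATURES.items() if phrase in text]


def heuristic_layer(body: str) -> tuple[float, list[str]]:
    """Weighted spam-like traits: fuzzy, catches variants, can false-positive."""
    score, hits = 0.0, []
    letters = [c for c in body if c.isalpha()]
    if letters and sum(c.isupper() for c in letters) / len(letters) > 0.5:
        score += 1.5
        hits.append("shouting")
    if body.count("!") >= 3:
        score += 1.0
        hits.append("exclamations")
    # A digit or symbol wedged between letters is a classic filter-evasion trick.
    if re.search(r"[a-z][0-9@$][a-z]", body.lower()):
        score += 2.0
        hits.append("obfuscated-words")
    # Undo leetspeak before looking for a link paired with a money lure.
    normalised = body.lower().translate(LEET)
    if re.search(r"https?://", normalised) and re.search(
        r"\b(free|winner|prize|cash)\b", normalised
    ):
        score += 2.0
        hits.append("url+money-lure")
    return score, hits


def classify(body: str, threshold: float = 3.0) -> Verdict:
    """Either layer alone can convict; a signature hit is treated as decisive."""
    sigs = signature_layer(body)
    score, heur = heuristic_layer(body)
    return Verdict(
        spam=bool(sigs) or score >= threshold,
        score=score,
        signature_hits=sigs,
        heuristic_hits=heur,
    )


def report() -> dict[str, Verdict]:
    """Classify every sample; the caller sees one verdict, not which layer fired."""
    return {name: classify(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:16} spam={verdict.spam} score={verdict.score} "
              f"sigs={verdict.signature_hits} heur={verdict.heuristic_hits}")
```

The point of the two layers is visible in the verdicts: the quietly worded message scores zero on heuristics and is caught only by the signature, the shouted leetspeak variant slips past the literal signature and is caught only by the heuristics, and the legitimate mail passes both. The customer sees a single spam/not-spam answer; which layer fired is an implementation detail.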
We will see further consolidation in 2006, driven by this need to hedge the bet on which techniques are ultimately most effective. Once all of the techniques are available from one vendor, why would customers want separate boxes? They don’t, so this will spur the need to roll out enterprise class unified threat management (UTM) devices that actually provide all of the techniques in an integrated package. Remember the rallying cry: No mas box!
That’s Day 4. Tomorrow we’ll switch gears a bit and discuss endpoint security.