Report Card: 2007 Incite #9 - Help Wanted: Fortune Teller
Keeping with my just-in-time philosophy, it's time to finish up the 2007 Report Card. Which is good timing, since today is the last day of 2007. I wish you and all of those important to you a happy, healthy and prosperous 2008. See you on the other side (of the New Year).
Incite #9: Help Wanted: Fortune Teller
CSOs need to increasingly flex their psychic abilities as exponentially increasing attack surfaces mean new controls must be targeted to protect the most likely targets, which are identified by discerning the true value of corporate business systems and by increasingly sophisticated (and productized) security research. Network behavior analysis allows organizations to “react faster” by understanding network traffic dynamics, but integration with remediation solutions lags, forcing customers to continue to do the heavy lifting themselves.
Days of Incite Link: http://securityincite.com/blog/mike-rothman/2007-doi-day-9-help-wanted-fortune-teller
Incite Redux Link: http://securityincite.com/blog/mike-rothman/incite-redux-july-13-2007
Final grade: C-
We saw the death of responsible disclosure in 2007, and that means security researchers are still big players, but they have leveled the playing field by disclosing vulnerabilities at the same time they tell the vendors.
Honestly, I don’t much care to weigh in on the good vs. bad side of disclosure. It is what it is and I can certainly see the rationale by many of the research folks out there who are done having a big vendor ignore their attempts to do the right thing. The arrogance of many vendors still perplexes me, but whatever…
Ultimately this Incite wasn’t about disclosure; the first part was about the business of security research – which never materialized. Why? Basically, end user organizations won’t pay for what they can get for free. Can they get a “hacker’s eye view” of a new vulnerability? No. Can they get a lot of security research folks’ take on the issue and the workarounds via the wonders of RSS? Absolutely.
Which is exactly what most organizations are doing. CSOs are staying current by monitoring the plethora of information sources out on the Internet. The folks trying to “sell” research just don’t have a compelling enough value proposition to get people to pay – so they won’t and that just reflects pretty pragmatic behavior. Who am I to argue with pragmatism?
The final piece of this Incite is pretty disappointing as well. Security monitoring continues to be a solution looking for a problem. Actually, the thought leaders in this discipline (like Richard Bejtlich) know what the problem is – but the broad market isn’t listening.
I’ve harped all year on the need for organizations to REACT FASTER, and unless you are monitoring your stuff – I don’t know how you do that. But evidently other folks know better than I do, since they continue to do the same old same old and figure the answer will be different. Our networks continue to be infested with bots, our machines compromised, and things are not getting better.
Yet no one wants to slay the sacred cow of “proactive” defense, figuring that new algorithms will solve the false positive issues and allow us to block attacks that we’ve never seen before. Something’s got to give. Maybe 2008 will be the breakthrough year, where monitoring solutions are finally packaged in a way that every organization can use them, or maybe an open-source solution will appear to allow security folks to play a bit with monitoring and learn how powerful a method it is to secure things.
Whatever the answer, I sure hope we are spending more time in 2008 figuring out what is not normal than blocking stuff we’ve never seen.
Check out the other posts in the Report Card series.