AV

Revisiting Big is the New Small

Submitted by Mike Rothman on Mon, 2008-08-04 08:27.

It's been quite a while since I penned the original "Big is the New Small" piece back in February of 2006. Obviously a lot has changed and happened in the security space since then. So I figure on the first Monday in August, I'd revisit that position and figure out if it was still relevant.

To refresh everyone's memory, Big is the New Small was the moniker I came up with to describe why consolidation was happening in security and why it was going to continue. Customers were increasingly fed up with the idea of having to manage multiple products from multiple vendors to handle mature, somewhat commodity functions. And all things being equal, they want to buy these solutions from "Big Security," the large publicly held companies that have staying power.

Much of this has come to pass. The Big have gotten bigger by continuing to acquire technologies to fill out their product families. Large companies have always acquired smaller companies; that's nothing new. And the original concept behind Big is the New Small is that customers were tired of dealing with crappy little vendors. They'd much rather deal with bloated, unresponsive, lumbering vendors.

There are many that cling to the "best of breed" myth. It's even funnier when you think about folks positioning their offerings as "integrated best of breed," whether it happens on the perimeter or on the devices. Or even in security management. Integration/unification and best of breed are opposites. Oil and water. You get the picture. It just doesn't happen.

These ideas also are NOT an indictment of innovation, as many of the small vendors called it. It was a pragmatic view of how the industry is working now. Some choose to fight it, until Big Security swings by with a bag of money. Then they get religion pretty quickly. But even that isn't the point.

The point is that over the last 2 years, customers are looking for security that is "good enough." The main issue is that without anything that is truly innovative (and it's been quite a while since we've seen true innovation in the security space), customers have no choice but to go with good enough. Most of the new companies out there are focused on "better, faster, cheaper" models of improving the way things are already done.

Since security remains an expense and an overhead item, the natural inclination is to minimize cost, and that means buying solutions that aren't the most expensive, but meet the needs in the most cost-effective way. That's what's behind this entire drive to doing security in the cloud. Since it's good enough, we may as well have someone else deal with it.

By no means am I saying that our protection is good enough, it's not. But I don't think it's because we have a lack of tools or knowledge. We collectively suck at protecting information not because we don't know what to do. We suck because we just don't do it. If we would actually use half the crap we've bought, and build a strong and credible security program - things would be a lot better.

Not perfect, but better.

But we don't, so it's not. Thus, good enough is here to stay. And as long as good enough is the primary criterion for most product/service purchases, it favors Big Security. They aren't much, but they are usually good enough.

Photo credit: "Good enough" originally uploaded by russelldavies

Report Card: 2007 Incite #5 - You (Mal)ware it well

Submitted by Mike Rothman on Wed, 2007-12-26 07:54.

Continuing on with the 2007 Report Card series, the next Incite deals with endpoint security and the ever-present malware situation. It certainly seems it's getting worse, but is it still as impactful? Let's see...

Incite #5 - You (Mal)ware it well

The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.
Days of Incite link: http://securityincite.com/blog/mike-rothman/2007-doi-day-5-you-mal-ware-it-well
Incite Redux link: http://securityincite.com/blog/mike-rothman/incite-redux-july-11-2007

Final grade: B+

During a recent speaking engagement on endpoint security, I made the point that malware is pretty much ANYTHING that I don’t want on my desktops. I don’t care if it’s a virus, a worm, a Trojan, a keylogger, or any other bad juju – it shouldn’t be on my machine and I want an integrated endpoint security platform to get rid of it.

The good news is that the vendors have responded. Whether it’s the free stuff focused on consumers, or Big Security that have upgraded their stuff in 2007, we are seeing (finally) the justification for those annual upgrades.

What about these new entrants? Most importantly, big Microsoft was a no-show. They made a lot of noise in the early part of the year, and then… not so much. But that’s OK, since this is part of Microsoft’s playbook. They make a big splash; realize that they have some work to do on the product, disappear for a while and then eventually come back with something that is competitive. Clearly they have disappeared for a while, but in my best Governator voice – they’ll be back.

The reason this is still a B+? The ISPs remain blissfully unaware and unwilling to act to take many of the bots off their networks. And there has been little to no external pressure to force the issue. ISPs continue to ignore the issue, the bot masters continue to run to the bank, and millions of devices out there are just waiting to launch a massive attack on whatever is the next target of choice.

I wish there was any kind of good news on the horizon, but there isn’t. Users will continue to do stupid things, leaving themselves open to being compromised. The best that a corporate security person can do is to monitor their networks and figure out when one of their machines has been compromised. Rebuild it and contain the damage.

I always get a lot of VCs asking me what is hot in security. Where they should invest their money. Unfortunately, the best growth market in security is bots, but I don’t think the limited partners of the VCs would be all that enthusiastic about funding a band of criminals. Although it’s not unprecedented…

Check out the other posts in the Report Card series.

2007 DOI: Day 5 - You (Mal)ware it well

Submitted by Mike Rothman on Tue, 2007-02-20 10:22.

The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

I don’t know much. But I do know that in 2007, the good guys will continue to surf in the wake of the bad guys’ innovation. Whether it’s new and interesting social engineering attacks or new found zero day exploits on client side applications, we’ll see more desktop carnage and mayhem.

Why? The objective of the bad guys is still monetizing owned desktops, via spam, DoS, keyloggers, Trojans and their malware ilk. Hopefully we’ll be able to react faster this year, but continue to expect all sorts of zero day exploits on all sorts of products, both general computing and security specific offerings. 2007 could be the YEAR of client side bugs, as we may not see 365 new ones – but scarily enough, we may come close. Maybe this will convince some software companies out there to finally get their act together on secure coding.

So what will be the response from Big Security? More shit in the bag. It may not be as integrated as it needs to be, but it will be in the same install package. The most fought-over real estate in computing this year will be on the desktop. If the Big AV vendors lose the agent, they are cooked. So you’ll see things like rootkit detection, anti-phishing, whole disk encryption, wireless hygiene, safe web browsing and the like added into AV suites. This is actually a good thing for users, as long as the policy and management get the needed integration as well.

But it’s still about price, and with increasingly sophisticated updating and software distribution infrastructure, the switching costs of a desktop security suite are minimal. So lots of customers will switch. And that creates downward pricing pressure on endpoint security. Though I do expect the public AV vendors to hide the pricing pressure by blurring the lines between product and services revenue. This keeps the financial analysts burning the midnight oil trying to figure out what’s going on. That’s another group I don’t envy.

And though it continues to feel fruitless, don’t give up on user education just yet. Seriously. It takes years of consistent effort to make inroads and an educated user is still one of the best defenses out there. You can’t buy enough technology to stop all the attacks. So the user really is the line of last defense. Keep them ignorant at your own peril.

Dark Reading's Top 10 IT Security Myths Demystified - Part 4

Submitted by Mike Rothman on Wed, 2006-07-26 06:41.

Home stretch baby. Here is Day 4 of the DR Top 10 IT Security Myths posts. The link to the main article is here.

Myth #7 - Hackers are a Necessary Evil (link here)
Just because an attacker can break through security doesn't mean he or she can actually secure it.
Clearly hacking and protecting are different skills. If you spend your time protecting systems and assets, understanding how a hacker thinks is a critical skill. But I guess to me the term "hacker" is kind of arbitrary. Most "hackers" nowadays don't try to break into networks; they let the networks (or the people, that is) come to them. Phishing, pharming and other newfangled social engineering attacks are the new wave of crime, not "hacking."

Now there are some ethical issues to overcome. If someone spent time as a black hat, many organizations won't work with them on principle. I think they are right. I guess there's that whole forgiveness thing, for those that have repented, but if I am looking at two similarly capable folks - one with a clean background and another...not so much - I'm taking the clean person every day of the week. That minimizes risk, and that's what we do for a living, no?

But again, I think this is a poorly written and communicated myth-buster, so it gets a D.

Myth #8 - Antivirus Software is 100% Effective (link here)
AV tools are effective as a means of stopping known bugs, but attackers now routinely design new exploits to bypass them, experts observe.

Does anyone still believe that anything is 100% effective at anything? If so, smack them with a 2x4 HARD. There is no silver bullet and nothing is effective all the time. Nothing. But AV is still important. Why? Because it's all about the old adage, "if you don't remember history, you are bound to repeat it." AV signatures represent the history of malware. If we see the same thing again and we know it's bad, shame on us if we can't stop it.

But there are things that kind of just appear. Zero-day has become a horrifically overused moniker, but the reality is that it takes time to generate the signatures. And in that time, some heuristics-based or anomaly-based detection technique to get an idea that something is bad will help. It's all about layers. Gateway AV is one. Desktop AV is another. Other malware defense mechanisms provide additional layers. So, don't count on anything.

This one is pretty close, so it gets a B+.

We'll wrap this puppy up tomorrow and take it over the finish line. Till then...

Predatory Pricing Paranoia

Submitted by Mike Rothman on Wed, 2006-06-21 08:29.

Given my limited opportunities to rant while I'm on vacation, I'll need to make this short. I just read Alex Eckelberry's piece (link here) lambasting Microsoft's security product pricing (for OneCare and Antigen) and I need to call bunk on this. This feels like more of a marketing stunt than a legitimate discussion.

To be clear, I am no Microsoft lover. With the exception of Office, I run away from Microsoft software as a matter of course. I'd throw out my desktop PC if I hadn't bought it a year ago. They've boned security since they started trying to be a player. But Microsoft is in every technology market, so I'm perplexed that smart, experienced folks like Alex would expect Microsoft to not try to be a player in security. He also ends the piece by intimating Microsoft owning the security market could be a threat to national security. I think he's been watching a bit too much "24" lately. Give me a friggin' break.

Alex believes that pricing will make Microsoft the security leader and that they are going to "kill their competition" by pricing lower than the other guys. I don't buy it. Customers (even small customers) do not buy crappy security products. If the product doesn't work, then the market will not buy. It's as simple as that. So if Microsoft doesn't have a product as good as (or better than) the other guys', I contend that customers will not migrate. In this space, Symantec is the incumbent and you need to knock the incumbent on its ass to displace a customer.

I also want to point out that Symantec and McAfee's current pricing levels are a result of them systematically raising prices over the past 5 years. To my knowledge, AV is the only technology market where prices have consistently gone UP over time. The Big Yellow and McAfee have had customers over a barrel for the past 5 years, and now Alex is shedding a tear because someone that could possibly compete and do the right thing for customers (which is to add functionality for a lower price) is going to hurt McAfee and Symantec. Sorry, but I'll keep the Kleenex in my pocket.

Innovation drives technology markets and candidly, neither Symantec nor McAfee has done much innovating in the AV suite for a long time. They added anti-spyware because they had to, Webroot (and even SunBelt) was poking them in the eye. McAfee adding SiteAdvisor was the first innovative thing I've seen in years out of these folks. As I mentioned quite a while ago (read the Genesis post here), shame on Symantec for letting Microsoft redefine the desktop security market as a service including backup. Symantec should have done this long ago. But they were too busy milking their cash cow.

Don't feel bad for these guys. Seriously. Darwin is alive and well, and if you don't innovate - you go away. Yes it's brutal, but it's the reality of commodity markets. And prices go down in commodity technology markets, whether Alex likes that answer or not.

Finally, Alex finishes with no suggestions for how to derail Microsoft's march on the security market. This is a cop out. I'll point to an example in the retail space. Smaller, local retailers that couldn't compete got slaughtered when Wal-Mart came to town. Others tried to stop progress through legislation (not allowing Wal-Mart to build). That is a short term solution and doesn't fix the root cause of the problem - a distinct lack of innovation and inability to add value. Retailers that either had better service or a unique value proposition welcomed Wal-Mart because it made their uniqueness that much more apparent.

I have a suggestion for everyone out there. Take the lead of folks like Intuit, Oracle and now Google, who have beaten Microsoft back as a matter of course for years and years. Get off your ass and solve some customer problems, as opposed to crying about big bad Microsoft coming to your town.

Symantec gets poked in the eEye

Submitted by Mike Rothman on Thu, 2006-05-25 17:43.

eEye has found a pretty serious vulnerability in Symantec's AV software. You've probably already read about it (Stiennon covered it - http://blogs.zdnet.com/threatchaos/?p=334 and here is the AP link). The fact that the vulnerability exists is not what's interesting.

It's that eEye has disclosed that it found the vulnerability this week, notified Symantec and is not telling anyone any specifics until the patch is released. It kind of turns the public relations aspect of vulnerability hunting on its ear.

Clearly not satisfied with getting credit at the bottom of the security alert, eEye disclosed the vulnerability to get full credit now and also to make the public point that their host intrusion protection product protects against the flaw. That leads me to believe that most HIPS products will stop the attack.

Of course, this attack is already a non-issue because once Symantec patches the hole, the updates will be automagically distributed to all of the vulnerable software. So everyone is getting worked up about an exposure that will be patched before any real details come to light. 

I'm not sure I'm cool with this "I found something but I'm not telling you about it" approach. It is clearly better than fully and publicly disclosing the issue (and how to exploit it) with no warning. But since this is a PR strategy for eEye, they couldn't have waited until the patch was out, because then their ability to say that their HIPS product stops the attack would be gone.

So I guess we'll need to get used to this. Vulnerabilities will be found and sort of disclosed, but without enough information to cause damage. And PR folks will stay very busy working the media up into a frenzy for an attack that will never amount to anything.


Surprise! Vendors Trying to Capitalize on Mac Vulnerabilities

Submitted by Mike Rothman on Mon, 2006-02-27 17:24.

Stop the presses! Analyst Rob Enderle has caught security vendors being...security vendors. Here is InformationWeek's coverage of the news that security vendors are trying to capitalize on these new Mac OS vulnerabilities.

His big issue is that because the security vendors have publicized the vulnerabilities, the hacker community got to work on exploit code. That is crap and a very flawed argument. First of all, it's not like these vulnerabilities are a secret. Every security vendor shares information and there is a big open source community focused on vulnerabilities as well. So it's not like you can really keep this stuff a secret. And the fact that Apple had a fix very soon after the announcement indicates that these issues were not surprises to them.

Secondly, the architecture of the Mac OS means that even if you are infected, it will be hard to get exponential proliferation of the worm. But to think that security vendors wouldn't try to use this as a marketing hook is naive. How many press releases do we see after every Microsoft Patch Tuesday? You know the headlines: "Vendor A's groundbreaking ferpolator stops nasty Microsoft problem before it's an issue." We see at least 15 of these for every high profile issue announced.

Did security vendors take some kind of oath that they wouldn't market their wares opportunistically? Give me a break! The AV vendors are trying to make their numbers like everybody else, so why vilify them because they are doing their job?

Now the onus is on end users to figure out whether there is anything to the hype or not. Personally, I think it's a non-issue. That being said, I am in the process of buying an AV product for my Mac. I've just been lazy and it's this kind of thing that is a buying catalyst for someone like me, and probably lots of other people. I'd rather be safe (and $40 poorer) than nailed if something really does happen.

So I will buy the insurance. But don't shoot the friggin' insurance salesman because he brings up the issue that someday you might die.