The IT Security Ecosystem – Time for Some Constructive Disruption

In a quiet moment in the middle of what was an exceptionally busy day yesterday I took the opportunity to walk through the length of the RSA exhibit hall. And that is when it really hit me: when you are at RSA you are looking into a fascinating ecosystem. One that has good guys and bad guys, successes and failures, an established upper class and driven climbers. And it is an ecosystem that is self-sustaining, with the ultimate irony being that the bad guys the ecosystem was created to protect us against are the fuel that keeps the whole system running. And I would add that it is an ecosystem that no one seems to want to disturb, even if it may no longer be serving the best interests of the IT security user.

It all started with Microsoft and the proliferation of computers on the endpoint. This created an industry of people who looked to penetrate these machines.  At first, these attacks were just relatively disruptive, but it has evolved into serious, financially driven cyber crime.   As a result, an industry of defensive software was built on the notion that a hashed signature of maliciously intended software would protect our endpoint machines. 

This in turn started an interesting game of cat and mouse, as hackers sought new vulnerabilities and ways to evade this new defensive software.  Microsoft and other development shops fed the game by releasing software with plenty of vulnerabilities to exploit, complete with a strange new ritual called Patch Tuesday to discuss these vulnerabilities in a large ongoing public forum.   The bad guys of course leapt upon these vulnerabilities, which created new attacks that had to be addressed by new signatures.  

Rinse, repeat.

Lots of defensive software gets sold, lots of people make money (good guys and bad guys alike), and the ecosystem grows and flourishes. And for those to whom the system provides a lucrative living, there is very little motivation to interrupt it. (As a disclaimer, the IT security industry has been the revenue source by which I pay my mortgage for some time, so I guess I am part of the ecosystem.) Even the customers served by the system are content to leave it the way it is and live under a perception of false security, even when the statistics tell a different story. Because as long as they are not the ones targeted by these attacks (as far as they know), they prefer to feel secure rather than see that the system is in fact flawed.

The statistics are everywhere, so I won’t grind through them again.  Signature-based defensive software is simply no longer sustainable, and in spite of the flourishing ecosystem, more data was lost last year than the previous four years combined according to the Verizon Business 2009 Data Breach Investigations Report.  The neatly constructed ecosystem is unraveling like a cheap sweater and all of the flash and glitz and messaging on display at RSA cannot change that fact.

To be clear, I am not accusing IT security companies of something evil, premeditated, or contrived. These companies are full of bright, thoughtful and innovative people who by and large have a passion for security. And Microsoft is no evil Darth Vader. Nobody ever sets out to build a comfortably numb ecosystem like the one we have today; it forms gradually over time and is established before you even know you are in it.

We are at a crossroads.  Only time will tell if the industry is willing to make the necessary change constructively or if it will be dragged kicking and screaming because the customers eventually decided that, happy ecosystem or not, they are not being served.  Either way, it will likely be a very eventful 3-5 years for IT security.

About Jim Ivers
Jim Ivers is the Chief Security Strategist at Triumfant
