RSA Conference 2012 Fearless Forecast – The Cloud of FUD

Next week, something insidious and life-choking will settle over the San Francisco Bay area and threaten everyone with confusion, nausea, and full loss of body hair.

The cloud of FUD.

For you South Park fans, yes, this is far more dangerous than the Cloud of Smug introduced in one of the classic South Park episodes (The Perfect Storm of Self Satisfaction). In the episode, the South Park residents begin to purchase hybrid cars (the Toyonda Pious) in large numbers, and their self-satisfaction in their eco-friendly ways creates a dangerous cloud of smug.  Unfortunately, the South Park cloud collides with two other clouds of smug, one from the general self-satisfaction of the SF Bay inhabitants and a rogue cloud from George Clooney’s Academy Award speech.  This creates the perfect storm of self-satisfaction with catastrophic results, destroying San Francisco and causing general havoc in South Park.

The RSA Conference is next week, and the amount of FUD in any normal RSA week can be problematic.  But this year, the IT security world is at an interesting crossroads.  The underpinnings of trust have been called into question through breaches of companies like Diginotar, and more recently, VeriSign.  Analysis released last week called into question encryption algorithms used by RSA, who is still reeling from a highly public breach last year. Studies indicate that breaches are on the rise, and targeted attacks (including the Advanced Persistent Threat) are hitting their mark with increasing frequency.  And we have no idea how many breaches are yet undiscovered and when we do discover them, we lack the tools to fully assess the damage.  The public disclosure of the VeriSign breach included language from VeriSign management that they were still not quite sure what had been stolen, in spite of the breach occurring in 2010.   Attacks like Duqu were illustrative of the growing sophistication in data gathering techniques to build even more sophisticated follow-on attacks.

We have entered a new phase in IT security to be sure, and all of this uncertainty will amplify the FUD volume to deafening levels.  That is because while there are several innovative companies offering real solutions to these new problems, the majority are scrambling.  When companies scramble in the IT security market, the result is a Perfect Storm of Self Preservation.  Those who lack real answers will look to duck and cover, and the predictable result will be epic volumes of FUD with a healthy undercurrent of smug.

Seriously, we should consider renaming the RSA 2012 exhibit area FUDapalooza! I am not talking about the usual “hamster wheels of pain”, “yes, I do that” (before a question is asked) level of FUD.  This will be highly advanced, super concentrated FUD.

For example, everyone, including the nice people that serve old, stale sandwiches in the lobby for $18, will have “The Solution for the Advanced Persistent Threat”.  Everyone will have the “Next Generation of Threat Protection” and “Your Weapon for Cyber Warfare”.  Companies that went the M&A route will have the “First Truly Comprehensive Security Suite/Platform”.  The large, “usual suspect” companies with the huge booths at the center of the floor will promise to plug the massive gaps that studies now show their own products to have.

I remember my first RSA Conference in 2005.  I was immediately struck by the signal to noise ratio (very little signal, copious amounts of noise) and lack of clear messaging and differentiation on the exhibit floor.  One of the more popular posts for this blog was about the animals you will see at RSA.  I can only imagine what 2012 will be like.

At the end of the South Park episode, Kyle points out to the citizens that driving a hybrid is really a good thing, but they have to learn to drive them without being smug.  The townspeople go back to their old gas guzzling cars, saying that “it’s simply asking too much”.  The RSA Conference could be an excellent place to explore ways to meet the new challenges we collectively face today.  Unfortunately, I think for most of my vendor comrades “it’s simply asking too much”, and most will instead take the Gladiator approach and unleash FUD hell.

The Cloud of FUD is coming.  Bring your Hazmat suit.

The Evidence is Overwhelming: Organizations are not Prepared for the Inevitable Breach

84 and 173.5.

These are two significant statistics I picked up from the “Trustwave 2012 Global Security Report”.  I downloaded the report yesterday to review the analysis and the salient numbers from the study.  If you read this blog, you know I quote liberally from the “Verizon Business 2011 Data Breach Investigations Report”.  I felt it prudent to see if the Trustwave report aligned with the VBDBIR and my frequent calls to wake up and smell the coffee about breaches.

The short answer is that they do and it does.  84 represents the percentage of breaches that were discovered by someone other than the breached organization.  This aligns with the VBDBIR number of 86%.  I noted that the 84% is actually up from the 2011 Trustwave Report number of 80%.

The numbers on self-detection are of interest to me for two reasons.  One, they scream that organizations are quite ill-equipped to detect a breach and the problem is getting worse.  They dump money in pursuit of the perfect shield, but are essentially unable to know when those shields fail.  And frankly, if I have to convince you that your shields are failing, you may be in the wrong profession.

Second, they underscore that when an organization gets breached, knowledge of the breach is not being contained within the organizational walls.  If a third party finds it, the secret is out.  Organizations cannot ignore the reputational risk that comes from a breach. And there is a coming storm of breach notification legislation that will make the problem even harder to ignore.

The real thunderbolt comes from the 173.5.  Because 173.5 is the average number of days between the initial infiltration and discovery for those attacks discovered by third parties.  173.5 represents the average amount of time that the adversary has free access to the systems and confidential information of the attacked organization.  The report notes that for companies with active discovery initiatives, this number goes down to 43 days.  Better, but no less unacceptable.

I will say it again (and again, and again).  Organizations are going to be breached.  Organizations are not equipped to detect breaches, and once a breach is detected, organizations are not equipped and prepared to respond.  Stop trying to build the perfect shield, step back, and address your exposure to breaches now.  Embrace the fact that you will be breached, and build a rapid detection and response capability.

Need to see something beyond statistics? Just today an article on the Wall Street Journal Online noted that Nortel had been breached without detection for over ten years.  The article discusses SEC breach notification guidelines and the impact on acquiring companies, the potential impact of the breach on Nortel equipment, and implies that the breaches may have contributed to the ultimate decline of the company.

The lesson is simple really.  The Trustwave report and the Nortel story show (again) that while you are busily trying to build that perfect shield, you may already have an adversary working undetected on your systems with relative impunity.

Targeted Attacks Versus Advanced Persistent Threat – Pragmatic Versus Dogmatic

In some circles of IT security, debating the exact definition of what constitutes an Advanced Persistent Threat (APT) is far more incendiary than debating politics or religion.   I was forced to wade into these tumultuous waters this week as I was making updates to the Triumfant Web site.   Specifically, I was curious to see if there was some industry consensus as to the dividing line between the two classifications. Silly me.  I should have known better.

The volatile nature of the definition of APT makes the dividing line between targeted attacks and APT equally volatile.  The industry has not settled on any one dimension to distinguish an APT attack, much less a specific point on that dimension.  For some, APT is determined by the nature of the attack, or the target of the attack.  Some, most notably Richard Bejtlich (@taosecurity), define APT by the threat actor.

After some research, it became obvious that the one thing the debate needed was yet another attempt to differentiate APT attacks and targeted attacks, and being shallow and self-centered, I knew I was just the guy for the job.  My simple classification came down to pragmatic (targeted attacks) versus dogmatic (APT) and actually incorporates most of the elements of the debate.

At the high level, I consider APT attacks as a subset of the broader category of targeted attacks as both are attacks written to perform a specific purpose against a specific target.  Both value stealth and seek long-term infiltrations.  Both involve sophisticated adversaries that often use many of the same techniques.  Given the two categories are not exclusive, what I am attempting to capture is the point where a targeted attack becomes an APT.

Targeted attacks are pragmatic because their motivation, and therefore their approach and behavior, lies in monetary gain.  A targeted attack is likely designed to extract confidential information or intellectual property.  It is conceivable that the attack could be disruptive, but pragmatically, disruption does not provide a return on investment.   Targeted attacks value stealth and long-term infiltration, but only to the point where they serve the pragmatic need.   Not quite smash and grab, but not the longer-term persistence sought with APT.  Targeted attacks rely heavily on techniques that leverage human nature (social engineering) because the adversary lacks access to the human-gathered intelligence available to the APT threat actor. Finally, a targeted attack may be reusable against other targets, albeit with some modification and mutation of the malware.

I use the term dogmatic to describe APT attacks because APT attacks are largely driven by emotional/philosophical motivations, primarily politics.  This places higher value on stealth and persistence than a targeted attack because it affords the adversary the freedom to alter post-infiltration activity in response to evolving external events.   This is the proverbial low and slow approach that places high value on maintaining an established presence in the targeted system or network.  APT attacks may also be broader in their impact on the targeted organization because disruption may provide the same political impact as exfiltration.  APT attacks often consist of multiple parallel attacks to ensure infiltration and to ensure that discovery of one path does not cut off presence in the network.   That is because a pragmatic adversary may be able to move on to the next target, but the target for a dogmatic adversary is dictated by the politics of the moment.

I am going to be very candid and say that I really have no real emotional or professional stake in this debate.  Triumfant excels at detecting these attacks, and the dividing line has no effect on that capability.  I was simply creating a web page on targeted attack detection and a separate page for APT detection, and I was doing the due diligence to be as accurate as possible.  Why separate pages? Both terms (“targeted attacks” and “advanced persistent threat”) are frequently used search terms, so it was all about providing information to those who get to the Triumfant site through organic search.

So there is my take on the debate.  Not sure if the pragmatic versus dogmatic designation helps, but it resonated with me, so who am I to not feed the fire?


VeriSign Breached – Who Can You Trust Redux

It was reported by Reuters today (“Key Internet operator VeriSign hit by hackers”) that VeriSign has disclosed that the company was hacked in 2010.  This is significant at many levels.

First, VeriSign essentially handles the credentials for over half of all Web sites, specifically sites ending in .com, .net and .gov.  VeriSign executives could only say that they “do not believe” that the critical domain name services were compromised, leading many to speculate that VeriSign does not yet know the extent of the breach.  And even if the domain name services were not compromised, compromise of any of VeriSign’s other services could still represent significant risk to a very large number of companies and government agencies.

Given that VeriSign has not been forthcoming with details and frankly does not seem to know yet the full extent of the breach, the security of an enormous number of Web sites is in question this morning.  I am not sure that this can be overstated.  Depending on what we learn about this breach, the tectonic plates of online security may have just shifted significantly.

Second, the VeriSign breach is a huge blow to the topic of trust on the Internet (see the blog post “Certificate Authorities Hacked – So Who Can You Trust?”).  This trust was already significantly impacted by the RSA breach last year and the compromise of several certificate authorities (CAs) such as DigiNotar.  But the aggregate effect of these breaches, in my opinion, is dwarfed by a compromise of VeriSign.  Consider that the “s” in “https” is based on Secure Sockets Layer (SSL) certificates, the majority of which are issued by VeriSign.  Suddenly the ubiquitous lock icon and green indicator of web site trust do not feel so secure and trustworthy.  The past months have been filled with questions about the trustworthiness of SSL, and this breach will pour gasoline on that fire. In a broader sense, the article points out that the RSA and VeriSign attacks are designed to undermine the fundamental underpinnings of authentication.  This puts all transactions – business, government, personal – at risk.

Third, the VeriSign breach came to light in a 10-Q filing with the SEC that listed the breach in accordance with the new SEC guidance on breach disclosure.  Reuters did a search of such disclosures and found the VeriSign admission.  Without the SEC guidance, this breach may never have come to light, and the companies that trust the integrity of VeriSign’s services would never have known.  I draw the conclusion that there was no communication from VeriSign to its customers, given that the CTO of VeriSign at the time of the breach learned about the problem from Reuters.

The potential impact of this breach could make this event the tipping point in the call for stricter guidance and perhaps even legislative action in regard to breach disclosure (see “Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement”). Proponents will have a field day with the idea that VeriSign may never have disclosed the breach without the SEC guidance.  But opposition to such action will also use the event as an argument against such action. The article intimates that the breach is a persistent attack done by a nation-state, or an Advanced Persistent Threat attack.  Such an attack at a company such as VeriSign has far-reaching impact on national security, so there are those who would not want the attack disclosed before there was reasonable time to perform analysis, attribution, and potentially launch a counter attack.  Mix this attack in with a presidential election year and I predict the skies will darken with calls and counter arguments for legislation.

Fourth, this event may finally take many over the emotional hump of clinging to the hope that 100% prevention is still possible (see “The Emotional Barriers to Embracing the Presumption of Breach Doctrine”).  The article quotes security consultant Dmitri Alperovitch as saying “prevention is futile”.  Those who have clung doggedly to prevention in the face of mounting evidence will find it hard to continue to do so.  It is okay.  Those of us who have already accepted the inevitable are here, waiting for you without judgement.  Just let go.

Fifth.  I will have much more to say about this subject, but notice that although the breach happened in 2010, VeriSign still does not know the extent of the damage.  There were even intimations that they may not have completely eradicated the adversary from their systems.  This is proof to my ongoing statement that organizations are not equipped to detect, analyze, and respond to breaches.  Trust me when I say I have much more to say on this topic in the very near term.

Watching this story unfold should prove to be quite interesting.  Quite interesting.

Prediction Regarding Data Breach Detection – Soon to be a Regulatory Requirement

In a post last week titled “Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light”, I noted that the proposed European Union data protection rules would impose fines against organizations who did not report data breaches in a timely manner.  After that post I came across a story (“Companies worry about SEC’s advice to disclose cyberthreats”) in the San Jose Mercury News that noted that the SEC is continuing to amp up the pressure on companies to disclose breaches in their public disclosures.

I am not usually in the prediction business, but I noted in a blog post on February 25, 2010 titled “Intel Notes Attack on 10K – Are We Heading to Mandated Disclosure of Cyber Attacks?” that the SEC might soon mandate disclosure of breaches.  Given the increasingly digital economy, it would make sense that investors would consider breaches material information.

I am old enough to have seen similar patterns through the years.  Guidance by the SEC is one very public data breach away from being regulation, and those organizations that read the tea leaves and are prepared have a distinct advantage over those who ignore the signs and signals and are forced to play catch-up.

So I will break from form and make a prediction: by the New Year, we will either have or will be on the way to having multiple regulatory provisions that will require prompt (24 hour) notification of breaches.  Organizations can scramble then, or they can start looking at technologies (like Triumfant) that are focused on detecting the attacks that evade their protection software (shields).  Given that knowing when (again, the IF ship has sailed) you have been breached is critical information that every organization should want and have anyway, this is not the worst initiative ever catalyzed by regulatory mandate.

Why not beat the rush?

Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light

Recently proposed updates to the European Union’s data protection rules may force companies in the U.S. and abroad to take a hard look at solutions that tell them when they have been breached.  According to a WSJ article, the proposed updates will affect U.S. companies that “are active in the EU and offer their services to EU citizens”.

Of specific note is the requirement to notify authorities and customers of data breaches within 24 hours.  Breach notification laws are not new and there are notification statutes in the U.S. at the state level.  But the breadth of the EU provisions, the 24-hour requirement, and the fines for noncompliance have seriously amplified the debate.

In particular, the 24-hour requirement has companies really nervous.  This is justified when you consider that the Verizon Business 2011 Data Breach Investigations Report showed that less than 5% of data breaches were discovered in the first 24 hours.   An article on the EU updates in CSO Online leads with the subheading “Many companies don’t have the sophisticated systems for identifying breaches in the first place”.

I have no sympathy here.  There are solutions that can detect an intrusion to corporate systems within minutes of the infiltration, so the lack of capability is not from a lack of technology.  Companies have long settled for shielding the perimeter with traditional approaches to defense from the usual suspects of IT security.  Forgive my lack of compassion, but the EU requirements are the bill coming due for stubbornly sticking with old approaches to new problems and blindly relying on the large IT security vendors rather than considering innovative solutions.

In the interest of disclosure, Triumfant does provide a solution that will detect a breach within minutes of the infiltration.  Triumfant is not a DLP tool, but what Triumfant will do is quickly detect an attack that gets past the company’s shields and provide a very detailed analysis of the attack within minutes.  Triumfant uses change detection and contextual analytics to detect the attacks that evade other security software, making Triumfant able to detect new malware attacks, detect targeted attacks, and detect the advanced persistent threat.  Security professionals tell me that the analysis Triumfant returns would take a seasoned security professional hours or days to produce.  We call this Rapid Detection and Response: the ability to detect the problem, provide actionable analysis, and remediate the attack within minutes of the infection.  Once the point of entry is identified, the company can then determine if data has been compromised, and if so, the extent of that compromise.

Companies continue to ignore the realities in front of them (such as the 5% statistic) and continue to pour their resources into shields.  Plugging in another appliance onto the network or installing another solution that requires prior knowledge to detect attacks won’t fix the problem.  Nor will blindly trusting the large IT security companies.

The time to look beyond traditional approaches and the usual suspects has not only come, it has passed.  Companies have resisted change for reasons only they know, but I suspect they are not willing to look past traditional approaches and embrace technologies that re-write their perceptions of how IT security tools work.

The EU requirements are not causing the problem; they are pushing the problem into the light.  And in doing so, they are also dragging into the light the companies that have too long ignored the changing realities of security.  Companies that were unwilling or unable to step into the light themselves.

Hearing the Sound of Inevitability – Rapid Detection and Response

It appears that the IT security market may finally be hearing the sound of inevitability.

In an InformationWeek article by Matthew J. Schwartz called “10 Security Trends To Watch In 2012”, Schwartz puts “Breaches now inevitable, say businesses” as number 1.  Number 1! Finally the message seems to be permeating the years of flat earth thinking in the IT industry and the broader market!

Quoting Schwartz:  “The new mandate, then, is not just to maintain killer defenses, but also to have the right technology and practices in place to quickly detect when the business has been breached, and then to block the attack and ideally identify how the breach occurred and what might have been stolen.”

Well said.

This is the exact concept behind what Triumfant calls Rapid Detection and Response: understanding that shields are not, and will never be, 100% effective and that your organization will get breached.  It is, as Schwartz says, inevitable.  Therefore, Rapid Detection and Response is about detecting attacks that infiltrate machines as close to the moment of infiltration as possible, providing the analysis to make an informed response, and stopping the attack and repairing the infiltrated machine. It is about understanding that this is not a DoD or NSA problem about detecting the Advanced Persistent Threat but the very hard reality that targeted attacks are getting through your shields.

What remains to be seen is how quickly this grasp of the inevitable will be followed by action.  The problem with the inevitable is that it does not wait for us to grasp it – it is happening all around us regardless.

(BTW, some of you Matrix fans may be surprised by my choice of picture. I searched relentlessly and could not find a single picture of the exact scene moment when Agent Smith delivers his “sound of inevitability” line.  I was disappointed. The Internet, it seems, is not yet 100% – much like the shields people trust too much to protect their endpoints and servers.)

SOPA, PIPA, and Wikipedia May Have Been an Important Wake-up Call

The wailing and gnashing of teeth you heard yesterday was the audible and digital screams of marginal students who could not complete their homework by copying and pasting from Wikipedia.  To call attention to the opposition to the SOPA and PIPA legislation, Wikipedia and other sites either went black or had visible displays of opposition.  Beyond inconveniencing students, I wonder if we will look back on SOPA and PIPA as a marker in history in regards to the fight to keep the Internet free from censorship.

First for the disclaimers.  It is not the intention of this blog to express political views, and those views expressed are my own and do not represent Triumfant as a corporate entity.  My specific political persuasions are not important, but I am by no means a political animal or an activist.  I do fall squarely on the side of less government intervention.

First, SOPA and PIPA may have awakened some social and political awareness in the younger generations.  Jokes about Wikipedia aside, the fact that it went dark on a school night likely spiked awareness of the legislation like no other event could have managed.  PIPA was suddenly something to look up (but not on Wikipedia), instead of the cute sister of Kate Middleton.  Darkening the web sites that these generations rely so heavily on for their everyday life made some impression, and likely opened their eyes to a life where the Internet is not free.

Second, SOPA and PIPA woke up the general populace to the potential for censorship within our own country.  There were reports yesterday that several of the websites of key members of Congress were slowed to a crawl by the traffic to their sites.  The groundswell of opposition sent several senators and representatives backpedaling at a rate that only politicians can.  Because of SOPA and PIPA, people now know that Congress is capable of trying to regulate that which they do not understand, and that which few if any of us want them to be regulating.

The World Wide Web is obviously a double-edged sword.  It has opened a world of information to our fingertips, created interesting new paths for communication, and created a new platform for commerce.  It also is a huge void full of cat videos, Lee Dewyze, and the Kardashians.  At its worst it is riddled with spam, malware, pornography of the vilest kind, and hate.   The dark side is a function of the unfiltered nature of the Internet, but censorship won’t make that go away – the bad will survive but the good will suffer.  We in the IT security business fight against the dark side of the Internet daily, but I dare say that most think it is a fair price to pay for the absence of censorship.

Lastly, SOPA and PIPA are a useful discussion point for the evolution of national and world economies to the realities of online commerce.  Debates about the demise of bricks and mortar businesses, digital rights management, and other related topics are not new.  But the businesses that don’t bother to evolve with the digital economy continue to look toward Washington to retain their old ways through bad legislation in the face of the natural forces of a changing market.  David Meerman Scott had a great blog post about this very idea on his WebInkNow blog yesterday.  Scott cites the music industry’s attempts to protect their long-standing business model as music moved into the digital age.  I also found this interesting article that contrasts Best Buy and Amazon.

It is my opinion that it is not in the best interest of all of us to start down the path of censorship to protect the archaic business models of those who cannot evolve in an online world.  I think that thanks to SOPA, PIPA, and Wikipedia, there are more of us who understand that principle, or were at least introduced to that principle, than there were before yesterday.  I don’t think we have seen the last of bills like these in the Senate, but I am confident that the citizens are better informed of the potential ramifications of such legislation and will once again take a stand.

Now if you will excuse me, I have a white paper to write now that Wikipedia is back online.

Story on Targeted Attacks Dispels the Presumption of Complexity

I came across a story today that really speaks to the mythology of targeted attacks and their much-hyped subset, the Advanced Persistent Threat.  In a story on the Threatpost Blog by Paul Roberts (@paulroberts) called “Attackers Reused Adobe Reader Exploit Code From 2009 In Extremely Targeted Hacks”, Roberts provides insightful details on a targeted attack that used an Adobe exploit to go after system integrators that specialize in working with the DoD.

The story nicely shows how targeted attacks don’t have to use a cutting edge zero day exploit or some new DeathRay level malware to succeed.  In this attack, the attackers went after an Adobe vulnerability (since patched) called CVE-2011-2642 (first reported December 9, 2011) and leveraged exploit code that dated back to 2009.  The malware planted was the Sykipot Trojan, malicious code known to the IT security industry.

Too often I think that business people hear “Targeted Attack” or “Advanced Persistent Threat” and get a visual image of super smart adversaries in white lab coats creating exceedingly complex and sophisticated attacks.  They assume that targeted means specialty-built attacks that take enormous effort to conceive, construct and deploy.  They see it as rocket science.  And in some ways, I think that they use these misconceptions to talk themselves into thinking that no one would expend such effort to target their systems, creating a false sense of security.  They apply the business concept of “barriers to entry” to presume they are safe.

As this analysis shows, a targeted attack can be cobbled together from spare parts on their workbench. The barriers to entry in regards to the technical side of targeted attacks are nominal and easily scaled. All it takes is a motivated and intentional adversary that believes that your systems have something of value, and you can be the victim of a targeted attack.

As Roberts’ story shows, companies cannot hide behind false presumptions that there is inherent complexity that reduces the odds that they will be the victim of a targeted attack or APT.  Companies need to step up to a rapid detection and response strategy as part of their IT security thinking.  Triumfant excels at detecting targeted attacks and detecting the advanced persistent threat, and is an example of solutions that can close the security gaps that leave companies open to such attacks.

RFIs – You Don’t Know What You Don’t Know

RFIs drive me crazy.

First, I think the concept is a Gordian knot.  I need to learn about something I do not know.  I will learn by asking questions in a static, rigid format.  Okay, but if you don’t know about something, how can you hope to ask the right questions to get the information you need, or hope that your questions don’t inhibit receiving the real information you need, which you don’t know you need because you don’t know?  You don’t know what you don’t know, so how do you expect to ask questions so you will know?  See – Gordian knot.

Second, the amount of bias is staggering.  I will ask people who have a vested interest in swaying my thinking for the answers I need.  I will ask the vendors.  The vendors that are in a daily dogfight in a crowded and often confusing market where every vendor tells much the same story.  Vendors that hold Maslow’s proverbial hammer and will therefore put every answer in the context of the nail for which their hammer best drives.  Vendors that know before you ask that the answer to every RFI or RFP question is – surprise! – yes.  Vendors that are on commission, for heaven’s sake!

Well, Jim, why wouldn’t I ask the vendors?  They are most helpful.  Some offered to actually write the RFI for me.  I see your point and that seems perfectly reasonable.  It frees you up to interview foxes to watch your hen house.

What really frustrates me about RFIs is the lost opportunity to get exposed to truly innovative solutions that the organization could actually use to fill very real gaps in their IT security.  Why?  Because most RFI writers don’t know what they don’t know and therefore ask questions about what they do know: the same tired technologies that are at the heart of the very gaps that need to be filled.  RFIs are written from the sound bites of analysts, vendor web sites and industry pundits.  So what comes back is the same tired answers, and nothing new is discovered.

You don’t know what you don’t know.  But what you do know is your problem, and that is where you should start.  You may not be ready to admit it publicly, but you know what gaps your organization has.  You know malware is getting past your shields, and you know that you are not equipped to know when and where. RFIs should not use vendor terminology or be bound by the solution du jour.

Write your RFIs to real, unfiltered gaps and problems, and provide a framework for vendors to provide solutions, but stay away from pre-dispositions.  Doing so will quickly sort marketing speak from real, innovative technology that is not more of the same.  Questions should be heavy on detail about the problem, but not have artificial fences or filters as to how the problem can be solved.  Old assumptions should be abandoned, because those assumptions were largely forged about attacks and attack techniques that have evolved exponentially and have shattered those assumptions.

Tell me your problem and open your mind to the answer.  Am I biased about my product?  You bet I am.  But give me the opportunity to honestly (yes, there are more honest vendors out there than you may think or have been led to believe) provide you alternatives that you may not have even heard about, much less considered when writing the RFI.  You may be surprised what is out there.  After all, isn’t that the point?

That is all for now, as I have some RFIs to compete.  Let’s see. Question 1…(thoughtfully pondering)…”Yes”.
