December 1, 2011
This week I spent the day at a table in an exhibit hall at a conference. Traffic was light in the exhibit area and it gave me a lot of time to think, which is often dangerous. The show was one of those egalitarian exhibits where everyone gets the same six-foot table, so there were no little vendors being dwarfed by massive booths with overwhelming A/V systems and elaborate staging. Mostly pop-up banners and table covers. The somewhat equal playing field allowed for some interesting observations and one important epiphany.
First, IT security is the land of really bad company names. I won’t call out any here. But, really?
Second, if it were your first time in an exhibit hall how could you possibly come to any rational conclusions? Every booth seemed to promise the same thing and share the same set of bulleted claims to the point that I think you could have randomly redistributed banners and most booths would have not missed a beat.
Finally, I was struck by the fact that the emphasis on prevention and the pursuit of the perfect shield is really sending a very loud message, if the attendees were willing to see the forest for the trees. Of the 50 tables at the show, 47 were about preventing attacks, 2 were consulting shops, and one, Triumfant, was about detecting breaches.
Notice I said breaches. I realize that everyone talks about detecting attacks as the recognition needed to prevent attacks. Triumfant is distinguished in that we detect successful attacks, the ones that get through the defenses. Therefore, we detect breaches.
And now for the epiphany: shouldn’t the vast number of prevention solutions and all of the noise really tell you something about prevention? If shields are working so darn well, then why do we have hundreds of shield solutions in the market? Why does your endpoint solution (AV vendor) continuously have to add layer upon layer of new technology? Why are you neck deep in the spent shell casings of silver bullet technologies that will finally provide you with the 100% of myth and legend?
Repeat after me: Attacks get through your shields. Attacks get through everyone’s shields. You have been breached. You can buy every prevention product on the market and you will continue to be breached. And no, this is not all about exotic targeted attacks and the advanced persistent threat. Sometimes it is just basic, opportunistic malware that gets through.
It gets worse. You are not prepared. You do not have the tools in place to detect a breach. The Verizon Business Data Breach Investigations Report showed that you will only find it yourself 6% of the time. You are unprepared to detect successful attacks, yet you continue to shop for silver bullets instead of facing the hard truth.
I am talking about the ability to detect a breach within minutes of infection, alert the proper personnel, and return detailed actionable information. If you choose wisely, you may even get a solution so sophisticated that it can build a remediation for the breach, stop the malicious software, and repair the machine (including collateral damage) also within minutes of the infection.
My big takeaway from my time at the show was really quite simple: the noise and confusion of the security shows and the broad infosec market are actually telling you something, if you step back and listen.