Vendors often over-emphasise malicious IT threats to help sell their products, but is this a case of crying wolf?

Feature by Dave Waller

Vendors shout woe loud and often - they want you to buy their product. But it's not all without foundation, says Dave Waller.

The modern world seems to spin on fear, uncertainty and doubt. We are used to being told that terrible things are in the wind, whether that's a terrorist attack or bird flu, or the ominous news that Ben Elton is writing a new musical. This trend towards FUD has been particularly prevalent in IT security. From the Y2K bug to the recent Conficker worm, security vendors have long been accused of exaggerating the scale of the threats we face, all in the name of shifting products.

This was a tactic back in the days when malicious code came mainly from bedroom hackers, but the vendor community is showing signs of growing up, not least because the threat has. These days they're battling attacks from well-organised criminal syndicates, which are taking on ever more complex forms, as seen in the sophisticated Chinese Aurora hack on Google last year. And with the internet becoming an everyday tool, people have come to understand the reality of the dangers – without the need for vendor-generated scare stories.

Yes, vendors still need to shout to sell products, but they are also keen to show that they've reached a new understanding: that educating your customers, and developing products directly suited to their needs, may prove more effective than simply giving them the willies.

We've all read figures from vendors describing the staggering levels of malware out there. And it is hard to read them without suspecting scaremongering, whether it's Trend Micro noting a new malicious binary every 1.5 seconds, or that there are now more than 100 million bot-compromised IPs in the world. Or Symantec's claims that security attacks cost businesses an average of $2 million a year. When the sums involve ethereal elements such as ‘loss of customer trust', it is hard to credit the figures.

Truth is, in a highly fragmented and competitive sector, vendors must compete for the loudest drumbeat in order to be heard. The unfortunate result: a cacophony of drums, by its very nature loud and ominous.

As to whether vendors are exaggerating the threat, it's hard to say. These figures are being released to help sell products, and whenever scientific data comes out with a financial agenda it's bound to feel uncomfortable. And vendors don't help themselves. They are fond of bundling all levels of malice together in one statistic, failing to discriminate between the fraction of malware that's genuinely threatening and the huge amount of malicious code that will cause no real harm. You get a bigger number that way. And that works when very few people will bother to read beyond the headline.

Even vendors agree this does happen, but are quick to point out that the financial reality of the industry shouldn't distract us from the very real dangers. “If I see a release saying we've seen twice as many malware samples in the past month as in the past ten years, the alarm bells start ringing,” says Richard Jacobs, CTO at Sophos. “I'll know how they came up with the figure and that doesn't make me comfortable. But you have to recognise the threat is out there.”

This is the nub of the problem. Vendors do have a responsibility to publicise the threats. It's their job. But overhyping a threat can be highly counterproductive. Consider the response to the Conficker worm. When it emerged, all eyes were on 1 April 2009, which had been whipped up in a frenzy of hype as the doomsday-style activation date. The day passed and nothing happened. But that doesn't mean the hype was ill-founded. While the backlash berated the industry as the boy who cried wolf, everyone missed the real danger: that one of the most sophisticated pieces of malware ever seen had been working quietly away the whole time.

The case of Conficker is interesting, because for once it wasn't the vendors saying the sky was about to fall in. “Conficker was blown out of all proportion, largely by the media,” says Rik Ferguson, senior security advisor at Trend Micro. “Industry people were warning that the hype didn't help. It's better to say: ‘Here's the threat, here's what it means to you, and here's how we can help.' Not: ‘On 1 April, the whole net's going to explode.'”

Once the worm was away, vendors were quick to jump on board. Canny observers noticed McAfee introducing an Operation Conficker button to its homepage, which led concerned users through to pre-existing software. Opportunistic perhaps, but that's to be expected: it is sound business sense for any company with a product to sell, especially a technical one, to link it with current, headline-friendly threats.

That is, of course, as long as they're genuine – not always the case. “There was a report recently of a botnet of 75,000 machines using a Zeus Trojan,” says Ferguson. “It was picked up by the New York Times in a panic. But it's really an everyday occurrence.”

Industry FUD was at its highest about seven years ago, when most malware came from script kiddies competing to produce the most damaging code. Back then, vendors were forced to employ FUD just to get companies to accept that such threats existed at all.

But by 2007, a lot of observers had started to count mass-outbreak malware as a thing of the past, with the era of high-profile worms and viruses such as Code Red, I Love You, Slammer and Melissa seemingly over. Then Conficker blew the whole thing back into the spotlight, and companies were left facing a new reality.

And what a reality it is. Indiscriminate spamming has given way to targeted attacks on companies, simply because the returns are potentially so much higher. Data is king. Ransom attacks are becoming increasingly prevalent. Socially engineered strikes like the Koobface worm target the users of Facebook and Twitter, and indirect attacks such as phishing and fake anti-virus programs are everywhere. Anyone who hasn't been the victim of online banking fraud by now will know someone who has. And the threat isn't just down to malicious hackers – a politician visiting Iraq can now end up giving away potentially critical strategic information via his Twitter updates.

Google's run-in with China last year demonstrates just how far the threat has evolved. The Aurora hack was well-coordinated, intelligent and highly targeted. There has been a lot of speculation about the cause – an act of corporate espionage, or perhaps the Chinese government having a pop at the US. Either way, it's yet more evidence that vendors are now in a fight against serious syndicates operating highly technical, targeted attacks on companies and even individuals. Hard to discuss that without fear, uncertainty and doubt creeping in...

“There's no question that the majority of security firms aggressively highlight the threats out there,” says Andrew Dailey, MD of MGI Research. “But are they guilty of overhype? I don't know that you can say that. Every day there are instances of stolen identities, with governments and companies being targeted. You can see the threats are real.”

When an entire criminal economy springs up behind malicious activity, potentially involving nation states, and at the very least highly-organised nefarious syndicates, it's safe to say that even if threats are sometimes exaggerated, they are genuinely at a high enough level to make security a prime concern. It's like finding out that a scientist was wrong about the precise surface temperature of the Sun. Yes, they may be off by a few degrees, but that doesn't mean you should mindlessly jump in a shuttle and try to land there.

While overhyping is dangerous, companies are often too tight-lipped about run-ins with malware, which hardly helps either. Says Dailey: “When Google asked other businesses to come forward with problems they'd had dealing with China, it suddenly found itself apparently the only Silicon Valley firm that worked there. It's mad. After consulting with major FTSE and Fortune 500 firms, I'd say 99 per cent of all incidents go unpublicised.” In that sense, the hype around the Google Aurora affair may have been a good thing.

Speak to any industry insider and you get the same view: yes, the threats are being shouted about, but they have to be. Security is a hard sell, like breakdown cover or health insurance. It's hard to know how much worse off you'd be if the systems weren't running. And it can be hard getting that message through to the execs in control of budgets. “We often joke that we're undervalued,” says Mike Jones, security product marketing manager at Symantec. “It would be interesting to turn off the industry for a day, so people could value us more.”

But should customers value vendors? Are the vendors working hard enough to protect them against these evolving threats? The big vendors are often knocked for being complacent about innovation, and for killing the creative spirit of more dynamic start-ups when they acquire them. Others say they have too much power in the relationship – that vendors are too busy foisting features onto their customers to find out what the users actually need.

Vendors are quick to counter that. “There's potentially more innovation here than in any other sector,” says Matt Moynahan, CEO of Veracode. “It's not like making a tastier ice cream or faster car. We've got a common enemy that's driving us to innovate. Think of the effect Bin Laden had on air travel security. We're trying to defeat a genuine foe, when brands, fortunes and possibly even lives are on the line.”

The fight with cyber crime is often described as an arms race, and it's not surprising vendors are struggling to keep up – this is an incredibly fast-moving threat. Just as in the Tom and Jerry cartoons, the cat is always half a step behind the mouse. Yet it's hard to fault vendors on their level of investment. Symantec says it has thrown $1 billion into R&D in the past three years – hardly a sign of a company resting on its laurels.

Accusations that vendors don't provide what the customer needs may spring from their tendency to get carried away by specs, not the issues the software is addressing. But that too is changing. A vendor would be brave in the current climate to go off on their own and try to set trends and expect users to jump on the bandwagon. With the economy the way it is, it's far harder to persuade CISOs to blow their budget over empty threats than it would have been seven years ago. It's not the time to be releasing cool bits of kit for the sake of it. Dotcom days these aren't.

“You have to start from a point of asking: ‘What do you need, Ms or Mr Customer?',” says Symantec's Jones. “You can't just push your own widget. That level of power would be lovely, but no – these days if they don't need it, they won't buy it.”

The threat landscape is what sets the vendor's agenda. Look at the rise in malware for mobiles – the vendor community may have shot itself in the foot by harping on about the threats prematurely, but now, as the likes of iPhone and BlackBerry become more accepted as platforms, so increasing volumes of data are being moved that way. The criminals spot that, and it dictates where vendors have to play. And the same goes for the move to the cloud.

“Virtualisation comes along, and then comes the movement to protect it,” says Garry Sidaway, director of security strategy at Integralis. “The markets and methods are already well defined. It's the same as the net or mobiles – the vectors are already set, and vendors are just looking at how to resolve the problems.”

Hence you see the likes of Trend Micro's Threat Protection System, which not only tells you you've got a virus, but how it got there. Lumension is attempting to overcome the crushing volumes of bad code by pioneering intelligent whitelisting, which allows companies to focus on what should be running on their systems, not on cataloguing everything that shouldn't.
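To make the whitelisting point concrete, here is an added example (not Lumension's or any other vendor's code, and not from the original article) contrasting a default-allow blocklist with a default-deny allowlist, both keyed on the SHA-256 of an executable's contents. The sample "binaries" are constructed byte strings standing in for files on disk; `fresh_variant.exe` plays the part of a repacked dropper that no signature database has seen yet, which is exactly the case the "new binary every 1.5 seconds" figures describe.

```python
"""Blocklist (default-allow) versus allowlist (default-deny) execution control.

Added illustration; the binaries below are constructed stand-ins, not real files.
"""
import hashlib
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"
    DENY = "deny"


def sha256_hex(data: bytes) -> str:
    """Content hash used as the identity of a binary in both schemes."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample binaries (hypothetical names and contents).
SAMPLE_BINARIES = {
    "notepad.exe": b"MZ\x90\x00 known good notepad build",
    "payroll.exe": b"MZ\x90\x00 known good payroll build",
    "knownbad.exe": b"MZ\x90\x00 old dropper, signature already on file",
    "fresh_variant.exe": b"MZ\x90\x00 repacked dropper, no signature yet",
}

# Blocklist: hashes of malware that has already been captured and analysed.
BLOCKLIST = {sha256_hex(SAMPLE_BINARIES["knownbad.exe"])}

# Allowlist: hashes of the binaries the organisation has explicitly approved.
ALLOWLIST = {
    sha256_hex(SAMPLE_BINARIES["notepad.exe"]),
    sha256_hex(SAMPLE_BINARIES["payroll.exe"]),
}


def blocklist_decide(data: bytes, blocklist=BLOCKLIST) -> Verdict:
    """Default-allow: denies only what has already been seen and catalogued,
    so every new variant runs until a signature for it exists."""
    return Verdict.DENY if sha256_hex(data) in blocklist else Verdict.ALLOW


def allowlist_decide(data: bytes, allowlist=ALLOWLIST) -> Verdict:
    """Default-deny: an unknown binary is refused no matter how new it is.
    The cost is that unapproved but legitimate binaries are refused too."""
    return Verdict.ALLOW if sha256_hex(data) in allowlist else Verdict.DENY


def compare(binaries=SAMPLE_BINARIES):
    """Return {name: (blocklist verdict, allowlist verdict)} for each sample."""
    return {name: (blocklist_decide(b), allowlist_decide(b)) for name, b in binaries.items()}


def repack(data: bytes) -> bytes:
    """Simulate a trivial repack: one appended byte changes the hash, which is
    all it takes to slip past a hash-based blocklist."""
    return data + b"\x00"


if __name__ == "__main__":
    for name, (block, allow) in compare().items():
        print(f"{name:20s} blocklist={block.value:5s} allowlist={allow.value}")
```

The instructive row is `fresh_variant.exe`: the blocklist allows it because nobody has catalogued it yet, while the allowlist denies it without needing to know anything about it. `repack()` shows why blocklists lose the volume race: re-hashing `knownbad.exe` with a single byte appended defeats the blocklist entry, but the allowlist verdict does not change. The "intelligent" part of real products is handling the allowlist's own failure mode, the legitimate update that is not yet on the list, typically by trusting approved updaters or signed publishers rather than individual hashes; that logic is not shown here.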

“We use market analysis to identify shifts,” says Alan Bentley, Lumension's CEO. “A long time ago we realised we would reach a point where just running anti-virus software was no longer viable. So we were ahead of the curve when that shift happened: in the past 12 months the level of malware has gone through the roof.”

The upshot in the post-Conficker landscape is that vendors are learning to communicate better. There's a different atmosphere. We've seen real industry-wide cooperation, both in the Conficker Working Group and in companies combining their technology – look at Intel and VMware and RSA working together to secure the cloud.

But vendors shouldn't be listening just to each other. The customer has the most important voice. “The industry has traditionally been set on having the loudest drum beat,” says Moynahan, “but ironically the best skillset you can have is listening. Pay attention to your customers, know their pain point, and tell them how your solution will address it: that's our approach and it works like magic.”

Vendors certainly seem to be climbing down from their ivory towers, talking – and listening – to users via CISO advisory boards, Twitter, Facebook and online forums. You only have to look at the number of blogs running on vendors' websites, with vendor employees blogging about media exaggerations of the threat landscape. How times have changed.

It seems that the evolving threat and business landscape have led vendors away from scare tactics: the threat is fearsome enough. “A secure environment may not be a matter of life and death,” says Symantec's Jones. “But it can be the difference between a good and bad quarter. It's not professional to make a soap opera of these issues.” Sensible words indeed. So when it comes to Fear, Uncertainty and Doubt – the Musical, we should be safe for now.

Ahead in the cloud?

Cloud computing is moving on a strong wind of hype. And it's a grey area, which is fitting. Virtual hosting is being touted as the answer to every business need, with vendors repackaging tools ‘now with added cloud'. But as a system that involves storing a business' data on external servers, cloud may well be brewing a security storm.

Like outsourcing, the beauty of the cloud is that it can drive a company's costs down, helping it run more efficiently. Products such as Trend Micro's Smart Protection Network, a cloud-based security system, boast of more dynamic threat detection, and of taking the processing burden away from the user's network.

Yet if the cloud solves problems with one hand, more issues are slipping through the fingers of its other. At this year's RSA Conference, vendors were unusually quiet about the next big thing: they were too busy voicing concerns that no-one was addressing the hailstorm of security issues that the cloud may soon unleash, as companies put increasing volumes of potentially sensitive data onto virtual servers beyond their perimeters.

“Most cloud companies don't have the same data centre security discipline as bigger companies,” says Andrew Dailey, MD of MGI Research. “When you hear of a cloud start-up telling Barclays it's safer to use their hosting capabilities than Barclays' in-house ones, that's a bit silly.”

The cloud is still very much in a transformative phase. But while investment is being driven by the likes of Microsoft, IBM, Amazon and Google, it's hard to see others with the right financial muscle to really compete.

The danger comes in companies rushing into the cloud. “I'm awaiting the first high-profile security breach in the cloud,” says Dailey. “That'll send the hype the opposite way – it will quickly go from being the essential platform to one to avoid at all costs.”

While parts of a business may suit the cloud, others won't. Email and web filtering both seem right in the cloud, while other sensitive elements just belong with the user – like manufacturing systems controls or identity management.

There are significant opportunities for innovative vendors. “The next generation of users won't even need an operating system,” says Garry Sidaway of Integralis. “They'll just need a web browser. How do you license that? Or control access? Vendors need to push along these lines.” Indeed, we can expect to see the cloud become a huge catalyst for entitlement and data-masking technologies.

Customers care only about their business, not whether a server sits in a cloud. By putting users first, vendors could well benefit from a bright silver lining.

CISO's view: Bryan Littlefair/Vodafone

We often find ourselves sitting with a vendor who's pushing their latest silver bullet, saying that if we use this one product all our problems will go away. As a CISO, you have to be able to see through that. You need to understand your business and your product, and know exactly what will work for you.

These days, security concerns are many and varied. Malware has evolved into a defined money-making venture. The bad guys are simply following the money, and this drives the malware on. One significant threat vector is distributed denial-of-service attack (DDoS). Home PC users are relatively easy prey, opening spam and infecting their machines, and coming under the control of bot-herders who use them to bombard corporate sites and disrupt business. Then there's data loss, a huge subject, making regular front-page news.

Businesses need a complex defence mechanism against this weight of threat. Trouble is, no one vendor can really deliver that all-conquering silver bullet to cover the breadth of security problems.

That's why Vodafone works with a range of vendors. Each tailors a niche product to specific needs, and it's my job to take parts of each and integrate them into a solution that's right for our business. It's like pouring a jigsaw out onto a table, and putting the pieces in place in the right order so the bigger picture emerges.

When someone is selling a product, you can't just say ‘wow'. You need the ability to reverse-engineer it: you have to identify the product's potential benefits, the potential risks, how it could be misused, and any unintended consequences of taking it on.

Cloud, for example, may be the big buzzword right now, but a business needs to understand it is not the answer to everything, and approach it with the same level of due diligence as anything else.

Cloud certainly adds to the security issues. But you can't rely solely on the vendor community to get security right in any area. Cyber criminals prey on the weak, and everyone can protect themselves if they use a layered solution. You need to get your security policies, procedures and standards right. That way you can remove 90 per cent of potential problems immediately.

Vodafone is a huge enterprise, and we carry a lot of weight. We sit on R&D councils, to help drive product development to meet the issues. Working in this way with vendors is a win-win. And we've got good headway on the bad guys. They're well resourced, but so are we.

Jericho Forum's SAS – A tool to knock down the wall of hype?

If any users do have a problem with hype, they can always call on the Jericho Forum. The IT security thinktank has just released its Self-Assessment Scheme (SAS), a tool that allows vendors and their customers to check whether that all-singing, all-dancing product is actually doing the job.

It's an admirable project with a worthy aim: to ensure new products are based around the needs of users, not the feature-happy tastes of the vendors' R&D and marketing teams.

“The scheme was set up to help users know which nasty questions to ask vendors, to help differentiate between sales pitches,” says board member Paul Simmonds.

The tool is free, and is designed to assess how well a security product matches up against the Jericho Forum Commandments – 11 principles of good security design. It asks a series of niggly questions geared to exposing a product's security flaws.

Says Simmonds: “The biggest problem is actually badly architectured solutions. And that comes back to not asking the right questions. That's at the heart of it all. Because users aren't asking the right things, they get bombarded with a lot of noise from sales teams.”

The answers are aggregated into a self-assessment scorecard which shows whether the solution meets the acceptable security standards. Vendors can publish their scores on the Jericho Forum website as well as on their own websites and marketing materials, providing a benchmark against which users can judge them and their competitors.

“Vendors are out to promote their products,” says Simmonds. “It is their job, after all. The trick for users is to achieve a balance of security and cost, based on the risks pertinent to their business. But without a reference of how you work that out, you have to take at face value what vendors and resellers – and even security magazines – tell you.”
