Monday, July 20, 2009

The NEW Infosec is upon us! (but we're still armed with old products!)

Everyday I read dozens of articles regarding cyber war, DDoS, cyber espionage, the President's cyber czar (which, as I understand, remains unfilled), a TON of pro and con opinions in the press, and dozens of analyst opinions. This doesn't include vendor pitches and the deluge of advertising aimed at the Information Security dollars that will be spent in the coming years.

I'm going to lay it on the table in the hopes that someone will get it... today is the first of a couple of blogs offering comments about where we are, why we have issues, and hopefully, what we can do about it.

Here's number one... Vendors.

Vendors -companies who sell infosec products -don't get it!

Entrepreneurs want to hype their companies all with the hopes of making their products, companies and books looking better than than they really are will say anything to make it sound like the products are the best thing since sliced bread. In fact, many just don't get it. I can't tell you how many presentations I've sat through, only to ask the hard questions --hard questions about not the 80% of the threats they've built their pitches on, but about the top 20% of the threats that come in through spam, phishing, and drive-bys --all fueled by sophisticated social engineering? Yeah? Whadya gonna do about that?? So vendors, here it is --your products are built on the old threat models. Get with the program. Hire people with recent experience and sell GOOD products rather than products that try to solve EVERY problem. Find the pain point in the market, get really good at it, and fill the hole as best you can. Do your homework! Use a competitive intelligence guru who knows your space and can tell you exactly what your competitors are doing. Please, for the love of God, please, don't come see me without having detailed competitive intelligence in your back pocket. I swear, if I hear one more entrepreneur tell me they don't have any competition I'm gonna puke.. and then kick you out of my office.

Medium sized vendors.. I've got to pick on Security Information Management for a moment. Great idea, but it's making our SOC analysts dumb. They have come to rely on the boob tube with absolutely no idea what's going on the background. These products have turned skilled analysts into movie watchers. What's worse? The vendors have'em hooked like crack whores. Once the licenses are bought, and the SOC works on the SIM/SEM GUI, the company never looks back and will continue to pay over and over and over and over and over. They'll keep coming back for more because the sunk costs are two high to leave behind without without the CISO getting really red faced over the already money spent. Why do I have so many issues with SEM/SIM? Remember the old days when we watched a VT100 screen with IDS logs passing by? We were inundated with information but had no idea which ones were important. Today we have the same issue. How do you know what's important? OK, I'm a pretty seasoned guy, and can (sometimes) tell by looking, but most SOC analysts aren't. They need to know what's bad and what isn't. Then, they need to be able to look deeper. So, SIM guys, make it so! Bells and whistles aren't worth a damn if everything looks important. I can't tell you how many times I walked into the SOC, saw the SEM top ten list on the big screen and asked what was happening with the number one... I always got the same answer ... "It's a false alarm." Bull shit.

Larger vendors (like the Antivirus Vendors), can sit on their laurels and enjoy the fruits of ineptitude. That's right, I said ineptitude. Do we really know how (in)effective antivirus is? It's a good thing it's cheap! If it didn't why would we need so many layers in our defense in depth program? A/V should be able to kill anything landing on the computer, but, alas, they cant. Instead they have to rely on a whole slew of other technologies to do their job, and guess what? There's no way to correlate all of those things together to tell what's good and what's not! Sorry folks, I've come to the realization that A/V vendors would rather expand their market rather than make their product more accurate.

Bottom line. Vendors are out of touch with their market. Here are a few things that'd make things a WHOLE lot better.

1. Small and medium size companies --use Competitive Intelligence as a regular part of your marketing team. CI can help with pricing strategies (by finding out what competitors charge), product management, and long range planning. For the cost of one engineer, you can have a VERY clear idea of what you're facing and where the niche is.

2. Larger companies? Pay attention to your customers. Premium service packages are nice, but not if you're only catching 10% of the problems. The products should work first time, every time, and be right.

Next time... Magic Quadrant!

Jeff