Episode 71: Is Information Asymmetry the Biggest Threat to Information Security?

Amrit Williams, BigFix CTO, discusses the information divide between the good guys and the bad guys with Josh Corman, research director for the enterprise security practice at The 451 Group.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Josh Corman, who is the Research Director for the Enterprise Security Practice at The 451 Group. He was also the Principal Security Strategist at IBM prior to joining The 451 Group.

Josh, thanks for joining me today!

Josh Corman: I’m glad to be back!

Amrit Williams: Well, I’m glad you’re here. It was a great conversation, and you and I have known each other for a while. We haven’t had a chance to speak on the air about this, but I wanted to get your thoughts. As you know, I was an analyst and I moved away from being an analyst to move into the vendor space. You were in the vendor space and moved into the analyst space. I’m sure we all have our own reasons for doing that, but tell me a little bit about what drove you towards the analyst community and The 451 Group, specifically?

Josh Corman: Well, maybe it is a momentary lapse of reason there; I just followed your advice. But I think I’m not an analyst. I’ve never really considered myself an analyst, and I found that more and more people kept telling me that, wow, you’re an analyst. I guess what it is, is I’m not really the kind of analyst that we mostly read today. I do look at the big picture, I do look at trends. I am very prone to pattern recognition. I gave a speech at a conference once and someone came up to me and said, so, that’s the best analyst presentation I ever saw. I said, I’m not an analyst. He said, yes, you are.

So, part of it was simply that I was getting very fed up with security. I think you and I talked about this before. You go to RSA every year and you feel a little bit more depressed, because with such a highly dynamic and evolving threat landscape and problem space, we have a really static and never-changing response to that dynamic threat. I found that the louder I got, the more people were responding to it and listening to it. I think you had Jack Phillips from IANS, that institute, on your podcast before as well, but I really got a ton of value out of my faculty position there, because we talked to probably a thousand CISO types a year.

And the louder I got, the more I started critiquing things like PCI or things like my seven dirty secrets from last year, the more people responded. I said, you know what, I can continue to bellyache about this and rant, or I can try to take the bully pulpit and introduce a little more intellectual honesty, get a little more accurate, make people think a little differently. So I am going to give it a shot. I think we are in a perfect storm where it’s record high cost and complexity in security; I think it was like 3.5% three years ago and now it’s 13% last year, according to some people.

And then you pair that with a really bad economy, and it’s like, you know what, the vendors aren’t happy, the buyers aren’t happy, the VCs aren’t happy. And we are also, by the way, shifting to virtualization and cloud. It’s such an upset and rocking the applecart, I’m like, if anyone is going to listen to fresh thinking or a new way to talk about security or resetting the priorities, it’s now, and I’m going to give it a shot, see how I knew.

Amrit Williams: Well, I certainly think everyone hopes you succeed and that others out there trying to do the same thing do succeed. Do you think there is a chance that we can change what’s currently the dynamic of information security? I mean, every time we try to look at new methods for resolving the inherent foundational issues in security, we always get dragged right back into the same place we were before. What things do you see that inspire you to think that there are opportunities for us to advance the security programs?

Josh Corman: Well, discontent is the first step in any man, or in any nation, and people are very unhappy right now. So if this were a few years ago, I would have said, look, it doesn’t matter how smart you are or if you have a clever point or you have a great sound, people are pretty stuck. To a certain extent, there are facts of human nature and facts of economics that will keep us stuck. There are some pretty powerful forces.

But I think you can’t really change anything until you have an operational understanding, an accurate map of the world. I don’t really think that we do. In fact, I think we are going to talk about this, but I just wrote a piece on information asymmetry, and it seems like if you track the last 25 years, our definition of what security is and isn’t, what’s important and isn’t important, has gone through multiple levels of filtering and twisting and perversion.

So, one of the first things I really want to do is start saying, let’s take a big, big step back. It’s been 25 years since the Brain virus in 1984: what is the current state of the market, what’s the threat landscape doing, what are the big vendors doing, what are the infrastructure players doing, where is the VC money going, what are the regulators making us do? Therefore, more aware, or that I am extremely, maybe, more informed to make the right changes, we may know which things cannot change, but I think situational awareness is incredibly poor right now.

(00:04:55)

Amrit Williams: Well, situational awareness is a bit of a loaded term, because you could be referring to situational awareness of the state of an industry, situational awareness of the state of the threat, or the state of a person’s environment. I do want to delve into that, but I also wanted to have you expand a little bit on this concept of information asymmetry. I did read the paper that you put out at The 451 Group recently. I thought it was a great piece of what I imagine is going to be a foundational set of documents that you’ll put out, but can you describe for the audience a little bit about what you mean by information asymmetry, and also talk about the timeline that you referred to in that paper?

Josh Corman: Sure! I think I called it Security Derivatives, a not-so-accidental linkage to maybe the economic collapse we’ve recently experienced. But it’s really the downward spiral caused by multiple stages of information asymmetry. I’m not going to give an economics lecture here, but a lot of us in this space, a lot of people I respect, some of the guys like Rich Mogull or people from The New School of Information Security, a lot of us are realizing economics is playing a really important part. It’s a lot less about the techs and the technology and zero days, and a lot more about sociology, psychology, economics.

This is a term often used in economics, so I’m not going to give you a Harvard Business lesson here. But essentially, the really simple example I use is: information asymmetry is when one party knows more than the other party, and that leads to imperfection in the outcome and also a lot of room for abuse. What I’m basically saying is, if you go back to 1984 when the Brain virus came out, we had a fairly linear, direct model. You had a threat which caused someone to say, ouch, and that created a demand, and then vendors responded with a supply.

So, really linear, really simple, really easy. A virus hurts people, people want antivirus, so someone invents and sells an antivirus. But as things mature and evolve, you start to realize, you know what, the second stage here is the average security practitioner couldn’t possibly research and be aware of every single threat. So often, the people who would sell the products became an intermediary: they would first study the threat landscape, find out what people needed, develop some sort of cure for that, evangelize that cure to create demand, and then satisfy that demand. So it’s still a linear model, but the sequence changed. We are now learning about the threat from the person selling us the counter-threat.

So, interesting things started to happen now as the threat evolved and we had spam. I was in the antivirus community at the time, where a lot of the antivirus players tendered, chose to ignore spam. It was kind of, somewhat, in their responsibility zone, but it was hard, it was new, and they kind of ignored it. The antivirus certification authorities never really required that.

Similarly, spyware came out around 2001 and became very, very painful. The antivirus guys ignored spyware. You had dedicated point solutions like PestPatrol, for example; I think that is the one I referred to. For three years, people were re-imaging dozens, if not hundreds, of systems a week because of spyware infestation, and the primary vendors kind of ignored it.

Now, eventually, enough market demand forced them to make acquisitions or organically develop their own spyware, and now your antivirus vendor is also your anti-spyware vendor. But they had to be forced to do it. What I saw there was the seeds of allowing us to say, you know what, I don’t have a solution to that yet, it will be hard to make a solution to that yet, so I’m not going to market or evangelize that threat, because I don’t have anything to sell.

Amrit Williams: But isn’t that the way that it’s supposed to work in a free market? I mean, isn’t what you just described exactly what a free market does? There is a set of problems, and then people will address those problems when they feel there is an opportunity to monetize the solution. In the case of spyware and the introduction of anti-spyware, anti-spam, there really wasn’t a way to monetize those in the early days. There wasn’t really a way to monetize those until the problem had become so large that there definitely was what people would consider to be a market. Now I’m not saying that’s right or wrong, but isn’t that exactly how a free market is supposed to function?

Josh Corman: Yeah, it is. This was not the era of neglect or abuse of this information asymmetry. I think one mistake that a lot of the people of our industry make is assuming that this market is identical to other markets. In fact, the great book by David Rice, ‘Geekonomics’, talks about some ways in which the formal market forces can’t self-correct, but I won’t give an owner’s views. At the moment, I’ll just say that it’s a good book and it’s thought-provoking and has lots of good arguments, pros and cons. But yeah, you’re right, this is where it gets into what I cover in the paper. It’s really the next order of loss here, because I had an argument with one of the lead researchers at one of the top three antivirus firms back in late 2003 or 2004.

(00:10:02)

And we were starting to notice rootkits, and the spam and spyware was more of a delay, which showed how they are not really going to help you with the latest threats; they are going to help when you force them to. But those are really loud and obvious attacks.

Rootkits and trojans started climbing up big time. And they were slow and they were stealthy, and their buyers didn’t know about them, and their buyers weren’t getting to a saturation point where they were demanding more of a solution. So I remember saying to this guy, rootkits are really serious, why aren’t you guys talking about them, why am I the only guy doing this, because I think I wrote something for Virus Bulletin about it. I called it Don’t Bring a Knife to a Gun Fight, and I bet you if I pulled that article right now it would be as true today as it was when I wrote it back in 2003 or 2004. But essentially, the slower and stealthier things at this point the markets have figured out are really serious, and rootkits are a household name, sort of, at this point.

My point is, why aren’t you talking about this? And his answer was really sober and really disturbing. He said, why would I highlight a threat I can’t stop? Why would I highlight a weakness? So as a shareholder he was absolutely right. But I also feel, and I know others in our circles feel this way, that security is about stopping bad guys. I got into security because I want to be a superhero, and people are having massive breaches of intellectual property, or they are having rootkits to their identities or their secret sauce. I saw rootkits as a far more serious threat, but I saw these trusted security providers unwilling or unmotivated to talk about them because it was highlighting a weakness in their solutions.

Amrit Williams: But let me test something with you, Josh, because I do agree with everything you are saying, with some slight differences. I think one thing is that I agree with the dynamic that you described about information asymmetry between the security vendor and the security buyer. I am not exactly sure that the security vendor is in the best position to be seen as a trusted advisor. What it sounds like to me is that there was a gap in the market, which is there was no overwhelming security advising body, whatever that body is, that allows either the vendors or the market itself to understand what the threats were. And there were attempts to do that, but I think it was difficult to monetize. I think SecurityFocus was one of the companies that had looked at that, and obviously, they were acquired by Symantec.

But what I wanted to test with you is this: the way that information asymmetry is described, in the way you just talked about it, implies that the security vendor is doing something wrong by not providing thought leadership in certain areas. And I am not sure that’s exactly what you are saying, but I wanted to give you an example. I had the opposite side of this discussion with a vendor, and rootkits and botnets are similar in some regards to that as well. Botnets are loud and I think people understand them, but for the most part, an organization isn’t incented to stop botnets. They are incented to stop infections on their own machines, but when the infections on their own machines are causing pain for another company and not their own company, it becomes harder to justify spend on anti-botnet technology, if such a thing existed.

So I was having a conversation with the vendors a couple of years ago, and they showed me what they considered to be a very advanced method for detecting and stopping botnets. And they wanted to understand what the market opportunity was and how they would sell it to the enterprise. And I said, I don’t think you can, because I don’t think that anybody is going to buy anti-botnet technology the way that you are looking at describing a botnet. What they’ll buy is more protection, potentially, to stop infections and pain that they are experiencing. But what they were really looking at is botnets infecting an organization but basically being used to attack others.

And this was the reverse of what we usually see: this was a vendor trying to do some forward thinking, trying to get something to the market, and basically, the market is just not going to pay for it. In that case, we all know that in this free market society that we have, these vendors exist to increase shareholder value, to improve the bottom line. If they spent resources, if they spent money, marketing dollars, whatever, trying to show the market that they do need this technology, they probably would not have made back the money that they spent or invested.

So how do we change that dynamic, which is, again, in a free market society, there has to be a market to sell something to, even if you know that it exists? And I completely agree about the problems with rootkits and botnets. Before I left Gartner, I think I had rootkits as the number one potential problem in the next five years in the cyber-threat cycle that they used to produce. So how do we deal with that dynamic, which is we blame the vendors for not providing thought leadership and not allowing these new things to occur, but we also have to look at the fact that if a market doesn’t exist, what is their incentive to do something about it?

Josh Corman: Well, I am going to slightly differ on that, and I don’t think we are in disagreement; I was more describing the narrative of how spending actually happened versus a more optimal way of approaching it.

Amrit Williams: Sure!

Josh Corman: And a lot of the savvy buyers never got their education from the vendors. They were either their own local trusted security advisors, or they hired consultants, or they went to DefCon and Shmoocon and Black Hat and did primary research.

(00:15:06)

So there are ways to do a better job. But the lion’s share, I basically do a narrative of the lion’s share of the spending in security over 25 years, and where some of the abuse was allowed to creep in. There are ways to mitigate that; in fact, I think at the end of the paper you saw a few early ideas of how to fix that. Most of our research for the first part of the year is going to be describing what is and how it flows, but then also making positive recommendations like you are alluding to.

Amrit Williams: Well, it’s interesting. By the way, I don’t think we are in disagreement either; I was just trying to ask about a dynamic.

Josh Corman: I am actually less concerned about where we’ve gotten thus far in this narrative; it was the next stage. I mean, of course people aren’t going to highlight a weakness, that makes perfect sense. It was more a matter of that’s when I saw that we started to filter what we knew. So if the AV player or the large security incumbent knew about 15 threats, they would really only market or describe or evangelize or sell to the ten that the mainstream knew about. So we had that first big delta between what we knew and what we were selling or solutioning to. And that started to get a little bit more concerning to me.

The real concern came when I started to notice that the vendors are not only filtering what they tell their clients or what they message at conferences or in the press outlets; it’s more a matter of, they don’t even know what’s going on anymore. So it’s this last level of asymmetry, where the threat landscape has evolved so quickly, in ways that the traditional old guard can’t really understand or fathom, that there is now a fairly large gap between what’s actually happening and what we know about. Add in the selfish filters and you’ve got 20 threats that exist; 15 the vendor knows about; ten they sell you solutions for.

Amrit Williams: And this, by the way, I think is one of the most insidious problems that we face in information security, this aspect of information asymmetry. When we come back I want to dig into that a little bit deeper. So stay with us. Thanks, Josh!

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix, Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening!
