Episode 73: Is the Auditor Scarier Than the Attacker?

Amrit Williams, BigFix CTO, discusses how profit and politics have changed the security landscape with Josh Corman, research director for the enterprise security practice at The 451 Group.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and I am back with Josh Corman, who is the Research Director in the Enterprise Security Practice with The 451 Group.

Josh, thanks for coming back. We were speaking before about a paper you put out at The 451 Group called Security Derivatives, and in it you speak about information asymmetry. We were speaking about some of the first stages of what you describe in terms of the timeline of information asymmetry, beginning with the first sort of initial virus concepts and then the market’s response to that by creating anti-virus software.

We then touched a little bit on how the vendors, the security vendors themselves started to filter out the information they were giving to the purchasers, so you had information asymmetry between the buyers and the providers.

And then right when we left off you had touched on the new information asymmetry that progressed from that, which is the information asymmetry between the security developers, the security vendors themselves, and the threats and the attackers themselves. So I wanted to just get back into that flow and take it from there.

Josh Corman: Sure. I mean, we have basically gone through successive filtering from reality. So if in the original model there was a threat, and I knew about the threat and I purchased for the threat, that was pretty direct.

The second generation, I think I sort of call it the Trust Me Generation, and that’s really when there were too many threats so the vendor themselves became the de facto. The trusted security advisor would study the threats, educate the buyers about the threats to create demands and satisfy it.

The third era I think is where we started to leave off, which is trust abuse, and that’s really where some of the harder threats, that are going to take a lot of R&D effort, something like group hits.

There wasn’t a lot of demand for it, because they were slower and stealthier, they were fairly difficult, so a lot of the vendors just really weren’t talking about them. So we started to abuse that trust and filter; if we knew 15 threats, we would only market and message to the ten that we could solve and make money on.

The most troubling one, which is where we left off, is the next step, I guess we will pick up there, where it was blind spots. The threat has evolved and accelerated so rapidly, whether it’s 2004 or through 2006, we started to see that most of the threat was primarily driven by ego, I call that the prestige era, whereas around that time frame it really started to multiply and accelerate to be profit, politics, and prestige.

So all the e-crime we have all been beaten to death with has very different motives and very different uses. They don’t want to be loud; they want to be stealthy, and financially successful, whether it’s a cyber protest or even state-sponsored attacks and reconnaissance.

So those other two Ps, profit and politics, in addition to prestige, really changed the game, but many of the incumbents who had a big nest egg in legacy portfolio were resistant to talk about that, but more importantly, their R&D teams, they just don’t get it. A lot of them are so stuck in that early era that everything is a virus and gets a signature, it’s about cranking out signatures more quickly or something.

They develop blind spots, to the point where now if there are 20 threats, the vendors don’t even know about more than 10 or 15 of them. So it’s this subset of a subset. If we strictly use normal market demand, the buyer just doesn’t know enough, there’s too much complexity, too much change. And because they are relying on, usually their vendors as their source of trusted advisor, you get a highly sub-optimized system.

Amrit Williams: I think the thing that I wanted to touch on a little bit is, is that — let me test this with you, because I am not even suggesting that this is the wrong lens to put on this problem. Is that the right way to look at it though, I mean, from a vendor’s perspective, not yours of course? Because if you think about it, there’s an inevitable progression to the type of attacks that we are going to experience. They are definitely going to continue to become more sophisticated, new technologies will come online. Those will have inherent vulnerabilities, they will be exploited. So that problem doesn’t seem one that is easily solved by looking at, how do we look at the threats and what protections do we develop against those threats. That does need to occur.

Are we missing something here, which is — and let me just test this with you, does it matter what the threat is, shouldn’t the response be, it doesn’t matter how the attack occurs, if I can figure out a way to detect it, then I just need to figure out a way that I can make sure my business stays online?

I know that that’s overly simplistic, but let me give you just a little bit of what I am thinking here. I had a conversation with someone recently about the energy utilities and how they should respond to the potential of the smart grid and how that would be attacked and on and on and on.

(00:04:56)

And the comment was made that the PG&E, for example, which is the Pacific Gas and Electric, the energy utility here, in Northern California, where I live, that they didn’t do enough and weren’t really prepared for an onslaught of attacks against the energy utilities by hackers.

I asked the question, I said, well, do you think that they are prepared for the other things that bring energy to a halt, because at the end of the day their main objective is to ensure that energy is provided to their constituents? What I do notice here in Northern California is that PG&E is actually pretty good about trying to restore energy when there is an operational failure, and at the end of the day does the consumer of the energy, the consumer of PG&E care what impacted their inability to get energy? They don’t; they just want to know that they pay for a service and it’s provided.

And are we missing that side of it, which is the response side, the business continuity side? I know that it’s not as attractive and exotic a discussion as people like to have in the information security arena, but how do we rationalize those two sides to find balance between the two of them?

Josh Corman: So I think there’s a couple of issues tangled up in there, and one of them is confusing anti-threat, specific anti-threat terrorism as the only form of security, which I don’t believe.

Another is the notion of survivability or resilience. Chris Hoff is a big fan of this, I am a big fan of this. We do a lot of this with our round tables, through IANS, and in our conference speeches. In fact, back in, I think it was like in 2001, maybe even earlier, Carnegie Mellon was first talking about this — pushing the idea of survivability. So not that you can prevent the attack, but that you can maintain the mission throughout the attack or recover more quickly. So that’s another topic entirely.

I think, should they care? I think yeah, they should care, and I am not trying to be one of those tin foil hat brigade guys, but a lot of times I would be pulled in for my clients, whether it’s the ISS or IBM ones. A large pharmaceutical company had a custom piece of malware take the research data and ransom it for six figures successfully. They are wondering why their anti-virus didn’t work. Well, their anti-virus was never going to work, because that model of threat, with the advanced persistent threat, was not going to — if you have a virus written for one target, there’s no Patient Zero to create a signature from. Patient Zero is Patient Z, it’s over.

This was not an edge case, this was most of my work for the last several years for these kinds of examples where the threat was becoming more sophisticated, and the available supply of security simply wasn’t up for the task of noticing the slower and lower and more quiet things.

I mean, Richard Baily does very good thought leadership, and a lot of talking about infinite response and how to build your infinite response workbench, and the kind of tools, and that we want increased visibility, and how do you go firefight when you notice these things, but most of these breaches he was referring to, I mean the compromise was resident for seven plus months or so. I mean, take whatever report you like, these types of attacks simply can’t be noticed or prevented with the lion’s share of the spending that we are doing on legacy controls.

Amrit Williams: So you touched on it right now Josh. They can’t be prevented with the lion’s share of money that we are spending on the legacy controls. So I want to just shift a little bit to talk about what we can do, because I know that I am in agreement with you; I have had conversations with you before about how we spend so much time fighting last week’s, last year’s, last decade’s battle. There are a lot of regulations that push us to do that. There is a lot of information that says that’s the best thing to do, and we neglect looking at the type of technologies, the type of processes, the type of methodologies, that would allow us to have better visibility and better response to threats that cannot be detected by these legacy controls. How do we break out of that?

Josh Corman: Again, it’s the awareness factor. I mean, the last stage of the paper on derivatives was that, even for the things that we are getting spending two or three years ago, the economic downturn, and the too much cost complexity has people retreating to compliance as the simplified, really shortlist of the controls you should spend on. And given that the budgets are so tight, people are basically passing on it and not spending a penny more.

The conversations and debates I have had recently have been about the very dangerous and all-consuming impact of compliance mandates, and specifically PCI. There have been a lot of debates, I think you have been following.

But my concern is that, of all the things we need to do, the executives are saying, look, we have no money, you are taking up too much. What are the things we have to do? If you are not going to get a fine, I am not going to give you a budget for it. So you have gone from 70 known product markets, down to the ones that directly map to the digital, those in the PCI, for example.

(00:09:49)

And I know the people listening are going to say, PCI is only meant to handle card holder data, etcetera, but the derivatives and the copies we have conflated compliance as an industry best practice, and it’s being misapplied in the enterprise because people think that is the best thing you are supposed to do, the minimum you are supposed to do.

And even the stuff that the vendors are selling, which was already a subset of a subset, we have now focused most of the spending on the compliance mandates and usually not a penny more.

I had a big argument with the CIO and I said, you know that you need to do more than this. You know that you have already had three breaches, two of them public. How can you cancel this project? And he said, Josh, I might get hacked, but I will be fine, and it was really that simple for him.

So the last stage of derivative here is, if we have got 40 threat types and your vendors know about 30 of them, and they only have solutions that sell you for 20 of them, and you are only going to be able to have a budget for the really old, the really antiquated ones that are in some sort of compliance or government or industry mandate, like a compliance reg, this is the very dangerous downward spiral where most spending is on a very small subset of controls, and most of those controls are very ill-suited to handle the kind of awareness and infinite response.

So I didn’t answer your question about what you should be doing, but if we don’t recognize that if our entire risk management program is a cut and paste and execution of 12 rules from some credit card company, we don’t have a chance of increasing our visibility and noticing these smaller, stealthier, or financially impacting threats.

Amrit Williams: We do feel we have crossed the chasm, where most organizations are more fearful of regulatory compliance than they are of the actual threats coming from some Eastern European organized criminal gang that’s trying to steal money from them.

Josh Corman: Part of it is that, it’s a possible threat versus an actual threat. I mean, the fine is real. The attackers from — the sophisticated attackers are also real, but you are taking a gamble.

And another part is that — you heard my 7 Dirty Secrets talk, and you know how hard I am on the vendor community, but the vendors kind of — they then go tone deaf to fud, too much fear, too much doubt, and we made them realize that there’s more lions and tigers and bears that they can ever handle. Some of them are real and some of them are fabricated, like the snake oil markets. And they have tried to retreat it to a more simple and mandated final holistic controls, and that’s the real big concern.

I mean, there are technologies; I mean, I have been a big fan of what you guys have been doing at BigFix for a long time, because you don’t have to anticipate what the attack is. If I want to ask a question of any number of systems in my population, I can do so. If I want to affect the change on those systems, I can do so.

So the SIMS are becoming potentially more strategic, the log management stuff is properly used. A lot of the infinite response things. Some of the botnet technologies or network anomaly detection, things like integrity checkers on the endpoint. There are a good list of controls that you can use to prevent known threats and unknown threats, loud threats or stealthy threats. The problem I have is, good luck as a stray practitioner getting a budget for those, because right now, at least in 2009, most of the dollars were spent on a compliance mandate and no more.

Amrit Williams: Let’s test, and I know that recently you did a podcast with a set of folks who look at PCI, this was moderated by Bill Brenner from CSO Online. I know it’s going to be both on CSO Online and Martin McKeay and Bridge Mobile’s NetSec Podcast. It’s interesting, because I have taken a rather harsh tone with PCI. I don’t know if I have ever really sat down and described what my issues are. I think they can really be summed up in two ways.

One is, I completely agree with you around the imposition and the thought that everyone basically sucks and needs to be brought up to this very basic level, and PCI is a very basic level of information security. And I think that really discredits a lot of the information security programs and the information security professionals that want to look at how they can implement all these other compensating controls or controls that are not even part of the spectrum of what PCI mandates against new threats that aren’t being discussed.

The other issue I have, and again, I think that PCI is one direction, and people are trying to take that direction, and I give those folks credit who have tried to better the PCI program in general, and those folks who advocate for it, I think that they do believe they are doing the right thing and I don’t begrudge them for that.

The other issue I have is that, again, we are in a free market, we are a capitalist society, we tend to shy away from regulations, if we can. This is one area where we seem to completely embrace regulation. That doesn’t make sense to me, because we are actually, through this economic dynamic that we are seeing, as you described, we are forcing conditions through regulations that become unnatural, and basically make it very difficult for information security to evolve.

(00:15:07)

I don’t fully understand how on one hand we can advocate for regulatory compliance initiatives for information security; and I have seen several of these people advocate against regulations and other aspects of our lives. So it seems to be misplaced, the way that we want to regulate one side of this idea, not the other.

Josh Corman: Well, you and I have had some great conversations about this, and I would like to do so maybe on our future podcast. The nature of this particular debate, the great PCI debate that you referred to with Bill Brenner, was I gave a speech, my baby speech at The 451 Group Client Event and Bill Brenner was sitting in the audience, and I said, you know, in the great ecosystem of security, most of the spending, would it have anything to do with regulated card holder data or not, most of the spending, most of the innovation, most of the vendor activity, most of the VC shifting, is all basically moving backwards to some fairly legacy controls because of the economic conditions.

So I have often compared PCI, jokingly, to the devil, I said PCI is the devil, in an IANS event. That was a joke, but what isn’t a joke is, I started realizing a very solid comparison to the No Child Left Behind Act. That’s really what spurred a lot of volatile reactions. I think it came — the article came out saying Josh compares it to the No Child Left Behind Act. Well, basically I am saying, we meant to raise the bar, and for some we have, but for others we have lowered it. We meant to make it a starting point, but it has become the finish line. We meant to set the floor, but we have actually set the ceiling. We are supposed to make the smart kids dumber, we made — I mean, we are supposed to make the dumb kids smarter, we have made the smart kids dumber. So it’s a lot of good consistent metaphor there with the No Child Left Behind, and in fact, I will be writing about that very soon.

The debate was that Anton Chuvakin, who has written a book on PCI, even Ben Rothke retorted and retaliated. Mike Dahn and Martin McKeay jumped on as well. I mean, these guys have done a lot of very noble and good work to try to help raise the bar for the retailers and the people who take card transactions that were doing nothing.

So if on a bell curve, some people are negligent and doing nothing, and on the other end of the bell curve, people are doing an excellent risk management program, like a lot of the clients I had. There’s all sorts of points in between. My suggestion wasn’t to do the debate we have all had a thousand times and pick on PCI. I am saying, look, PCI has raised the bar for the negligent, but it’s also had unintended consequences on everyone else, and it’s had a negative impact on some.

We haven’t actually improved security overall, in fact, year to year, the breaches go up and up and up, and show no signs of slowing. It’s more a matter of, I am seeing, when I talk to my clients at The 451 or my partners when I was at IBM, or the buyers in financial services and pharmaceutical, in areas that don’t even take credit cards, what I am seeing is all the money is going to compliance mandates. Therefore, the vendors swallowed the money, therefore the vendors are not providing advanced threat prevention. They are doing pretty reports, compliance dashboards.

Basically, the bad guys continue to innovate, and we have kind of given up on them because the auditor is scarier than the attacker, and you know the next stage is going to be that the investors stop investing in the good threat prevention stuff, like you were referring to.

Are they going to invest in an anti-botnet? Are they going to invest in a network forensic tool? Are they going to invest in advanced persistent threat things or anti-fraud? Maybe eventually, but in such a space that moves so quickly and changes so often, information asymmetry has a pronounced impact on this sector, more so than it does on which iPhone or smartphone am I going to buy. That kind of thing, supply and demand is pretty direct and there’s no life or death, there’s no massive financial losses. And this one it’s pretty unrealistic that the average security buyer at a retail chain is going to know what the Russian mafia is going to be doing next week.

But because of these successive layout levels of information asymmetry, we are wildly sub-optimized. The VCs are taking a bath on markets like Mac. Some promising data with really applicable technologies are struggling in a bad economy. The legacy guys continue to resell things we don’t really need, because it’s grandfathered in on a PCI budget.

What I really want to do is map these factors out, such that we can be more aware, more explicit, and then give some pretty decent and actionable guidelines to each constituent on how we can try to get on a more convergent path, instead of a divergent path, because right now we are mandating wooden shields and sticks, whereas our adversaries have very advanced weaponry.

(00:19:56)

Amrit Williams: Yeah, I don’t disagree. Okay. Well, let me switch gears just a little bit, Josh, because I do want to get you back on and others to talk about how we deal with some of the regulatory compliance pressures that organizations deal with, and how we sort of change that dynamics, so organizations can look at some of the more innovative technologies that are out there to deal with security threats, as opposed to just the ones that are mandated by compliance, which are difficult to change.

What does the future look like for this year and next in terms of The 451 Group research that you are driving? I mean, I know that the security derivatives is one piece of the coin, can you talk a little bit about some of the ideas and thoughts you are going to be adding to that foundation?

Josh Corman: Yes, I think people act in their own rational self-interest and they act in their economic interest. Most of my subscribers are — there is a huge chunk, since we really focus, not on being the consensus of the masses, I mean different analyst firms have different value propositions, I think The 451 has been more about intellectual honesty or focus on innovators and investors. So it tends to be the newer technologies and the investment community.

So I am really writing theories of these reports; the information asymmetry was one concept to establish, we are doing about three or four more of those that will stand on their own, but I am going to stitch them together to really paint what is the ecosystem of information security, economically. Who are the constituents? So I am going to be codifying essentially the infrastructure vendors as a constituent, the large incumbent security vendors who respond to threat, the threat landscape, the smaller VC based startups that try to fill in the gaps and those incumbents, the VCs who fund them in a regulatory environment.

So by painting them, showing the dynamics where it’s working well, where it’s not working well, then I hope to have a more accurate world view and give, again, actionable and reasonable suggestions to each constituent.

So the bottom line is, the information asymmetry hurts everybody in the long run. It stifles innovation. It forces people to spend on things that have a very low return on investment. The VCs aren’t getting a good return on their investments. If we let things progress as they are, everyone stands to lose. If we improve the information and the caliber, and we have a more accurate world view, people will still act in their own rational self-interest, but we are going to have a much higher caliber result, from better — a more realistic world view, and I think we don’t really have that today.

Amrit Williams: I completely agree, and I really look forward to the research. Josh, I really want to thank you and appreciate your conversation today, and I look forward to having you back as well.

Those of you looking for more information from Josh, you can find him at, Josh Corman is again the Research Director for the Enterprise Security Practice at The 451 Group. Josh does not have a blog and just completely refuses to build one, don’t know why. But you can find him on Twitter, if you search Josh Corman.

Josh, thank you very much for joining me, I really appreciate it.

Josh Corman: Thanks Amrit.

Amrit Williams: Take care.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this Podcast are the personal opinions of Podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening.
