Soviet.ie | Sóivéid.ie

Security Snake Oil for Sale

Traditional security systems aren't doing much to help us manage risk, but we keep buying them. Is it the vendors' fault or ours? And are there better ideas we should explore?
Earlier this summer, Cisco bought Sourcefire, a company that makes network security software and hardware based on the Snort intrusion detection system, for $2.7 billion. That's a lot of money to pay for a technology that has well-known problems (lots of noise and operational demands, not much protection). So why make the purchase? Because Cisco and other vendors know that people will keep buying security gear regardless of its effectiveness. Is that our fault or theirs?

Over the past year or so, a series of articles discussed the flaws in many categories of security products. Articles from Bruce Schneier and SANS proclaimed the utter failure of antivirus and host-based intrusion detection systems. Then there was the study from Imperva attacking the effectiveness of AV, which became a cause célèbre among security vendors.

Even with intrusion detection systems, the signature model seems to be a losing battle, with armies of analysts toiling away to keep up with the bad guys while we wait for promises of big data to save the day. IDS is a loud, cranky thing, constantly crying for attention, like a newborn infant. It's hard to find demonstrable ROI with the level of effort required for implementation and maintenance.

However, despite all the problems with IDS, antivirus and other security products, they still help you hit an audit checkbox. It's part of the compliance game, where everyone pretends that meeting a set of pre-defined requirements is an effective way to address risk. It's not, but it provides a mechanism for everyone to say, "We're doing something about security, and here's the checkmark to prove it."

Unfortunately, the ability to identify and address actual risks is getting harder. It's not just trying to find a needle in a haystack. It's like trying to find a needle in a million haystacks. It's the Black Swan event discussed by Nassim Taleb, but thousands of them.
So we throw more computational power at the problem, but all we end up with is more data than we can manage, along with discussions about how to analyze said data in a way that will actually help us predict attacks in real time. The problem here isn't the signal-to-noise ratio of false positives, but the false negatives that insidiously degrade the security of our organizations.

Maybe the problem isn't that we don't collect enough data, but that we aren't discerning enough regarding the data we amass. Gerd Gigerenzer, an expert in the field of smart heuristics and bounded rationality, offers a different perspective.

Full article: