The Worrisome State of the Information Security Industry

The security industry faces fundamental problems: tools don't cater to our needs, vendors misrepresent capabilities, professionals preach to the choir rather than connecting with colleagues, spending ignores business risks, programs are stuck in bureaucratic cycles, and assessments don't reflect real attack scenarios.

The information security industry is confused, having noticed that the common practices for addressing IT risks or protecting data often don’t work. Something is afoot in the security community, and that’s a good thing.

This month alone there has been a steady stream of discussions in the blogosphere, expressing concerns such as:

• Security tools don’t cater to our needs. For instance, Michael Cloppert emphasized the need for more flexible intrusion detection and prevention tools that would allow the organization to cater defensive mechanisms according to their needs. He pointed out that “today’s detection and prevention tools are built by vendors focused on common threats & vulnerabilities using often-closed signature languages, limiting the ability of analysts to leverage intelligence applicable to their threat landscape.”

• Security vendors misrepresent their products’ capabilities. Too often we read and hear unrealistic promises to meet customers’ compliance requirements (e. g., PCI) or defeat against the threat du jour (e.g., APT). As an example of how products can be misrepresented, take a look at Anton Chuvakin’s list of Top 10 Things Your Log Management Vendor Won’t Tell You.

• Security professionals preach security to those who already recognize its importance. Too often, we are stuck in our own world, and don’t connect with other colleagues or members of the community. Referring to this practice, Ben Tomhave proclaimed, “It’s time to get outside the echo chamber and meet the real constituents who are, incidentally, also paying your bills/salaries.” Too often, we treat security as a standalone discipline.

• Security spending is allocated without regard for risks or business needs. Gunnar Peterson observed that organizations tend to focus funds on infrastructure security items, rather than other security domains, because infrastructure “happens to be the historical background and hobby interest of the majority of technical people in the industry.” Jeremiah Grossman concurred, highlighting the need for increased focus on application security.

• Organizations are stuck in the Plan-Do-Check-Act cycle of bureaucratic security programs without measurable improvements. Ray Pompon referred to this as the Hamster Wheel of Pain, “because the process can be endless and ineffective if implemented sloppily.” Alex Hutton observed that “just because you can codify a standard or practice doesn’t mean that this practice is sane.”

• Security assessments are scoped without reflecting real-world threat scenarios. Vulnerability assessment and penetration projects rarely mimic the actions an actual attacker is likely to take. Val Smith explained that “most companies have a vested interest in having a low quality test: they need to pass for PCI compliance or other business reasons.”

Now I’m getting verklempt! Does anything actually work in the infosec industry?

Update: I made a few recommendations for improving the situation by expanding the information security toolbox.