What's most telling about the security community's long list of complaints is how little it has changed over the years. Tools that don't fit our needs, vendors that overpromise, spending divorced from risk, and assessments that ignore real attackers were worth worrying about then and still are now.
This is my original 2011 snapshot of the security industry's worries, drawn from the blogs of the day. I've left them largely intact, because they've aged unnervingly well.
The cybersecurity industry is confused, having noticed that the common practices for addressing IT risks or protecting data often don’t work. Something is afoot in the security community, and that’s a good thing.
Voices across the security community have long expressed concerns such as:
- Security tools don’t cater to our needs. For instance, Michael Cloppert emphasized the need for more flexible intrusion detection and prevention tools that would allow organizations to tailor defensive mechanisms to their needs. He pointed out that “today’s detection and prevention tools are built by vendors focused on common threats & vulnerabilities using often-closed signature languages, limiting the ability of analysts to leverage intelligence applicable to their threat landscape.”
- Security vendors misrepresent their products’ capabilities. Too often we read and hear unrealistic promises to meet customers’ compliance requirements (e.g., PCI) or defeat the threat du jour (e.g., APT). As an example of how products can be misrepresented, take a look at Anton Chuvakin’s list of Top 10 Things Your Log Management Vendor Won’t Tell You. We make our own convenient claims, too, when we describe our defenses to users and customers.
- Security professionals preach security to those who already recognize its importance. Too often, we are stuck in our own world and don’t connect with other colleagues or members of the community. Referring to this practice, Ben Tomhave proclaimed, “It’s time to get outside the echo chamber and meet the real constituents who are, incidentally, also paying your bills/salaries.” Too often, we treat security as a standalone discipline.
- Security spending is allocated without regard for risks or business needs. Gunnar Peterson observed that organizations tend to focus funds on infrastructure security items, rather than other security domains, because infrastructure “happens to be the historical background and hobby interest of the majority of technical people in the industry.” Jeremiah Grossman concurred, highlighting the need for increased focus on application security.
- Organizations are stuck in the Plan-Do-Check-Act cycle of bureaucratic security programs without measurable improvements. Ray Pompon referred to this as the Hamster Wheel of Pain, “because the process can be endless and ineffective if implemented sloppily.” Alex Hutton observed that “just because you can codify a standard or practice doesn’t mean that this practice is sane.”
- Security assessments are scoped without reflecting real-world threat scenarios. Vulnerability assessment and penetration testing projects rarely mimic the actions an actual attacker is likely to take. Val Smith explained that “most companies have a vested interest in having a low quality test: they need to pass for PCI compliance or other business reasons.”
Now I’m getting verklempt! Does anything actually work in the infosec industry? When the gloom gets to be too much, I’ve also made a point of saying something nice about it.