The Worrisome State of the Information Security Industry

The information security industry is confused, having noticed that the common practices for addressing IT risks or protecting data often don’t work. Something is afoot in the security community, and that’s a good thing.

This month alone there has been a steady stream of discussions in the blogosphere, expressing concerns such as:

  • Security tools don’t cater to our needs. For instance, Michael Cloppert emphasized the need for more flexible intrusion detection and prevention tools that would allow the organization to cater defensive mechanisms according to their needs. He pointed out that “today’s detection and prevention tools are built by vendors focused on common threats & vulnerabilities using often-closed signature languages, limiting the ability of analysts to leverage intelligence applicable to their threat landscape.”
  • Security vendors misrepresent their products’ capabilities. Too often we read and hear unrealistic promises to meet customers’ compliance requirements (e.g., PCI) or to defend against the threat du jour (e.g., APT). As an example of how products can be misrepresented, take a look at Anton Chuvakin’s list of Top 10 Things Your Log Management Vendor Won’t Tell You.
  • Security professionals preach security to those who already recognize its importance. Too often, we are stuck in our own world, and don’t connect with other colleagues or members of the community. Referring to this practice, Ben Tomhave proclaimed, “It’s time to get outside the echo chamber and meet the real constituents who are, incidentally, also paying your bills/salaries.” Too often, we treat security as a standalone discipline.
  • Security assessments are scoped without reflecting real-world threat scenarios. Vulnerability assessment and penetration testing projects rarely mimic the actions an actual attacker is likely to take. Val Smith explained that “most companies have a vested interest in having a low quality test: they need to pass for PCI compliance or other business reasons.”

Now I’m getting verklempt! Does anything actually work in the infosec industry?

Update: I made a few recommendations for improving the situation by expanding the information security toolbox.


About the Author

Lenny Zeltser is a seasoned business and technology leader with extensive information security experience. He builds innovative endpoint defense solutions as VP of Products at Minerva Labs. He also trains incident response and digital forensics professionals at SANS Institute. Lenny frequently speaks at industry events, writes articles and has co-authored books. He has earned the prestigious GIAC Security Expert designation, has an MBA from MIT Sloan and a Computer Science degree from the University of Pennsylvania.
