[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] Where is security industry gng??

To: Geoff Shively <gshively@xxxxxxxx>
Subject: Re: [Full-Disclosure] Where is security industry gng??
From: Barry Fitzgerald <bkfsec@xxxxxxxxxxxxxxxx>
Date: Tue, 14 Sep 2004 09:38:44 -0400

Geoff Shively wrote:

Think about it this way, security was once focused on simple solutions to solve problems (network architecture with security in mind, device/OS hardening, etc).
Let us recap the history of the industry so that I can set the stage for
where I think it is headed.
In the last 5-7 years the security problem has grown complex and sheer
number of threats have skyrocketed, which brought to life an industry of
complex solutions to a combat a complex problem. IMHO, the wrong way to
deal with the problem.

Well, I'm not going to decry IDS -- IDS can be a very useful portion of a network security plan.

The problem with IDS was always that people perceived IDS as being a magic box that automatically and exclusively detects intrusions. Anyone who's ever worked with an IDS knows that that couldn't be further from the truth. However, that does not invalidate the data from the IDS. A properly tuned IDS can be very useful.

Having said that, you're entirely right. There needs to be a renewed focus on host-based security and hardening.

I liken it to this physical analogy (don't you love them? :) ):

Let's say that you have a stove that is necessary for business and on some types of this model of stove, there's a bad part that continually causes the thing to burst into flames and burn your business to the ground. A solution is needed, right? Well, there's two solutions: fix the part or build a high-tech fire suppressing system. Prediction: most businesses will go with the fire suppression system.

To people like us, the answer is obvious: fix the bloody part and the fires will stop occurring!

But to people who don't know any better or who have a vested interest in the use of that part, the fire suppression system is new, high-tech, brag-worthy, and solves the problem to their satisfaction. It doesn't matter that it's not the right answer. It doesn't matter that it doesn't actually solve the problem. It's shiny and highly visible.

We could probably advocate the right solution until the end of the day, but the sad fact of the matter is that it probably wouldn't matter in the end.

So, where is the security industry going? Well, who wants to buy a fire suppression system? :)

-Barry

p.s. Another physical anaology: browsing the web with IE is like doing a brothel tour of amsterdam without a condom. I love using that one. :)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Follow-Ups:
- Re: [Full-Disclosure] Where is security industry gng??
  - From: Frank Knobbe

References:
- RE: [Full-Disclosure] Where is security industry gng??
  - From: Geoff Shively

Prev by Date: [Full-Disclosure] drag and drop bug internet explorer
Next by Date: Re: [Full-Disclosure] AV companies better hire good lawyers soon.
Previous by thread: RE: [Full-Disclosure] Where is security industry gng??
Next by thread: Re: [Full-Disclosure] Where is security industry gng??
Index(es):
- Date
- Thread