“Unreasonable Security Practices,” You Say? It Depends. (Pt. 1)

by Taher Elgamal
Chief Security Officer

Sonny Discini wrote a smart, entertaining piece for EnterpriseITPlanet.com this week titled “4 Unreasonable Security Practices You’re Probably Following.”

But are they really all that unreasonable?

It depends.

About antivirus initiatives, Discini writes, “If you were a police officer and I handed you a bullet-proof vest and told you that it was effective 18 percent of the time or less, how much confidence would you have in the solution?”

First off, it’s not 18 percent.

I think the consensus on this number is more like 30-plus percent. Even so, isn't 18 percent better than zero percent? Alternatives to antivirus are in their early stages at this point; rather than matching known signatures, they aim to flag behavior that doesn't look proper. But those alternatives haven't matured yet (not by a long shot), so until they do, I'd say that if you're an enterprise, you will still want that 30 percent.

“It never actually works right,” Discini writes about the concept of an intrusion detection system, “and you are always messing with it trying to get it right. Your environment is constantly changing, and hence, you will never stop this tuning process.”

That’s absolutely correct. Intrusion detection has never really worked.

Philosophically speaking, antivirus and intrusion detection are similar because they both look for known patterns.

But intrusion detection is such a general tool that you really have to do a lot of professional services work before, during, and after implementing it in order to get the information you actually want.

If you don't, you get far too many false positives. I'm talking 100,000 alerts a day. No organization can do anything with that much information. So I agree with Discini: it never works well for an enterprise. I've seen it work well in government applications, where a whole staff is dedicated to it, a staff that works with the technology every day and knows it inside and out. But commercially, it's not easy to use. It's a whole other story.
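The point above about known patterns and the tuning that never ends is easier to see on data. The following is an added illustration, not code from this post, from Discini's article, or from any IDS product: a toy signature matcher in the style of a network IDS, run over constructed log lines first untuned and then with a per-environment suppression table. The rule names, hosts and log lines are all invented for the example.

```python
"""Added illustration of signature-based detection and per-environment tuning.
Not code from the post or from any IDS product; every rule, host and log line
below is constructed for the example."""
import re
from collections import Counter

# Constructed "signatures": the known patterns an IDS or antivirus engine looks for.
# (Hypothetical rule names; not taken from any real rule set.)
SIGNATURES = {
    "sql-injection-attempt": re.compile(r"(?i)union\s+select|'\s*or\s+1=1"),
    "shell-probe": re.compile(r"/etc/passwd|/bin/sh"),
    "port-sweep": re.compile(r"SYN to port \d+"),
}

# Constructed sample log: an internal vulnerability scanner (10.0.1.2) and a backup
# host (10.0.2.7) legitimately produce traffic that matches the patterns, while an
# external address (198.51.100.4) sends what looks like a real attack.
SAMPLE_LOG = """\
10.0.0.5 GET /search?q=cats
10.0.0.9 GET /search?q=dogs
10.0.1.2 SYN to port 22
10.0.1.2 SYN to port 80
10.0.1.2 SYN to port 443
10.0.1.2 SYN to port 8080
10.0.1.2 GET /test?q=union select 1,2,3
10.0.2.7 GET /backup?path=/etc/passwd
10.0.2.7 GET /backup?path=/home
198.51.100.4 GET /login?user=' OR 1=1 --
198.51.100.4 GET /dl?f=/etc/passwd
"""


def parse(log):
    """Split log text into (source_ip, message) tuples, skipping blank lines."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        src, _, msg = line.partition(" ")
        events.append((src, msg))
    return events


def detect(events, suppressions=None):
    """Match every event against every signature.

    `suppressions` is the tuning table: rule name -> set of source IPs whose hits
    are expected in this environment (the authorized scanner, the backup job).
    Matches from those sources are dropped; everything else becomes an alert.
    """
    suppressions = suppressions or {}
    alerts = []
    for src, msg in events:
        for rule, pattern in SIGNATURES.items():
            if pattern.search(msg) and src not in suppressions.get(rule, set()):
                alerts.append((rule, src, msg))
    return alerts


def top_sources(alerts):
    """Count alerts per source IP; the first thing a tuner looks at."""
    return Counter(src for _, src, _ in alerts)


# Untuned deployment: every pattern hit is an alert and the internal scanner dominates.
UNTUNED = detect(parse(SAMPLE_LOG))

# Tuned deployment: after confirming 10.0.1.2 is the authorized scanner and 10.0.2.7
# is the backup host, suppress their expected hits. The external source still alerts.
# Any change in the environment (a new scanner, a moved backup job) reopens this
# table, which is the tuning process that never stops.
TUNING = {
    "port-sweep": {"10.0.1.2"},
    "sql-injection-attempt": {"10.0.1.2"},
    "shell-probe": {"10.0.2.7"},
}
TUNED = detect(parse(SAMPLE_LOG), TUNING)

if __name__ == "__main__":
    print("untuned:", len(UNTUNED), "alerts; top sources:",
          top_sources(UNTUNED).most_common(3))
    print("tuned:  ", len(TUNED), "alerts")
    for alert in TUNED:
        print("  ", alert)
```

On this constructed input the untuned run produces eight alerts, five of them from the internal scanner; the tuned run leaves only the two from the external address. Scale the same ratio to a real network and the 100,000-alerts-a-day figure is not an exaggeration, and note that the suppression table is knowledge about one particular environment, which is exactly why it cannot ship with the product.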

So why is it still sold to enterprises? Two reasons. First, intrusion detection is usually a small part of a larger software package: a technology a big company inherited when it bought an intrusion detection company (the fate of all intrusion detection companies, by the way) and now offers as a "value add." Second, some technologists are simply in love with technology, and they don't recognize that what they're building might be difficult for the average IT person to run.

In Part 2 of this blog entry, we’ll take a look at the other two security practices Discini believes are unreasonable.
