We’re Not in Kansas Anymore
Last week the tech press marked yet another week of security capitulation, with reports of widespread unpatched Oracle databases and the acknowledgement that a cyber attack had recently blacked out at least one city outside of the US. It has become even more apparent that our private and public sector IT leadership and vendor community have become increasingly comfortable with security as a reaction to events rather than as a means to shape them.
If you followed popular blogs about the Oracle CPU issue you would have seen all the telltale signs of the coming fall (and I don’t mean calendar year 4th quarter). I blogged about the ORACLE SECURITY PARADOX last week and explained how the interests in play were leading us to database security jeopardy. While this most recent Oracle CPU and the recognition of the “patch fatigue” issue bring attention to vulnerable, unpatched Oracle databases, I also pointed out that a broader and even more disturbing dynamic is at work.
The proliferation of unpatched and vulnerable data center servers includes a multitude of embedded and legacy systems running custom applications that are critical to 24/7 operations in multiple key industries including health care and energy production. These systems are perilously behind the times when it comes to security and yet are increasingly exposed to the public-facing network.
This week Computerworld also published “Apocalypse Soon” and the following early paragraph should raise a few eyebrows:
Indeed the threat is “urgent and real,” says The Business Roundtable, an association of CEOs of large U.S. companies. The Washington-based public policy advocacy group says there is a 10% to 20% chance of a “breakdown” of the critical information infrastructure in the next ten years, brought on by “malicious code, coding error, natural disasters, [or] attacks by terrorists and other adversaries.”
While the report included a very broad range of threatening scenarios (including natural disasters) it wasn’t coincidental that malicious code was the first item mentioned by Computerworld. Our malaise has become so acute that the recent acknowledgement of a hacked blackout becomes just another headline.
This recent power hack is just another sign of a dying status quo of old technologies, complacency and confusion that is nurtured by an ever-growing stream of service revenue, outsourcing and faulty tech industry leadership still bent on squeezing every dollar of revenue out of every past investment. It is time for the netsec industry to think ahead instead of trying to hold back innovation.
How many “acceptable” intrusion prevention system reviews contain the caveat that the product worked against less than 50% of test attacks? Most emphasize their sophisticated (false alarm) management capabilities rather than any enhanced detection or prevention. I’ve blogged before about this in Security3.0. These older packet inspection architectures need to be upgraded.
Last week a security executive joined the chorus of large public company executives giving trade interviews about why it’s important not to buy best of breed security “point products”. Methinks he doth protest too much. Why would a senior executive of a public security company waste precious leadership ink in leading tech journals fighting innovation and private companies?
I think there is a simple answer: they’re losing business to innovation and think wheeling out an exec to lead the charge against it is a smart marketing move. Hardly. This is a problem deeper than a media message or the tired benevolent security bureaucracy metaphor that often manifests itself in times of turmoil.
Yet the security problem is bigger than innovative private companies and the security industry needs to wake up from its slumber and innovate. It’s simply too late for proclamations.
THE BIG BANG THEORY
As a culture we’ve become so enamored with the power of convenient access that we’ve leapfrogged ourselves into a new era of convenience, vulnerability and complacency. Our de facto “plan”: we will react to breaches with half-hearted steps until a defining event frightens us into overreaction. I’ve heard this repeatedly when out meeting with IT pros from high profile companies: “I get budget when things go wrong.”
Yet the very convenience that is driving us to new heights in productivity is building out a kind of backplane (or ether) that allows for the unprecedented theft, transport and concealment of data and resources. Today as more unpatched databases and embedded systems are connected to the Internet, hackers are becoming more sophisticated and more financially motivated.
The Yin/Yang dialectic between teenage desktop attack and security vendor innovation that got us to where we are today is transforming into an arms race between tired, low layer, hardware-centric IPS architectures and increasingly innovative cybercriminal gangs. The mounting spam in your inbox is only the tip of an iceberg of innovation mutating in real time around static exploit signature spam defenses. The spam button on my Yahoo mail is an outright joke as it protects me from the last spam coming again to my inbox.
This shift from fame to fortune seeker is manifesting itself in numerous ways. We’re seeing mushrooming bot activity and new and higher projections of how many servers around the world have been compromised. We’re seeing the rise of more sophisticated attacks, including SQL injection, cross-site scripting and polymorphic attacks designed to evade the traditional security products that were highly effective against known exploit signatures and anomalous traffic and behaviors.
It is readily apparent that the malicious hacker community is innovating faster than the security industry. They understand the growing market opportunity created by increasing network access to unpatched databases and embedded systems. And they are innovating on multiple levels, from core technology and tools to online markets for stolen information.
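To make concrete what “designed to evade” exact exploit signatures means in practice, here is an added Python example; it is not code from the original post, nor from Blue Lane or any vendor named here. It runs a handful of constructed request fragments through a naive exact-substring matcher and then through a matcher that normalizes the input first. The signature strings, rule names and sample payloads are all assumptions made up for the illustration, not any product’s rule set.

```python
import re
from urllib.parse import unquote

# Exact-substring signatures of the kind a static, signature-matching filter
# ships with (constructed for this example; not any product's rule set).
NAIVE_SIGNATURES = ["UNION SELECT", "<script>", "' OR 1=1"]


def naive_match(payload):
    """Exact, case-sensitive substring matching on the raw payload."""
    return [sig for sig in NAIVE_SIGNATURES if sig in payload]


def normalize(payload):
    """Undo the cheap transformations an attacker uses to dodge exact matching:
    URL decoding (repeated, to unwrap double encoding), case folding,
    inline SQL comment removal and whitespace collapsing."""
    text = payload
    for _ in range(3):  # bounded so a pathological input cannot loop forever
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    text = text.lower()
    text = re.sub(r"/\*.*?\*/", " ", text)  # UnIoN/**/SeLeCt -> union select
    text = re.sub(r"\s+", " ", text)
    return text


# Rules applied to the normalized form. They are deliberately loose, which is
# why a real deployment still has to tune them against legitimate traffic.
NORMALIZED_RULES = [
    ("sqli-union", re.compile(r"\bunion\b.*?\bselect\b")),
    ("sqli-tautology", re.compile(r"'\s*or\s*['\w]+\s*=\s*['\w]+")),
    ("xss-script-tag", re.compile(r"<\s*script\b")),
    ("xss-event-handler", re.compile(r"\bon(error|load|click|mouseover)\s*=")),
]


def normalized_match(payload):
    """Names of the rules that fire on the normalized payload."""
    text = normalize(payload)
    return [name for name, rule in NORMALIZED_RULES if rule.search(text)]


# Constructed request fragments: one plain attack per class, variants that
# differ only by case, comments or (double) URL encoding, and a benign control.
SAMPLES = [
    "1 UNION SELECT user,pass FROM users",
    "1 UnIoN/**/SeLeCt user,pass FROM users",
    "1%2520UNION%2520SELECT%25201",
    "<ScRiPt>alert(1)</ScRiPt>",
    "<img src=x onerror=alert(1)>",
    "admin' OR 'a'='a",
    "benign search term",
]


def compare(samples=SAMPLES):
    """Return {payload: (naive_hits, normalized_hits)} for every sample."""
    return {s: (naive_match(s), normalized_match(s)) for s in samples}


if __name__ == "__main__":
    for payload, (naive, normalized) in compare().items():
        print(f"{payload!r:45} naive={naive or '-'} normalized={normalized or '-'}")
```

The exact matcher catches only the first sample; a case change, an inline comment or a second layer of URL encoding is enough to walk past it, which is the whole point of a polymorphic payload. The normalized matcher catches the variants, but its looser rules will also fire on a benign query that happens to contain “union ... select”, so the detection gain comes with the false-alarm cost the post complains about. Normalization of this kind is also only a partial answer: other encodings, fragmentation and protocol-level tricks need their own handling, which is why the argument here is for rethinking the architecture rather than adding more strings to the list.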
THE TREND IS THE CYBERCRIMINAL’S FRIEND
As the web of convenience reaches deeper into the data center and core databases; as security pros spend more time simply keeping up with the operational requirements of older, static security technologies; and as enterprises invest more in compensatory operational expenses (service revenue) or to upgrade hardware to keep up in the packet inspection race… network attacks are becoming increasingly complex, increasingly sophisticated and increasingly successful.
We are setting ourselves up with the preconditions of a big bang that risks the core of our trusted web economy and the emerging global meritocracy that fuels our engine of innovation and commerce. It has the potential to be fast, decisive and mysterious, all at the same time. Our drive to convenience is great for consumers. It is perhaps just as great for cybercriminals. Their next opportunity for enrichment may be sitting in your data center, behind layers of half measures and stacks of security service invoices. The following is ICANN’s Stephen Crocker’s advice for what CIOs should say to their CEOs, also from Computerworld:
“Boss, we need to take care of ourselves, but we also need to organize into a powerful user group and bring some pressure on [vendors] so that the network is fundamentally safer tomorrow than it is today.”
The message is clear: security vendors need to rethink their architectures for accuracy, availability and performance. They need to get beyond packet inspection and exploit signature matching and avoid the temptation to invest solely in alarm management. They need to start at the data center perimeter rather than playing out their legacy strengths with desktops. They need to step upstack and embrace innovation. If they don’t do it, their customers will; and exec trade ink about point products will be pointless.
Disclosure: I’m the VP Marketing for Blue Lane Technologies, a winner of the 2007 InfoWorld Technology of the Year for security, Best of Interop 2007 in security and the AO 100 Top Private Company award for 2006 and 2007. Blue Lane is also a 2007 Best of VMworld Finalist in data protection. I’ve been a marketing executive at Juniper Networks, Redline Networks, IntruVert Networks and ShoreTel. I’ve been an Always On blogger/columnist since 2004.