Retro BuffooneryBy Mike Rothman
I’m probably not supposed to do this, as I took the security marketer’s oath to get my first VP Marketing gig. But I’m going to pull the curtain back on some of the wacky stuff vendors do to sell their product/services. Today’s specific tactic is what I’ll dub retro buffoonery, which is when a vendor looks back in time, and states that they could have stopped attack X, Y and Z – if only their products were deployed before the attack.
You see this stuff all the time. Whether it was TJX, Heartland, ZeuS, or now the APT, vendor after vendor builds a marketing program saying they could have stopped or detected the attack. They build very specific timelines and show how their product theoretically defended customers. Note I said ‘theoretically’, because I’ve yet to see a case where a vendor had an actual customer to say “I didn’t get hosed by [Attack X] because I was using [Product Y].”
To illustrate my point, let’s take a look at McAfee’s recent post-mortem on Operation Aurora. Now I’m singling out McAfee here, but there is nothing personal. Every vendor does it. I’ve done it probably a hundred times. If you work for a vendor, you’ve done it too. Rees Johnson, the blogger, did his job and pieced together a somewhat plausible story about how a combination of McAfee products could have been assembled to defend against the Aurora attack.
Basically, if you had all your traffic going through a SSL proxy, had reputation working on every single gateway seeing network traffic, had whitelisting on every single device running code, and a huge research arm that could tell you there was something going on – then you could have detected the attack. Yeah, that doesn’t sound like either an economically feasible or realistic user experience situation – but let’s not split hairs here. And we know plenty of folks were running McAfee, but they don’t seem to have any success stories of actual Aurora detection ahead of the fact to share.
Now to be clear, retro buffoonery tells a good marketing story and allows sales people to make a compelling case to customers for a company’s technology. Even better, by referencing a real attack, it can create enough customer urgency to get a check written. Which is good because security sales reps have those monthly BMW payments to make.
But please understand, this Tuesday Morning Quarterback exercise will not help you protect your environment any better for the next attack.
In the 20 years I’ve been in this business, we have proven to be lousy at predicting the future. How many of you predicted that a 0-day attack against IE6 on XP would constitute 30+ huge and successful attacks over the past 3 months? Probably the same folks who predicted SQL Slammer, TJX-style wireless POS attacks, and Heartland-style network sniffers. Even better, there are always multiple vendors telling stories about how different classes of products stop these attacks. Yet the attacks still happen, so it always gets back to the same thing – in hindsight, you’re sure you could’ve caught the attack. In reality, not so much.
Vendors hope we’ll forget that it’s more than just a signature or a product that actually protects us against these attacks. We also must remember process and people complete the picture. Maybe if you backed up the truck and implemented everything McAfee has to sell you, you could have stopped Aurora. But probably not, because most companies have at least one unsuspecting employee who would have clicked on the wrong thing from the wrong place, and given the attacker a foothold on your network. And remember what persistent means. These folks are targeting you, so they’ll find a way in, regardless of how many cents per share you contribute to the bottom line of your favorite security vendor.
So sorry, Mr. Retro Buffoonery Tuesday Morning Quarterback Always Completing the Pass Because It’s Easy to See in the Rear View Mirror, I don’t buy it. There are too many other things that go wrong to believe a wacky marketing claim that any set of products would stop a determined, well-funded attacker specifically targeting your organization.
But you’ll see plenty of this bravado at the RSA Conference next week. And hopefully you’ll do as I do, and just laugh.