There was a great level of discourse around Rich’s FireStarter on Monday: There is No Market for Security Innovation. Check out the comments to get a good feel for the polarization of folks on both sides of the discussion.
There were also a number of folks who posted their own perspectives, ranging from Will Gragido at Cassandra Security, Adam Shostack on the New School blog, to the hardest working man in showbiz, Alex Hutton at Verizon Business. All these folks made a number of great points.
But part of me thinks we are missing the forest for the trees here. The FireStarter was really about new markets and the fact that it’s very very hard for innovative technology to cross the chasm unless it’s explicitly mandated by a compliance regulation. I strongly believe that, and we’ve seen numerous examples over the past few years.
But part of Alex’s post dragged me back to my Pragmatic philosophy, when he started talking about how “innovation” isn’t really just constrained to a new shiny widget that goes into a 19” rack (or a hypervisor). It can be new uses for stuff you already have. Or working the politics of the system a bit better internally by getting face time with business leaders.
I don’t really call these tactics innovation, but I’m splitting hairs here. My point, which I tweeted, is “Regardless of innovation in security, most of the world doesn’t use the stuff they already have. IMO that is the real problem.”
Again, within this echo chamber most of us have our act together, certainly relative to the rest of the world. And we are passionate about this stuff, like Charlie Miller fuzzing all sorts of stuff to find 0-day attacks, while his kids are surfing on the Macs.
So we get all excited about Pwn2Own and other very advanced stuff, which may or may not ever become weaponized. We forget the rest of the world is security Neanderthal man. So part of this entire discussion about innovation seems kind of silly to me, since most of the world can’t use the tools they already have.
6 Replies to “Security Innovation Redux: Missing the Forest for the Trees”
Rich,
From Afterbytes – Ranum’s post today:
“If we’re going to have systems that work better (and are more secure) we need a complete re-invention of how we do system administration, how operating systems guarantee process separation, how run-time environments are managed and controlled, and…eventually someone is going to crack the problems I described above…”
Since Trustifier does those things and more, I will continue to believe that we offer value and present our case, especially in light of your firestarter post and discussion, and in time I will be proven either right or wrong. 🙂
Rob- we get it, Trustifier will solve all our problems.
@Haroon nails it.
If a solution is or can’t be used, well it probably isn’t much of a solution.
@Smithwill,
“The lists of all the bad stuff one should keep out of their network is well over 50,000,000 and growing…it
@haroon, I’m not saying security research isn’t important. Not at all. You are exactly right that research gives us 2-5 years to get ready for the next wave of attacks. The problem is 10 years isn’t enough for a lot of organizations that have no ability to defend against script kiddies. The vast majority doesn’t even know the basics.
I also don’t think it’s a matter that the stuff isn’t good enough yet. It’s that there is very little incentive for part-time security folks (who wear lots of other hats) to get it right. If they are breached, they are screwed, but that’s the case whether they do the job right or not. These types do the bare minimum and probably incorrectly.
Could products be better and easier to use? Of course, and they need to continue improving and being rolled into delivery models where the sophistication can be done by outside parties (MSSPs and ASPs). But we aren’t there yet. Not even close.
Hi Mike..
I agree.. kinda..
It’s clear that the gap between Pwn2Own/BlackHat-Cutting-Edge and the average home/corp user is great, but I don’t think that it’s a good idea to skip the innovation discussion “because the public are not using the stuff they have anyway”.
I think that if they are not using the stuff they have, then there is a good chance that the stuff they have isn’t good enough yet.. Innovation is needed to fix that, and when it does, the optimist in me hopes that adoption will follow..
I think here about the early 90’s when “do you have a firewall?” was not such a ridiculous question, and many firewalls were found to be configured as expensive routers. They were rough around the edges.. We could have accepted a lack of innovation since most people were not using their firewalls anyway, but eventually the innovation and requirement intersected..
(of course there are many examples of innovations that were not adopted despite them being good on paper and opposing examples of ideas that generally suck but still bloom as multi billion dollar businesses)
People sometimes bemoan the problem of the gap between BlackHat/CanSec attacks and “the average corporate”, but I think history has shown (phrase used to mean: “I have not checked this empirically but it seems right”) that the attacks discussed at confs give you a 2 to 5 year head-start..
When all you are trying to do to avoid the bear, is run faster than the other guy.. the head-start counts for a lot..
@haroonmeer
To innovate is to do something new. Is new better? Well, if measured in actual results, new, from a network security standpoint, is not better. At face value, in spite of all the latest-greatest acronym-laden mash-up-techno-consolidated solutions, “Houston, we still have problems!”
Threats are everywhere. The lists of all the bad stuff one should keep out of their network is well over 50,000,000 and growing. From a practical standpoint, it’s absolutely insane to believe that ANYONE or ANY TECHNOLOGY can defend against the sheer volume and variety of security issues. So, will innovation help solve these problems? Perhaps, IF, and only IF, people sort of backward-innovate by embracing simplicity as the solution to managing and securing their network.
Adding more gear doesn’t work. Bleeding-edge doesn’t work. Patented Technology is just a fancy way of saying “we paid a patent attorney lots of cash to draft this document that claims we do something in a very unique way….and now have a defensible position which makes our investors some investment recourse.” Patenting is over-rated. In fact patenting can be dangerous. Do some research into the GMO (genetically-modified Organism) crap that Monsanto, Dow, Bayer and Dupont have done in their efforts to spread genetically-engineered seed around the world. This is a “food security” issue that should concern everyone, meat eater, vegan and common folk alike. I digress.
Back to the new discussion. Rather than focus on new, why not address what’s better? One can find an excellent old car with low mileage that looks and runs great. In many ways it’s better than new. You don’t take the depreciation hit. The big maintenance stuff may have already been done. It’s also much easier and cheaper to work on than the “new one.” In many ways older IS better. In matters of old-fashioned network management, if one must expound about innovation, how about let’s get back to viewing the network in its purest undiluted form: the packet. The humble packet shuns all these high-brow security affects. Who needs a log aggregation and correlation system when you can track and rank your flows? Outliers practically jump right out at you sans all the fancy, might I even say “innovative” appliance crap which pukes-out a godawfully complex data table. Now, I’m not necessarily dissing SIEM boxes in particular, though their complexities and pricing are ludicrous, I just think one can over-innovate to the point of innovation-constipation which is characterized by a network so crammed full of technology that no executive management information can ever be squeezed from it. All one gets is “Trust me. We’re covered!” from the geeks.
Short of getting a definitive IT/business status report, management can keep on innovating to their own peril. Sans real-world bottom-line (SHOW ME) results, if you don’t manage the network and how it’s used, all the innovation in the world won’t save your business. In simpler terms, what’s old is new again. Managing the network and users, versus throwing more innovative gear at the problem, will yield all sorts of new, and much more desirable results.