The biggest security threat - money

This is hardly news, but some chats I had at the recent NetEvents EMEA Press Summit underlined for me that network security will never be rid of its most pernicious vulnerability - budgets.

Security costs money, there’s simply no getting around that. The problem is, while an organisation’s defences are subject to budget constraints and the need - as with any IT infrastructure - to sweat assets, the attackers face no such restrictions.

In the security arms race, the defenders are always hobbled - not necessarily by simple lack of money, but by refresh cycles.

The threats to corporate security evolve constantly. The rise of Advanced Persistent Threats (APTs) is especially worrying for those targeted. Now we’re seeing the increased potential for ‘hacktivism’ with firms being singled out for DDoS assaults. The world of malware sees constant innovation. And now your staff are bringing threats through the corporate defences with their use of social media. It’s a wild ride.

While both the volume and sophistication of threats are on the rise, the defences that firms could deploy to protect themselves are sometimes unavailable - not because security vendors aren’t producing them, but simply because those tasked with security can’t justify the expense of replacing kit that hasn’t reached the end of its life.

In most areas of IT, this isn’t a huge issue. If your employees are using office software that’s one generation old, or are chugging along on slightly less than the latest generation PCs, you might find that their performance is 1.53% below optimum (and good luck with measuring that).

But when it comes to security, the potential cost of not having the best is much higher. It could cost you your business. And change in this area is dictated largely by the bad guys. Not keeping up is risky, though I doubt that there are many firms that do continuous risk assessment weighing the ever-changing threat landscape against the organisation’s current security capabilities.

When I spoke to a couple of firewall vendors, the term ‘rip and replace’ came up, unprompted, several times. Of course, this was generally as a result of them telling me that their solutions will make this unnecessary. For example, Sourcefire’s vision of the ‘next-generation’ firewall (whatever you want that phrase to mean) is a modular one. The firm is building on its Intrusion Prevention System (IPS) technology: it has already added some degree of application and user awareness, and firewall capabilities are coming next. The idea, the firm says, is that you deploy the capabilities you need at the time and add others as they become necessary. No need for wholesale replacement.

There is another angle to this, however. Some are claiming that our entire approach is wrong. Nir Zuk, founder of Palo Alto Networks, is fond of claiming that - in terms of protection - most of today’s firewalls are about as much use as a length of Cat 5 cable. He presents an energetic case for why we need to scrap our ‘port and protocol’ approach to firewalls and adopt an entirely app-centric model capable of analysing not just which apps someone is using, but what they are doing with them.

It’s fair to say that not everyone is convinced by this argument. Yet even if you agree, there may not be much you can do about it until your firewalls come up for their next refresh - which could be years away. In the meantime, cyber-criminals are coming up with ever more entertaining ways of taking your money or your reputation.

In the past week, Cisco and SonicWall have announced new products or technologies in the next-generation firewall market. The technology to combat today’s threats is out there, the necessary innovations are happening, but many organisations will remain vulnerable simply because they are locked into corporate spending cycles that don’t have the flexibility to respond to the threats.