Sit Back and React, 2005-05-19
As the security industry moves more mainstream, it's becoming stagnant due to a lack of vision. Who will lead the charge?
Over the last two years, some people would argue the security industry has been busy. Yet despite Microsoft getting its security house in order, Apple resurrecting its OS fortunes and starting a data-distribution business, and Sun and Novell trying to use Linux to stave off complete irrelevance, the basic ecosystem of the computer security world has changed very little. I believe the only big change is that John Q. Public is a little more aware of threats from hackers (in the sensational media sense of that term).
This stagnation of the industry has occurred after a period when new classes of vulnerabilities and methods of exploiting them were being regularly released and discussed, when newer and faster-spreading worms were unleashed every 4-6 months, and when antivirus companies came to the realization that it wasn't enough just to focus on file-infector viruses. But the dearth of novel attacks or new security strategies over the last 24 months has now created a deafening silence.
Some will argue that spyware and adware are the new big threat, but do most professionals believe they are any more than just really annoying? Sure, they CAN steal information, but are they really in the same league as, for example, the discovery of widespread methods of heap-based buffer overflow exploitation, or the Code Red worm? Bot networks get a lot of press nowadays, and there is no denying that they can do damage, but is the solution to bot networks going to involve a fundamental shift in how we defend computers? Sure, there are still big, bad vulnerabilities in widely deployed applications, and those need to be fixed. Absolutely, we can build better heap and stack overflow protections. Certainly, we need to watch out for new attack vectors, better masking of attacks, and so on. But these are all implementation problems for which we have largely already found solutions.
We seem to have settled into a period of "polishing billiard balls: all the corners are rounded off and it's simple refinement now." Does this mean that we are safe now, that we have all the problems figured out and just need to implement the solutions? I don't think that's the case at all.
Why aren't we working feverishly to make the world safer in a proactive sense? By this I don't mean the refinement process I mentioned earlier. Why don't we work to build solutions that can actually help protect data from being compromised? Let's automate data workflow through an organization and identify when anomalies occur. We have sensitive information being stolen, faxed and lost on a regular basis, and we in the security industry always seem to throw up our hands and say, "It's a policy or people problem!"
A co-worker and I were talking, and he pointed out that the Unix way of doing things (access controls, privilege separation, tool design) hasn't changed significantly in the last 15 years. In his view, this indicated that the problems that remain are either too difficult to solve or simply intractable. My belief is a little different. Current computing, including OS design, is an abstraction that lets us interact with data as if there were a single copy of it. This abstraction hasn't evolved with the widespread use of networks. We have created additional layers of abstraction to deal with data (folders, files, objects, resource forks), but they are straining under the load of our ever more connected world. This is where the true security problem is right now. Who is going to lead the charge to a solution?
I believe the solution is going to come as the large, established, general IT players merge further with the security industry players. Those of us with an interest in the Unix way should start asking why we don't have a Unix way of moving forward.
Why doesn't Novell use their leadership and skills in directory management to find solutions allowing all data in an enterprise to be identified and tracked? This would enable us to automatically identify a workflow of information, and note when anomalies occur. Why doesn't Red Hat or Sun show significant innovation in simplifying and improving the "thinner client" networking for an organization? Is there really a need for a 3 GHz computer to create PowerPoint presentations, read email, and send faxes? Why isn't Apple using some of their vaunted UI design skills to redefine how people interact with the security of their home computers?
Is this the chicken-and-egg scenario? I am sure the knowledgeable among the audience will point out that this approach is the egg, and we need the chicken (the consumer?) to demand it first. This seems like a justification for a lack of vision to me. I believe that a broad vision with strong execution can make the decision for the chickens much easier.
The only reason why no one is fundamentally trying to change the vision is simple short-sightedness. Why help solve problems that span other niches when it might mean you lose market share in your current niche? Or if you have a consulting arm, there is always lots of money to be made in prolonging the existing problems and solutions.
What we need is to change how we interact with data, and unfortunately this can only occur with leadership from the big players. Microsoft is interested only insofar as any change allows it to maintain or improve its dominance, and the Unix world is too busy squabbling among itself to provide a solution. The security industry isn't a fringe industry anymore. As happened in the database world, we are being consumed and integrated into the general computing infrastructure. Novell had the guts to create a directory service database first (and arguably still the best); the same needs to happen for data security. So, who leads the charge?
