Network Security "Theater": Just an Expensive Show?

Email Print Digg This Add to del.icio.us

The defense of the network perimeter has been a quest of security professionals for almost two decades now. In times of economic failure, real questions are being asked about the effectiveness of these efforts, especially given the dawn of a new era in mobile computing and the frequency of high dollar losses.

I have deployed, configured and managed just about every kind of point solution and/or all-in-one device in the pursuit of securing the enterprise. As I look back, I can see short-lived successes, but overall, most of these efforts failed.

I’ve also audited hundreds of such deployments and I feel confident saying that more than 90% of those deployments were done is such a way that it would have been better to have nothing at all.

In short, technical solutions of yesterday will not work today.

That’s the message now understood by senior leadership. Why? It’s simple. The old model of the perimeter and all costs associated with it is not yielding the protections claimed by vendors or those who manage and configure the solutions.

We spend thousands of dollars a year per device in maintenance costs yet we’re surprised how easily data breaches occur. Senior management is now wise to the high costs of “protection” and the ease that data is lost. Logically, they are going to start asking the question, “Why are we doing it this way when it costs so much and yields little in the way of real defenses?”

Let’s look at DLP (Data Loss Protection) as an example. Many organizations are putting this solution in place thinking that they will be able to make significant progress in keeping valuable data from leaving the enterprise.

In reality, this is “Security Theater.” It does nothing more than use a static hit list searching for email flowing out through the corporate email system. The new generation of workers coming in from college are extremely tech savvy and understand that when you want to remove data, it can easily be done with a mobile device or any number of things such as an MP3 player (via USB).

At best, you’re going to stop stupid with DLP and nothing more.

My favorite waste of time and money is Anti-virus. Even the name is out of date. Almost every sample of malware I’ve looked at in the past two years has been designed in such a way as to easily avoid detection by “anti-virus” software.

I’ve seen statistics posted that show that AV is about 18% effective as of 2009. My own testing in my lab agrees with this number. A random sample of 100 samples was thrown at major AV products both free and commercial and I was within 3% of the figure.

Again, “Security Theater” is being done here. Organizations toil over trying to be sure that AV software is on every host but at the end of the day, they are lucky to hit the 70% mark in deployment. Given the horrible effectiveness when it is installed, we’re just compounding the waste of resources when dealing with this dinosaur.

We still deploy perimeter firewalls and other devices believing that we’re doing something to protect the enterprise. We now have a new firewall called a WAP (Web Application Firewall). This also falls into the security theater bucket because even with these rebranded devices, XSS attacks and various application exploits are happening faster than the problems are being fixed -- and faster than vendors can rebrand their wares that supposedly protect you.

So what do we do about the old model and wasting money trying to protect it? There are several options out there (for instance, cloud models) but I believe the best way to deal with this is to first accept that there is no such thing as a perimeter anymore.

That mindset must be the first thing to change before we can craft architectures and policies to deal with the new way that data is shared and protected. Once we have accepted that the classic perimeter is dead, we can identify the valuable data, where it lives and how it must be shared. Then and only then can we create a tight wall around just the data we need to protect. It is much easier to protect a small area of your environment than to waste time protecting sections that really don’t require you to do so.

The rest of the environment should be built in such a way to ensure high availability during various hostile conditions. In other words, focus on availability in these sections, not wasting time and energy deploying solutions that do little more than put on a show.