It’s that time of year again, when New Year’s prognostications give way to a similar level of noise about what to look for at the RSA Conference. There are always recurring themes to the latter. There is always much talk of the latest attack, or class of attack, that will drive where security should go. Incident headlines largely divide the M.O. between attack industrialization at one end of the spectrum, and the more dedicated adversary at the other, with recent twists now including a “smoking gun” assertion regarding China.
Just as prevalent at RSA are the many claims from a host of vendors about the latest can’t-do-without tool or widget that will solve all our unsolvable security problems (problems that often serve us equally well as FUD fuel, by the way). Security is always a fairly noisy market, with never any shortage of opportunity to chase a buck when attacks remain so prevalent – and successful.
But what all this noise reveals is a serious and longstanding fragmentation of the IT security industry. Competition can be a good thing, when disruptors challenge incumbents and keep everyone’s game sharp. But what the security market often shouts louder than anything is just how little real integration exists among security tools.
Not that this is all that unique to security, certainly. But the nature of security concerns today demands better coordination of insight with response. Prevention may be pointless if tactics are blind to current realities or simply outmoded. Threat and vulnerability awareness must be complemented by strengthening of the security posture in ways that will make a real difference. Those responsible for security strategy must know where they can best place their bets.
The adversary often knows these gaps better than we do. The so-called “hybrid” attacks of a decade ago that combined vulnerability discovery with exploit and self-propagation payloads heralded what have today become highly efficient attack toolsets. Complex attacks often combine social engineering with malware communicated via multiple channels, hosted by endpoints and servers alike. The more dedicated adversary, meanwhile, predicates success on stealth and the ability to obscure malicious activity under the guise of normal behavior.
This would seem to call for a more coordinated approach to defense – and yet, vendors in silos trample merrily all over each other, proclaiming that their approach is better than that of others, with seemingly little regard for the consequences. The result? “Poor integration among security tools” was one of the top two frustrations with security technologies reported in our 2012 survey of 200 enterprises worldwide.*
There are, however, some key areas in which integration is beginning to play a role in product evolution:
- Mobility can be expected to be a hot topic at RSA this year. Already within the mobile management market, mobile device management (the management of device policy) and mobile application management (app isolation and control) have come together in some vendor offerings, while mobile management itself seems poised to align with existing approaches to enterprise endpoint management. Network Access Control (NAC), for example, has already pioneered concepts of pre-admission device assessment and isolation of network traffic. The alignment of NAC with mobile management is already evident in partnerships such as ForeScout’s with AirWatch, Fiberlink, MobileIron and others. But there is one aspect of mobile security that I have yet to see much discussed, yet which could hardly be more important to mobile security strategy…and it’s an aspect of the following:
- Security intelligence was one of the more overheated topics at RSA last year, with the term “Big Data” being flashed like a high-stakes gambler’s cash. But as I have described at some length, there are some very good reasons for this trend. Alleviating the blindness that has long beset security strategists is just one aspect of data-driven security’s promise. Defense technologies that integrate insight and analysis directly into their functionality are another provocative example, such as RSA’s recent acquisition of Silver Tail Systems, and Juniper’s of Mykonos. As data-driven tactics become more evident, I expect the integration of intelligence into defense to continue to play a larger role in shaping more effective security technologies – including some examples not yet prevalent, but which, I believe, will be.
- Consider, for example, the risk posed by a plethora of apps for today’s mobile devices. Device control and app segregation can do much to mitigate mobile risks and insulate enterprise resources, but the threats posed by promiscuous or poorly behaving apps themselves are already a big concern given the thousands of apps available in the consumer market. Researchers have already demonstrated how potentially malicious apps can get through trusted app stores. Developing mobile app reputation intelligence on a scale at par with the sheer numbers of mobile apps would be no small matter for anyone willing to take it on – but in the future, it could be a valuable complement to be integrated with the mobile security offerings you’re likely to see at RSA next week. You can expect your preferred mobile security and management vendors to be taking a close look at companies such as Appthority who have made some inroads in this direction.
- Intelligence is already a primary factor for one of today’s poster children for integrated security tactics: so-called “advanced threat defense,” which will be much in evidence on the RSA show floor. FireEye may have been a pioneer here, but the approach has been embraced by nearly any vendor that today includes the word “fire” in a brand, as well as by some who don’t. This approach correlates activity monitoring with intelligence such as malware recognition or interaction with known malicious sources, complemented in some cases by the ability to monitor, isolate or block activity. Because complex threats often leverage a combination of techniques (phishing to gain an initial foothold, for example, followed by the surreptitious download of malware or other attack tools, often via compromised websites), these “advanced” defenses often feature coverage for multiple avenues of attack, across email, web or enterprise content repositories (where threats may be stored, unnoticed, as a result of such attacks).
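The correlation just described, intelligence matched against activity across more than one channel, with a phishing-then-download chain escalated above a lone indicator hit, is easier to see in code. What follows is an added illustration written for this post, not code from the post or from any vendor named in it. The log format, the indicator sets, the user names and every domain, sender and hash value are constructed for the example; the thirty-minute chaining window is an assumed tuning parameter.

```python
from datetime import datetime, timedelta

# Constructed threat intelligence for the example. These are placeholders, not real indicators.
KNOWN_BAD_DOMAINS = {"evil-downloads.example", "payload-host.example"}
KNOWN_BAD_HASHES = {"deadbeef"}  # placeholder for a full SHA-256 value
KNOWN_PHISH_SENDERS = {"hr-update@phish.example"}

# Constructed log lines in an assumed format: time|channel|user|key=value...
# Two channels (email and web) feed the same pipeline, as the post describes.
SAMPLE_LOG = """\
2013-02-20T09:01:00|email|alice|sender=hr-update@phish.example|attachment_sha256=deadbeef
2013-02-20T09:05:00|web|alice|dest=evil-downloads.example|bytes=204800
2013-02-20T09:06:00|web|bob|dest=intranet.corp.example|bytes=1024
2013-02-20T11:00:00|web|carol|dest=payload-host.example|bytes=5000
2013-02-20T11:20:00|email|dave|sender=newsletter@vendor.example|attachment_sha256=none
"""


def parse_line(line):
    """Split one pipe-delimited log line into a dict of fields."""
    ts, channel, user, *fields = line.split("|")
    event = {"ts": datetime.fromisoformat(ts), "channel": channel, "user": user}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def indicator_hits(event):
    """Return the intelligence matches for a single event (empty list if none)."""
    hits = []
    if event["channel"] == "email":
        if event.get("sender") in KNOWN_PHISH_SENDERS:
            hits.append("known phishing sender")
        if event.get("attachment_sha256") in KNOWN_BAD_HASHES:
            hits.append("known malicious attachment")
    elif event["channel"] == "web":
        if event.get("dest") in KNOWN_BAD_DOMAINS:
            hits.append("known malicious destination")
    return hits


def correlate(log_text, window_minutes=30):
    """Turn raw log text into alerts.

    A lone indicator hit produces a 'medium' alert. A web hit for a user who had a
    suspicious email within the preceding window is escalated to 'high', because
    that is the phishing-foothold-then-download chain the defenses aim to catch.
    """
    window = timedelta(minutes=window_minutes)
    events = sorted((parse_line(l) for l in log_text.strip().splitlines()),
                    key=lambda e: e["ts"])
    last_suspicious_email = {}  # user -> timestamp of the most recent email hit
    alerts = []
    for ev in events:
        hits = indicator_hits(ev)
        if not hits:
            continue
        severity = "medium"
        if ev["channel"] == "email":
            last_suspicious_email[ev["user"]] = ev["ts"]
        elif ev["channel"] == "web":
            prior = last_suspicious_email.get(ev["user"])
            if prior is not None and ev["ts"] - prior <= window:
                severity = "high"
                hits.append("preceded by suspicious email")
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "channel": ev["channel"], "severity": severity, "reasons": hits})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert["severity"].upper(), alert["ts"], alert["user"],
              alert["channel"], "; ".join(alert["reasons"]))
```

On the sample data this yields three alerts: a medium one for the phishing email to alice, a high one for alice’s download from a known-bad domain four minutes later, and a medium one for carol’s lone web hit, which has no email precursor and so stays un-escalated. Shrinking the window below four minutes drops alice’s second alert back to medium, which is the kind of tuning trade-off an integrated product has to expose rather than hide.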
These examples are promising, but they still do not address the many challenges of weaving a coherent strategy out of a plethora of parts. There are some initiatives seeking to tackle this challenge head-on:
- SCAP, the set of specifications that make up the Security Content Automation Protocol, has been advanced in government as a means to get security tools to play well with others. The effort is ambitious, since it embraces a number of specifications for defining how security tools interact with each other, which must be kept current with both technologies and threats. Vendors often resisted, not least because developing to SCAP specifications often meant duplicating development costs when existing formats were already in place. But there are some in the private sector such as Ed Bellis, now CEO of Risk I/O, who have seen the promise of SCAP pay off in real benefits, while federal mandates have helped to drive adoption. Largely because of the latter, you can expect to see at least a few announcements at RSA that speak to the adoption of SCAP in government.
- “Software-defined” technology – Software-Defined Networks (SDN) and the Software-Defined Data Center – may herald the future of such trends, offering greater flexibility for security as well as for network management. Some vendors, such as Juniper, have placed significant bets on this promise, aligning with a focus on complex or large-scale enterprise and service provider environments which often make extensive use of virtualization. The potential of such trends for offering security a systematic way to define policy throughout an infrastructure is tantalizing, but it is still early in terms of on-the-street products. Regardless, this is a concept I expect to see making more of an appearance at RSA this year.
Despite such initiatives, examples of real integration today are far too isolated and rarer than they should be. Will vendors at RSA be talking up the values of an integrated approach, or how they interoperate with other techniques? Heck, I’d be thrilled if they would at least talk more publicly about cooperating with each other in sharing intelligence about the threats to the industry as a whole. Am I overly optimistic that security toolset integration will ever become more evident? Probably. But that doesn’t mean the need doesn’t exist.
Gunnar Peterson has offered some excellent advice for RSA attendees: keep an eye open not so much for the latest bells, whistles and hype, but rather for how products and services will actually fit in your organization. To this I would add, be on the lookout for vendor trends toward real product integration – and don’t be shy about pressuring your suppliers to do a better job, both in integrating their own products as well as in working with others, to solve the larger problems we all face.
*At 43% of all respondents, poor integration among security tools was nearly tied with the most frequently reported frustration, “too difficult to distinguish which security actions are working, and which are not” (46%).