Notes from Techno Security 2006
Today I spoke at three Techno Security 2006 events. I started the day discussing basic and advanced topics in enterprise network instrumentation. I ended the day on a panel discussion with Russ Rogers, Marcus Ranum, and Johnny Long, moderated by Ron Gula. My wife and daughter and I also shared lunch with Kevin Mandia and Julie Darmstadt, both of whom I worked with at Foundstone.
This was my second Techno Security conference. I want to record a few thoughts from this conference, especially after hearing Marcus speak yesterday and after joining today's panel discussion.
Yesterday Marcus noted that the security industry is just like the diet industry. People who want to lose weight know they should eat less, eat good food, and exercise regularly. Instead, they constantly seek the latest dieting fad, pill, plan, or program -- and wonder why they don't get the results they want!
Marcus spent some time discussing money spent on security. He says we are "spending rocket science dollars but getting faith healer results." He quoted a March 2005 document by Peter Kuper (.pdf) analyzing the security vendor scene. Kuper claims that the 700 companies estimated to exist in 2005 will compete for $16 billion in revenues in 2008. That's an average of $22,857,143 per company -- not enough to sustain most players. When the three "big boys" -- Symantec, Cisco, and McAfee -- are removed, that leaves only $11.5 billion for the remaining 697 companies, or only $16,499,283 per company; that's even worse. Kuper and Marcus believe all security companies are going to end up being owned by Symantec, Cisco, McAfee, or Microsoft, or will go out of business.
Finally, I've been following the SecurityMetrics.org mailing list thread caused by Donn Parker's article and my blog posts. I've discussed the risk equation both in this blog and in my books, so you may wonder why I even mention it if I feel that measuring risk is basically worthless. The answer is simple. The risk equation is like the OSI model. In practical applications, both are worthless. No one runs OSI protocols, but everyone talks about "layer 3," "layer 4," and so on. So, the terms are helpful, but the implementation fails.
(By implementation, I mean no one runs OSI protocols like CLNP. IS-IS might be an exception, although exceptionally rare.) [Note to self: prepare for deluge of posts saying "We run IS-IS!", even though I've never seen it.]
Comments
People aren't spending wisely. It could be argued that the Security Industry is similar to the Healthcare Industry. Americans are spending twice as much per person for our healthcare and are on average sicker than the British or Canadians because the money isn't being spent on preventing diseases that could be prevented, like Type II diabetes. If people set up rings of defense, hardened hosts, configured firewalls properly, secured databases, used strong passwords, encrypted laptop hard drives, etc., a lot of problems could be prevented. But people prefer pills to surgery and pop-in security appliances to designing the network right in the first place.
One thing that is really bothering me with my job right now is that my position will be changing from defending networks to spying on people's web usage. I could live with it if the appliance were configured correctly, or we were just monitoring for illicit activity, but some of it will likely be used for intimidation of workers. Trading stocks during your lunch break seems acceptable to me, but my company's AUP will likely forbid it. The fact that senior executives will be doing the same with the company stock to maximize their bonuses seems like the same thing and a double standard.