Part 4: Marcus Ranum on the state of information security
Date: Nov 16, 2009
At Information Security Decisions 2009, Marcus Ranum explains the effect vendor consolidation will have on technology integration and the need for feature awareness.
About the speaker:
Marcus Ranum is Chief Security Officer at Tenable Network Security.
View the rest of the presentation:
- Part 1: The history of information security
- Part 2: The late golden age of information security
- Part 3: The realities of compliance
- Part 5: Predictions for the future of information security
Marcus Ranum: Some more technology changes, where does this all wind up going?
The changes in technology as a result of acquisition are going to do some really interesting things as well. And they're not great things, they're just interesting things.
Consolidation drives integration. The premise of consolidation, the reason that these companies buy five different products and glue them together is so that they can glue them together and offer them to you as one very large, expensive product, that does everything. That's what they want to do. Let's get them a bigger slice of the pie and it drives out the smaller players and it consolidates them as a single, very large line item in your budget and that's all very good for the business.
So integration, from the user standpoint, from your standpoint, integration is nice, right? It means that you've only got one person, one company to deal with, you've only got one technology to field, you only have one thing that you have to read the manuals for and life is good.
Integration drives one-stop shopping and it also drives centralization in your organization of technical focus. So it's not that you have a Firewall guy plus an IDS guy plus a whatever. What do you have? You have the guy who clicks the Turn On the Firewall feature on the Cisco whatever it is and the same guy clicks the Turn On Intrusion detection feature on whatever it was that you bought from Cisco.
Now, here is a problem. One of the things that's always bothered me about that. I don't know what happens when you turn on the click box. I'm a do-it-yourselfer. I actually didn’t really believe how V-8 engines worked until I took one apart when I was a High School student. And so, I like to know what things do inside in order to be able to understand them. I wouldn't install a Firewall that the only thing it did was be a Firewall.
But that's kind of where we are right now. You buy a home router or something like that and you can click the check box that says turn on Firewall. What does it do? It turns on the Firewall. What does that do? I don't know, neither do you and there's probably two guys at the vendor who do know.
Is it that there's a Perl script that some guy wrote that just says Turn on the Firewall and make them feel good? Or is it actually got some kind of cool engine that looks at your traffic and does something smart with it? Or is it something that moves data back very fast and there's a little blinky smiling face?
You have no idea; neither do I, and what's really scary about this, especially with this highly integrated environment we're moving to, you talk to the guys at the vendor, what are they going to say? I don't know, we got that as part of our acquisition to that Firewall company 5 years ago. But look at the smiley face, it's really good. Make sure you click the checkbox and turn that on.
That's kind of where I think we're headed.
Some extrapolation. If security gets subsumed into being a click feature, Bob the router guy is going to be told to click the security button and that's it. Security also gets to turn into a click feature for the operating system, you know, Windows. You click the Make it Secure button and trust Microsoft, as we always have.
But that's what's going to wind up happening. Turn on the IPS stuff as long as you're turning on the VoIP and, by the way, we just let go three of your employees from the networking group so now Mr. Senior Network Manager, you can do all of that and, by the way, the BGP stuff is pooched, could you fix that by Monday? So that's kind of where that's going.
On the system side, on the platform side, security gets built in as a click feature and system administration as well, which is about time, that should have happened a long time ago. But what's going on with that? You're going to have the systems guys who install the Windows packages or Linux or whatever it is you're using and they're going to click the Make it Secure button and they're not going to understand any better because everyone has less time to actually understand what they're doing but the complexity rate is still mounting. So that's a big problem.
Here's an idea to think about. Patch management and the antivirus are desktop security. That's all you've really got. Of course, I don't particularly like antivirus. I suspect, I haven't really been able to make a good argument for it, but I suspect that if you actually have a good System Administration tool that allows you to do configuration management and you roll patching and blocking certain types of executables from running into your configuration management process, that is desktop security. That certainly is the future.
System Administrators are being expected to do this and Systems Administrators are getting pushed into the very interesting new direction by virtualization and cloud computing and that's making software, making the run time of your environment of your computers, disposable, being able to revert them back to a known good state, pretty much in any time, makes them disposable.
So, if the system's disposable, at a certain point why do you really care about patching it? Why do you really care about antivirus? You can just simply revert it and push out a new image. That may be where some of this stuff is headed. And, if that's correct, then configuration management kind of eats security and whoever is responsible for running your configuration management tool, is your desktop security or your System Security Expert.