LAS VEGAS -- Yahoo handles traffic from more than 800 million unique users each month and runs tens of thousands of Web servers. Yet according to the company's CISO, the security industry isn't building products that effectively support the scale and system diversity present at such a large-scale Web property.
Speaking at Black Hat USA 2014, Yahoo's Alex Stamos, who earlier this year founded the RSA Conference alternative TrustyCon, said that security vendors have become too focused on "shoving more features" into a single box while ignoring the basic features, bandwidth and processing power that companies like Yahoo need to secure their users and data.
That trend has led to what Stamos called "super smart pizza boxes," or single-task security appliances that sometimes can only handle traffic from a single front-end server out of thousands in the company's environment because they manage all sorts of security intelligence on board.
Stamos pointed specifically to a product like Palo Alto Networks Inc.'s PA-7050, the most expensive option in the vendor's line of next-generation firewalls. While noting that he personally thinks the PA-7050 is good for what it is, Stamos said that its maximum throughput with all security features turned on is only 100 Gbps, meaning Yahoo would need to purchase hundreds of them just to provide security services for traffic coming from one of the company's network switches. That kind of security architecture, he added, is completely impractical for a high-traffic Web property like Yahoo, and is akin to a city placing a police officer on every street corner.
Meanwhile, Stamos said Yahoo's security team is constantly trying to discern which of the millions of users who sign up for the company's various services are legitimate and which are looking to commit fraudulent activity, a situation he compared to a mall full of post-apocalyptic survivors facing an onslaught of zombies.
"There [are] 850 million people a month running at our mall, and we need to know who is a zombie and who is a person that we want to join our society," said Stamos. "It's a very difficult problem to solve."
Enterprise security products: Value vs. vaporware
Companies often struggle to find enterprise security products that offer ROI, Stamos noted. He mentioned an unnamed enterprise software security company that tried to sell the Sunnyvale, Calif.-based company a product that manipulates the Windows kernel to determine whether an "advanced APT attacker," as the vendor described it, had infiltrated a Windows box.
According to Stamos, not only did the product introduce an unacceptable level of platform instability into Yahoo's architecture but it also completely ignored the Mac- and Linux-based systems running in the same environment.
Too often, Stamos said, enterprise security companies overlook the system diversity inherent in enterprise environments of all sizes; many of these environments include Windows alternatives and orphaned legacy systems that are critical to operations and must be secured.
While Stamos made clear what he doesn't need from security vendors, he also clarified what he would like to see more of: namely, "dumb" sensors that could send data back to actual humans who can then review it for anomalies and investigate a situation further if warranted. Stamos pointed to the largely successful banking industry's security model, where suspicious transfers are flagged and reviewed by a bank employee who is then able to lock an account until the account holder can be contacted.
Stamos shared a lengthy list of security technologies he hopes to see from enterprise security companies in the near future, including a freemium key management equivalent to MySQL, ARM servers with lightweight remote attestation and OpenSSL with a remote handshake capability.
Noting that Yahoo is a customer of HackerOne, Stamos said he would also like to see bug bounty programs add some form of automatic verification so that companies don't have to independently assess each vulnerability submitted to them -- a move that would broaden the appeal of bug bounty program outsourcing to organizations without large, dedicated security teams.
Most importantly, Stamos said that the security industry needs to move past its excuses for not exploring new types of protections out of fear that sophisticated attackers -- like those from government organizations like the NSA or the People's Liberation Army of China -- will break them. Such criticisms ignore the reality that an overwhelming majority of users won't be subjected to such attacks, but will be targeted by the sort of rudimentary phishing attacks that plague users of Yahoo's email service.
Stamos, who announced that end-to-end PGP encryption is coming to Yahoo email users in 2015, concluded by imploring the security industry to turn its attention toward protecting "normal" users rather than taking the default attitude that they will simply undo any and all security measures.
"The thing I hate the most is we can't keep users safe because they're dumb. If we're building systems that our 25% user can't use, we are failing," said Stamos. "Yes, it's true that a normal user will type their password into anything. That just means we have to get rid of passwords.
"Post Snowden, we have a strand of nihilism that's keeping us from focusing on what's real," Stamos added. "It's about understanding the actual threats that your users face. We need to loosen up some of our restrictions as an industry."