5 Key Factors of Complexity

Posted by Brett Hardin on 20th May 2009

Reading time: 2 – 3 minutes

Brian J. Truskowski, General Manager of Internet Security Systems (ISS), gave a keynote presentation at RSA 2009. His talk touched on an interesting topic that he referred to as the “5 Key Factors of Complexity.”

He identifies the key cause of compromise as human nature: humans are susceptible to social engineering. Instead of focusing on securing systems, Mr. Truskowski argues that we should design systems that are “resistant to human frailty.” He goes on to state that designing these systems (by reducing complexity) is difficult.

According to Mr. Truskowski, the 5 key factors of complexity, and the key to designing these systems, are:

  1. Threats
  2. Compliance
  3. Technology
  4. Economics
  5. Business Needs

Unlike security vendors, businesses have to stay focused on all of these factors or they will be unsuccessful. Vendors, according to Mr. Truskowski, focus on only one of these factors: threats. He argues that if an enterprise doesn’t focus on compliance, it is fined, and if a business doesn’t focus on business needs, the business can’t change.

“It’s like building the Titanic. The ship’s designers optimized around being able to withstand collisions at the sacrifice of maneuverability. There have been many theories over the years about why the Titanic sank, from brittle steel to sub-standard rivets. But, in reality, it is obvious why the Titanic sank. It couldn’t get out of the way of the iceberg. The Titanic’s designers focused on size, strength, resilience, and luxury but not on maneuverability.”

I think Mr. Truskowski’s talk was the hidden gem at RSA. It is an interesting idea for security vendors to begin focusing on things other than threats. Of course, if the idea gets legs, it will be 10-15 years before any change occurs. It is great to see people thinking holistically about security.

The video/webcast can be seen here: (5 Factors of Complexity starts at 19:49)

Buzzword: Managed Services

Posted by Brett Hardin on 18th May 2009

Reading time: 2 – 3 minutes

What is the word most likely to be heard at a non-technical security conference? If you said, “Managed Services,” “Managed Information technology services,” “Managed Solutions” or some variant of it, then you have been spending too much time at security conferences.

Managed Services is the idea that you take some piece of your company and have someone else do it. Companies typically take something that is expensive for them to do and outsource it. For instance, most large companies pay an accounting firm, such as a Big 4 firm, to do their taxes instead of having a dedicated tax department. This, of course, is an analog managed service, and one that is sometimes subject to compliance regulation. Another analog managed service would be a law firm.

The type of managed service this article is referring to is a digital one: the idea that you can pay someone else to run some piece of your overall solution, whether that is web hosting services or security services.

Although managed services is not a new idea, it is gaining snowballing momentum. There are, of course, companies who have built their entire model on Managed Services, such as Savvis and Akamai. More recently, larger companies are jumping on the bandwagon to also offer managed solutions. These companies include AT&T, BT, and an unlikely candidate, Amazon, with their S3 cloud/EC2.

So, if you want to make sure your company can play with the big boys, make sure you have a managed service solution.

Note: Totally off topic from the buzzword itself is the site www.managedsoultion.com. They cashed in on the buzzword and actually named the company after it. I am going to start making a note on each buzzword to see if any other companies have done the same. Great marketing!

What businesses actually want: lessons learned on the RSA floor

Posted by Brett Hardin on 12th May 2009

Reading time: 1 – 2 minutes

From a security perspective, companies want simple solutions. As I walked the RSA expo floor a few weeks ago, this became very apparent.

Vendors were pitching products that were, among other things, “in the cloud,” “self-maintained,” and “auto-updated.” It seems that companies are looking for simple solutions to complex problems. (Duh?)

As I walked around the exposition floor, I began to chuckle, realizing that there were more people in the Moscone Center than there are attackers in the world. More money gets pumped into security products than actually gets stolen. What an amazing idea.

Now, imagine I have a product that:

  1. Plugs into your network or computer.
  2. Requires no “maintenance”.
  3. Prevents your network/computer from being attacked.
  4. Alerts you after it has successfully prevented the attack.

This was essentially every product that was being offered at RSA.

My two cents: No product or grouping of products will prevent an attack. You can take some preventative measures; however, if an attacker wants to get you, they will.

Good Luck!