Prevx Blog
RSA 2009 Banks, Government Agencies, Ecommerce and Large Enterprises share concerns about their organization's state of cyber insecurity
Posted by: Mel Morris
Banks, Government Agencies, Ecommerce and Large Enterprises have a heightened state of concern about their organization's state of cyber insecurity
We all know that malware is on the rise, but this year customer attitudes at RSA 2009 were much more focused, enlightened and informed. In previous years it seemed that security breaches were few, or were 'someone else's issue'. This year the message is very clear: PC or end-point security is simply not good enough. 'Pain' is now evident and real, and many huge corporations consider the cost and inconvenience of changing security vendors a small price to pay for improved security. Several CIOs of large corporations and many CISOs were at their wits' end and under immense pressure from the CEO or executive board.
RSA 2009 Thoughts and Rants
This year I accompanied the Prevx 'A' team experts to the RSA 2009 show. The show is a spectacle in itself and a fantastic opportunity to network, chat with prospective customers, check out (and be checked out by) one's competitors and, of course, to party. Most of all, though, it is a pretty good measure of the security sector's pulse. Here are some of the observations and thoughts I had during discussions at the show.
Frustration is growing that, while the effectiveness of cyber security declined massively in 2008, the major security vendors felt no pain
I was told by senior staff of many major corporations and government agencies that they are fire-fighting cyber intrusions on a frequent basis, and frustration is building about the soaring revenues and profits of their protectors in the security sector.
In order for cyber security to radically improve - we need an unequivocal measure, maybe a cyber security score card could work?
Forget static, historical sample virus testing; it is highly misleading, often amounting to a pure signature test. Many products would catch these samples if they saw them dropped or executing on a live system. What is needed are real-world metrics based on real-world breached customer data. What if we had a register drawn from cyber attacks, indexed by the mix of security measures that were breached? By making these simple statistics available to businesses and government agencies, we would help all organizations understand the threats that might breach their own defenses. The weaknesses of any specific security product would also very quickly be evident, putting massive pressure on the security vendor to 'up their game'.
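To make the score card idea concrete, here is an added illustration of what such a breach register might look like and what can be read off it. This is example code written for this page, not Prevx's product or any real register; the breach records, the vendor labels (AV-A, AV-B) and the deployment counts are all constructed placeholders. The point it adds to the paragraph above is the denominator: raw breach counts per product mostly reflect market share, so a useful score card also needs how many organizations run each measure.

```python
"""Toy 'cyber security score card' register (constructed illustration).

Each breach record lists the malware family involved and the security
measures that were in place yet failed to stop it. Indexing the register
by the set of bypassed measures gives the per-product and per-combination
statistics the post argues for.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class BreachRecord:
    org_sector: str
    malware_family: str
    measures_bypassed: frozenset  # measures deployed that did not stop the intrusion


# Constructed sample data; AV-A / AV-B are placeholder labels, not real products.
SAMPLE_REGISTER = [
    BreachRecord("bank", "Zeus", frozenset({"AV-A", "patching", "firewall"})),
    BreachRecord("bank", "Zeus", frozenset({"AV-A", "patching"})),
    BreachRecord("government", "MBR rootkit", frozenset({"AV-B", "patching", "firewall"})),
    BreachRecord("ecommerce", "Zeus", frozenset({"AV-A", "firewall"})),
    BreachRecord("enterprise", "Cutwail", frozenset({"AV-B", "patching"})),
    BreachRecord("enterprise", "Zeus", frozenset({"AV-A", "patching", "firewall"})),
]

# Constructed deployment counts: how many organizations in the register's
# population run each measure. Without this denominator a product that is
# simply widely deployed looks worse than a niche one.
SAMPLE_DEPLOYMENTS = {"AV-A": 40, "AV-B": 30, "patching": 60, "firewall": 65}


def breaches_per_measure(register):
    """Number of recorded breaches that got past each deployed measure."""
    counts = Counter()
    for record in register:
        counts.update(record.measures_bypassed)
    return dict(counts)


def breaches_per_combination(register):
    """Index the register by the exact mix of measures bypassed."""
    counts = Counter(record.measures_bypassed for record in register)
    return {tuple(sorted(mix)): n for mix, n in counts.items()}


def family_breakdown(register, measure):
    """Which threat families got past a given measure (its blind spots)."""
    counts = Counter(
        record.malware_family
        for record in register
        if measure in record.measures_bypassed
    )
    return dict(counts)


def breach_rate_per_measure(register, deployments):
    """Breaches per deployment: the comparable figure, not the raw count."""
    counts = breaches_per_measure(register)
    return {m: counts.get(m, 0) / deployed for m, deployed in deployments.items()}


def weakest_measures(register, deployments, top=3):
    """Measures ranked by breach rate, highest first (ties broken by name)."""
    rates = breach_rate_per_measure(register, deployments)
    ranked = sorted(rates.items(), key=lambda kv: (-kv[1], kv[0]))
    return ranked[:top]


if __name__ == "__main__":
    print("per measure:", breaches_per_measure(SAMPLE_REGISTER))
    print("per mix:", breaches_per_combination(SAMPLE_REGISTER))
    print("past AV-A:", family_breakdown(SAMPLE_REGISTER, "AV-A"))
    print("weakest:", weakest_measures(SAMPLE_REGISTER, SAMPLE_DEPLOYMENTS))
```

In the constructed data the bypass count for patching is the highest, yet by breach rate the placeholder AV-A is the weakest measure, and `family_breakdown` shows that everything that got past it was Zeus. That is the kind of product-specific finding the paragraph says a public register would surface.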
We recently had to report a breach we had discovered in a mid-sized bank. Their CISO, quite reasonably, asked what else he could or should have done. After all, they had bought and applied products from a major security vendor, and their systems were properly patched and configured. Interestingly, the breach was by a Zeus Trojan. One of the most significant challenges in cyber security today is the poor efficacy of endpoint/PC security products. Unfortunately, the threats that endpoint/PC security products miss are the very things you really need to keep out: Zeus, MBR rootkits and the other serious threats.
Admittedly, no single vendor is able to provide total protection, but some products are appallingly bad. Our goal is to make our own products as secure as we possibly can while maintaining interoperability with 30 other mainstream security products, allowing customers to adopt a 'defense in depth' approach. When I mentioned this to a major financial institution at RSA 2009 they strongly countered that there was little point in retaining their current end-point protection (from one of the top vendors) because it was so bad. I pondered how one of the very largest security vendors could allow such a huge customer, with tens of thousands of end-points, to reach such depths of despair. One customer like this should alone be sufficient incentive for any vendor to take radical steps to improve its technology.
RSA 2009 Keynote speeches: marketing hype sounds impressive but products don't match the hype
The marketing messages at RSA 2009 were interesting. It was nice to hear the major vendors' keynote speakers focus on centralized intelligence, data correlation, end-points as sensors, and the use of cloud-based concepts for service delivery. Prevx has actually been doing this for three years now. But for the major vendors these phrases are little more than marketing hype; there is little in their product line-up to back them up.
At RSA 2009 we demonstrated that one of the top consumer security products, supposedly harnessing the concepts of centralized intelligence, totally failed to detect the CutWail rootkit while raising serious concerns about two tracking cookies. This is ridiculous, but it sums up one of the key issues. Publicly quoted cyber security companies are more accountable for revenue and profit growth than for detecting serious threats. And if detecting tracking cookies drives sales then, well, job done! They must think: why bother with serious rootkits when tracking cookies and other 'low hanging fruit' will get the customer to pony up the $? And unless someone else uncovers the rootkit the customer will be happy; what your AV doesn't detect won't worry you, well, not until it's too late. Another publicly quoted vendor's senior staff even said their company was quite content as long as it was in the top three for malware detection. Aim for third and you might not make the top ten!
Rootkits and low-incidence malware (the domain of serious threats like Zeus, Tigger and others) are the weak spot of today's end-point/PC security products, with detection levels below 25% for many products.
The future of cyber security is a world away from the AV download model
Prevx processes data relating to around 250,000 new unique executable objects every single day. This information is correlated and centrally processed in real time, taking account of billions of cyber threat events. It is a world away from the conventional AV model of centralized sample analysis followed by signature file downloads/updates; it is much more like online transaction processing (OLTP). Unlike the conventional AV model, our approach thrives on increasing malware volumes, because each new sighting is another data point to correlate rather than another signature to distribute.
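The contrast between the two models is easier to see in code. The following is an added illustration written for this page; it is not Prevx's implementation and the prevalence heuristic it uses (a freshly seen executable present on only a handful of machines is treated as suspicious) is a generic reputation-system idea assumed for the example, not a description of Prevx's actual logic. The sample hash, machine names and timestamps are constructed.

```python
"""Signature download vs. central real-time telemetry (constructed illustration).

SignatureList models the classic approach: a static set of known-bad hashes
that endpoints only learn about when the next update ships.
CentralIntelligence models the telemetry approach: every sighting on every
endpoint is an event recorded centrally, and a verdict query is answered
from the aggregated context at that instant.
"""
import hashlib
from collections import defaultdict

ONE_DAY = 24 * 60 * 60  # seconds


class SignatureList:
    """Static blocklist of SHA-256 hashes, refreshed only by a new download."""

    def __init__(self, known_bad):
        self.known_bad = set(known_bad)

    def verdict(self, sha256):
        return "bad" if sha256 in self.known_bad else "unknown"


class CentralIntelligence:
    """Central store keyed by executable hash, updated on every sighting."""

    def __init__(self, low_prevalence=3):
        self.sightings = defaultdict(set)  # sha256 -> machine ids that ran it
        self.first_seen = {}               # sha256 -> earliest sighting timestamp
        self.confirmed_bad = set()
        self.low_prevalence = low_prevalence  # assumed threshold for the heuristic

    def report(self, sha256, machine_id, ts):
        """Endpoint-as-sensor: record one sighting event in real time."""
        self.sightings[sha256].add(machine_id)
        self.first_seen[sha256] = min(ts, self.first_seen.get(sha256, ts))

    def mark_bad(self, sha256):
        """A central verdict is visible to every endpoint on its next query."""
        self.confirmed_bad.add(sha256)

    def verdict(self, sha256, now):
        if sha256 in self.confirmed_bad:
            return "bad"
        machines = len(self.sightings.get(sha256, ()))
        if machines == 0:
            return "unseen"
        age = now - self.first_seen[sha256]
        # Assumed heuristic: new and rare is exactly the low-incidence profile
        # that signature lists are slowest to cover.
        if machines <= self.low_prevalence and age < ONE_DAY:
            return "suspicious-low-prevalence"
        return "unknown"


def demo_scenario():
    """Constructed timeline: one executable surfaces on five machines in an hour."""
    h = hashlib.sha256(b"constructed sample bytes").hexdigest()
    sigs = SignatureList(known_bad=[])  # nothing has shipped for this sample yet
    central = CentralIntelligence()

    central.report(h, "pc-01", 1000)
    out = {
        "signature_first_sighting": sigs.verdict(h),
        "central_first_sighting": central.verdict(h, 1000),
    }
    for i in range(2, 6):
        central.report(h, f"pc-{i:02d}", 1000 + i * 60)
    out["central_after_spread"] = central.verdict(h, 2000)

    central.mark_bad(h)  # central verdict (analyst or automated) pushed once
    out["central_after_verdict"] = central.verdict(h, 2000)
    out["signature_after_verdict"] = sigs.verdict(h)  # still blind until a new list ships
    return out


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

The scenario shows the difference the post is pointing at: the central store has something to say about the executable from its very first sighting and carries a confirmed verdict to every endpoint the moment it is made, whereas the signature model stays at "unknown" for the whole timeline because nothing has been downloaded yet.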
The world needs cyber security heroes, not forecasts of worsening storms to come
There is no silver bullet, but surely the security industry can do better than a 'C' grade in cyber security technology. At RSA 2009, one US Department of Homeland Security employee rated current end-point security 5 out of 10, at best! So, let's all try harder. These are serious issues that will require profits to be sacrificed if they are to be adequately addressed.
RSA 2009 left me more concerned about cyber security products and vendors, than cyber security threats!

You're right, the situation in the IT security area is very bad now :) There won't be any opportunity to create some really strong protection system until all of the IT security product vendors gather together. I looked under the cover of your Prevx 3.0 and I don't really think that it's better than others' products. It's just a compilation of some widespread techniques to cover some specific threats. So all that you're talking about is just really bad advertisement. But well, it's a really good deal that you're watching for the current active threats and preventing them accurately.