- Let’s try to avoid a security strategy that relies on a placebo effect.
- Assuming the worst is a good way to start the new year.
The Wall Street Journal ran an interesting article this week called “Why placebos work wonders.” It seems there is much more to the “placebo effect” than simply tricking someone into thinking they are getting a “real” drug. Research has shown that it doesn’t seem to matter whether patients know they are getting “real” treatment or a sugar pill; the body can benefit either way. I used to think about the placebo effect when I would take my very old dog in for acupuncture treatments. I assume that if they worked for him (and they did), then there must be more to acupuncture than just a placebo effect. Dogs need “real” treatments, while humans can benefit from both “real” and “fake” treatments. Some of the check-box security products that enterprises spend their money on seem like fake treatments. This might be okay if computers and networks were more like humans and less like dogs.
I have a friend in the alarm business, the kind you put in your home to go off if someone tries to break in. I asked him about installing one once and he said, “Let me just give you some of my company stickers. They are a great deterrent.” In other words, in the physical world, just the awareness (by criminals) of security protections is enough to deter crime. But do the burglars decide to go get real day jobs? Of course not; they just go look for houses without security systems. And so homes unprotected by security systems or dogs are the low-hanging fruit of the burglar class. Because the population of burglars is relatively small, their work is relatively time-intensive, and there is a cost if they are caught breaking into houses, the houses with security systems and dogs stay pretty well protected. If only computers and networks were more like houses and hackers were more like burglars.
Unfortunately, this is not the world we live in. We live in a world where IT security systems need to really work. There is no placebo benefit associated with IT security. There is also no benefit in hanging a sign that says “Protected by Vendor X.” No corporate network in the world is going to be left untested by hackers. (I don’t think I need to catalog the growth in malware, the sophistication of recent threats, or the prominence of state-sponsored and agenda-driven hackers with skills, resources and patience.) This is the world we live in. A couple of days ago Mikko Hypponen, the chief research officer at F-Secure, tweeted this to his 24,000 or so followers: “Q: How many of the Fortune 500 are compromised? A: 500”. At first blush, I thought it was the kind of statement that would start one of those endless Twitter wars, but as far as I can tell, no one (including me) argued the point. This is reality, and this is the hard truth that vendors need to deliver to customers. Not by screaming “APT” and pointing toward a back catalog of well-past-peak threat products, but by thinking more about the big picture of network and system visibility. Vendors need to get serious about risk management and data-centric protection schemes. And they need to address remediation. I think the market needs a do-over. Assume your customers’ networks and systems are already compromised. Now what? And one more thing: Happy New Year.