Security Today == Shooting Arrows Through Sunroofs of Cars?

In this Dark Reading post, Peter Tippett, described as the inventor of what is now Norton Anti-virus, suggests that the bulk of InfoSec practices are "…outmoded or outdated concepts that don’t apply to today’s computing environments."

As I read through this piece, I found myself flip-flopping between violent agreement and incredulous eye-rolling from one paragraph to the next, caused somewhat by the overuse of hyperbole in some of his analogies.  This was disappointing, but overall, I enjoyed the piece.

Let’s take a look at Peter’s comments:

For example, today’s security industry focuses way too much time
on vulnerability research, testing, and patching, Tippett suggested.
"Only 3 percent of the vulnerabilities that are discovered are ever
exploited," he said. "Yet there is a huge amount of attention given to
vulnerability disclosure, patch management, and so forth."

I’d agree that the "industry" certainly focuses their efforts on these activities, but that’s exactly the mission of the "industry" that he helped create.  We, as consumers of security kit, have perpetuated a supply-driven demand security economy.

There’s a huge amount of attention paid to vulnerabilities, patching and prevention that doesn’t prevent because at this point, that’s all we’ve got.  Until we start focusing on the root cause rather than the symptoms, this is a cycle we won’t break.  See my post titled "Sacred Cows, Meatloaf, and Solving the Wrong Problems" for an example of what I mean.

Tippett compared vulnerability research with automobile safety
research. "If I sat up in a window of a building, I might find that I
could shoot an arrow through the sunroof of a Ford and kill the
driver," he said. "It isn’t very likely, but it’s possible.

"If I disclose that vulnerability, shouldn’t the automaker put in
some sort of arrow deflection device to patch the problem? And then
other researchers may find similar vulnerabilities in other makes and
models," Tippett continued. "And because it’s potentially fatal to the
driver, I rate it as ‘critical.’ There’s a lot of attention and effort
there, but it isn’t really helping auto safety very much."

What this really means, and what Peter never quite states, is that mitigating vulnerabilities in the absence of threat, impact or probability is a bad thing.  This is why I make such a fuss about managing risk instead of mitigating vulnerabilities.  If there were millions of malicious archers firing arrows through the sunroofs of unsuspecting Ford Escort drivers, then the ‘critical’ rating is relevant given the probability and impact of all those slings and arrows of thine enemies…

Tippett also suggested that many security pros waste time trying
to buy or invent defenses that are 100 percent secure. "If a product
can be cracked, it’s sometimes thrown out and considered useless," he
observed. "But automobile seatbelts only prevent fatalities about 50
percent of the time. Are they worthless? Security products don’t have
to be perfect to be helpful in your defense."

I like his analogy and the point he’s trying to underscore.  What I find in many cases is that the binary evaluation of security efficacy — in products and programs — still exists.  In the absence of measuring the effective impact that something has in affecting one’s risk posture, people revert to a non-gradient scale of 0% or 100% insecure or secure.  Is being "secure" really important, or is managing to a level of risk that is acceptable — with or without losses — the really relevant measure of success?

This concept also applies to security processes, Tippett said.
"There’s a notion out there that if I do certain processes flawlessly,
such as vulnerability patching or updating my antivirus software, that
my organization will be more secure. But studies have shown that there
isn’t necessarily a direct correlation between doing these processes
well and the frequency or infrequency of security incidents.

"You can’t always improve the security of something by doing it
better," Tippett said. "If we made seatbelts out of titanium instead of
nylon, they’d be a lot stronger. But there’s no evidence to suggest
that they’d really help improve passenger safety."

I would like to see these studies.  I think that companies who have rigorous, mature and transparent processes that they execute "flawlessly" may not be more "secure," (a measurement I’d love to see quantified) but are in a much better position to respond and recover when (not if) an event occurs.  Based upon the established corollary that we can’t be 100% "secure" in the first place, we then know we’re going to have incidents.

Being able to recover from them or continue to operate while under duress is more realistic and important in my view.  That’s the point of information survivability.

Security teams need to rethink the way they spend their time,
focusing on efforts that could potentially pay higher security
dividends, Tippett suggested. "For example, only 8 percent of companies
have enabled their routers to do ‘default deny’ on inbound traffic," he
said. "Even fewer do it on outbound traffic. That’s an example of a
simple effort that could pay high dividends if more companies took the
time to do it."

I agree.  Focusing on efforts that eliminate entire classes of problems based upon reducing risk is a more appropriate use of time, money and resources.

Security awareness programs also offer a high
rate of return, Tippett said. "Employee training sometimes gets a bad
rap because it doesn’t alter the behavior of every employee who takes
it," he said. "But if I can reduce the number of security incidents by
30 percent through a $10,000 security awareness program, doesn’t that
make more sense than spending $1 million on an antivirus upgrade that
only reduces incidents by 2 percent?"

Nod.  That was the point of the portfolio evaluation process I gave in my disruptive innovation presentation:

24. Provide Transparency in portfolio effectiveness

I didn’t invent this graph, but it’s one of my favorite ways of
visualizing my investment portfolio by measuring in three dimensions:
business impact, security impact and monetized investment.  All of
these definitions are subjective within your organization (as well as
how you might measure them.)

The Y-axis represents the "security impact" that the solution
provides.  The X-axis represents the "business impact" that the
solution provides while the size of the dot represents the capex/opex
investment made in the solution.

Each of the dots represents a specific solution in the portfolio.

If you have a solution that is a large dot toward the bottom-left of
the graph, one has to question the reason for continued investment
since it provides little in the way of perceived security and business
value with high cost.   On the flipside, if a solution is represented
by a small dot in the upper-right, the bang for the buck is high as is
the impact it has on the organization.

The goal would be to get as many of your investments in your
portfolio from the bottom-left to the top-right with the smallest dots.

This transparency and the process by which the portfolio is assessed
is delivered as an output of the strategic innovation framework which
is really comprised of part art and part science.
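As an added illustration (not code from the original post or the presentation), the scoring below encodes the three dimensions described above: security impact on the Y-axis, business impact on the X-axis, and investment as dot size, and flags the two cases the graph is meant to expose, a large dot in the bottom-left and a small dot in the upper-right. The impact scores and the portfolio entries are constructed; the two dollar figures reuse Tippett’s awareness-versus-antivirus comparison, and the subjective 0–10 scale and the median-spend cut-off for "large dot" are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass
class Solution:
    """One dot on the portfolio graph (all values constructed for illustration)."""
    name: str
    security_impact: int   # Y-axis, subjective 0-10 score (assumed scale)
    business_impact: int   # X-axis, subjective 0-10 score (assumed scale)
    investment: float      # dot size: capex/opex in dollars

# Constructed sample portfolio; the two dollar figures reuse Tippett's
# awareness-versus-antivirus comparison, the impact scores are made up.
SAMPLE_PORTFOLIO = [
    Solution("Security awareness program", 7, 6, 10_000),
    Solution("Antivirus upgrade", 2, 3, 1_000_000),
    Solution("Anti-spam gateway", 5, 8, 150_000),
    Solution("Default-deny router policy", 8, 4, 20_000),
]

def quadrant(s: Solution, midpoint: int = 5) -> str:
    """Locate the dot relative to the midpoint of both axes."""
    y = "top" if s.security_impact >= midpoint else "bottom"
    x = "right" if s.business_impact >= midpoint else "left"
    return f"{y}-{x}"

def value_per_dollar(s: Solution) -> float:
    """Combined impact delivered per $100k invested (the 'bang for the buck')."""
    return (s.security_impact + s.business_impact) * 100_000 / max(s.investment, 1.0)

def assess(portfolio: list[Solution], midpoint: int = 5) -> list[tuple]:
    """Rank the portfolio by value per dollar and flag the two cases the graph
    is meant to expose: large dot bottom-left, small dot top-right."""
    median_spend = sorted(s.investment for s in portfolio)[len(portfolio) // 2]
    report = []
    for s in sorted(portfolio, key=value_per_dollar, reverse=True):
        q = quadrant(s, midpoint)
        large_dot = s.investment >= median_spend   # "large" = at or above median spend
        if q == "bottom-left" and large_dot:
            verdict = "question continued investment"
        elif q == "top-right" and not large_dot:
            verdict = "high bang for the buck"
        else:
            verdict = "hold / review"
        report.append((s.name, q, round(value_per_dollar(s), 2), verdict))
    return report

if __name__ == "__main__":
    for name, q, vpd, verdict in assess(SAMPLE_PORTFOLIO):
        print(f"{name:28} {q:12} {vpd:8.2f}/$100k  {verdict}")
```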

All in all, a good read from someone who helped create the monster and is now calling it ugly…


  1. February 7th, 2008 at 18:09 | #1

    "I'd agree that the "industry" certainly focuses their efforts on these activities, but that's exactly the mission of the "industry" that he helped create. "
    how does inventing an anti-virus product make him responsible (in whole or in part) for the vulnerability-centric segment of the security industry that he's criticizing in the quote you selected?
    in fact, where does he criticize the segment of the security industry he had the most direct influence on?

  2. February 7th, 2008 at 18:41 | #2

    Let's see…he helps bring to market the technology behind one of the "solutions" in the industry that has become (in his words) "outmoded or outdated concepts that don't apply to today's computing environments" and then conveniently leaves it out of his description of the cesspool of "vulnerability-centric segment[s] of the industry."
    So here's my point: he *didn't* criticize the AV market, which has contributed just as much to this mess as the people writing vulnerable code have. He should have.
    Anyone who puts 1 and 1 together can clearly see why. Perhaps I should have been more literal.
    Kettle. Pot.
    Still an interesting read.

  3. February 8th, 2008 at 02:43 | #3

    Does AS stand for Application Security? Anti-Spyware? Something else?

  4. February 8th, 2008 at 05:18 | #4

    You mean the graph? It's Anti-spam. *** HOWEVER *** I forgot to mention that all those dots are arbitrary and random for the sake of illustration and exceptionally subjective when you use this concept in an enterprise.
    If you want to see a discussion regarding this very thing, take a look over here at Shrdlu's blog discussing just this very thing:
    Hope I didn't confuse you or get you riled up for nothing 😉

  5. February 8th, 2008 at 06:25 | #5

    "So here's my point: he *didn't* criticize the AV market, which has contributed just as much to this mess as the people writing vulnerable code have. He should have."
    the av industry isn't comparable to the vulnerability industry in this context… as you yourself stated (in bold):
    "mitigating vulnerabilities in the absence of threat, impact or probability is a bad thing"
    however, the anti-virus industry has always been dealing with real threats… they weren't making malware in the labs hoping to create it first before the bad guys magically created identical malware, the av industry was always dealing with things created by real, (arguably) intelligent attackers to act as their malicious surrogates…
    dealing with the machinations of actual attacks is not in the same league as vulnerability hunting when it comes to wasting resources…

  6. February 8th, 2008 at 07:07 | #6

    You're entitled to your opinion and your continued love affair with AV is noted. Whether you think my example is relevant or not within this context is, well, irrelevant (to me.)
    If we didn't have vulnerable code, we wouldn't have needed AV as the stop-gap crutch that it's become. Perhaps I just don't comprehend the definition of "relevant" but that's as good as this country boy can get.
    AV isn't exactly hitting it out of the park given today's threat vectors and attacks, so cherishing the days of yore when men were men and viri were simple is all we have left, I suppose…
    Frankly, arguing about the relevancy and efficacy of AV in today's climate is a boring debate.

  7. February 8th, 2008 at 07:11 | #7

    I hate car analogies for computing in general and this one is particularly egregious.
    "You can't always improve the security of something by doing it better," Tippett said. "If we made seatbelts out of titanium instead of nylon, they'd be a lot stronger. But there's no evidence to suggest that they'd really help improve passenger safety."
    Yes, you are right, a titanium seatbelt would probably not improve passenger safety. But stronger doesn't always mean better and there is a big difference between the two. Seat belts are in fact a great example of where better is not based on strength but on other metrics like coverage. What has improved passenger safety is things like mandatory shoulder belts for all passengers. Similarly, there's a reason that small children use five-point harnesses. If you're going to claim that better doesn't improve security, you could at least come up with a less lame example.

  8. February 8th, 2008 at 09:42 | #8

    "You're entitled to your opinion and your continued love affair with AV is noted."
    that's an interesting attempt at colouring the discussion…
    "If we didn't have vulnerable code, we wouldn't have needed AV"
    this is a fallacy that i have tried to combat for a long time… no vulnerable code is involved in boot sector viruses, no vulnerable code is involved in renaming to pammystits.exe, etc…
    "as the stop-gap crutch that it's become."
    this is an interesting qualification to add in light of your apparent agreement with peter tippett on the matter of binary evaluation of efficacy…
    "AV isn't exactly hitting it out of the park given today's threat vectors and attacks"
    this is a rather ambiguous statement… define "hitting it out of the park"…
    "so cherishing the days of yore when men were men and viri were simple is all we have left, I suppose…"
    cherishing the days when men were simple? i could, i suppose, say something to colour the discussion at this point but suffice to say viri is the plural of vir (man)…
    "Frankly, arguing about the relevancy and efficacy of AV in today's climate is a boring debate."
    then why bring it up (by way of casting aspersions on peter tippett's past contributions) in the first place?

  9. February 8th, 2008 at 10:02 | #9

    I think you should reconsider your career choice. Have you thought about becoming a lumberjack?
    You sure as hell miss the forest for the trees in between all that brush clearing you're doing.
    Thanks, but no thanks.
    I've made my points. Feel free to disagree. You won't break my heart.
    Better yet, please just read MCWResearch's blog entry on the subject:

  10. A lumberjack, leapin
    February 9th, 2008 at 17:59 | #10

    Hey, we don't want him!

  11. February 10th, 2008 at 10:06 | #11

    Kurt has decided that I'm not interested in "open debate" and followed-up with responses to LV's and MCW's posts as suggested.
    I sent him a comment suggesting why I don't feel particularly motivated to continue in a game of "you're wrong pong" in comments.
    I'm willing to discuss the pros and cons of any subject with anyone, and as you can see, I do so regarding Tippett's thoughts above. I just hit limits on how many times I can just be dismissed as being ignorant and wrong by someone.
    'nuff said.

  12. February 11th, 2008 at 05:56 | #12

    when i countered what i felt were factually incorrect assertions, i provided supporting arguments (ex. examples of malware that require no vulnerable code, connecting malware to actual attacks, etc.) – that was an attempt to persuade, not dismiss… i was only dismissive in response to your own displays of condescension…

  13. February 11th, 2008 at 06:29 | #13

    I don't subscribe to your interpretation of these events. I apologize if my comments were disrespectful, but your approach is abrasive. Not to say that mine isn't, but I simply itch every time I see a comment from you.
    I answered your first series of questions, which you followed on to suggest were "aspersions" against Peter Tippett. Why you feel the need to defend him, I won't understand.
    You continue to defend "anti-virus" as a relevant solution to today's problems. It is simply not, in my opinion.
    Further, you described on your own blog that anti-virus is "…an archaic term for anti-malware" and I agree. However, you attack my arguments against ANTI-VIRUS as though I said "ANTI-MALWARE" which I did not.
    Go back and re-read that post. Re-read why I am critical of Tippett's inclusion of many other "outdated" security solutions and not anti-virus. It's disingenuous and self-serving.
    Also, I wasn't dismissing your comments, but rather your approach. Again, what I said was "Frankly, arguing about the relevancy and efficacy of AV in today's climate is a boring debate." <– That's right, I said AV. Not Anti-malware.
    I just don't like your approach, Kurt. Plain and simple. I'm not going to apologize for that. I'm also not going to spend my time or waste electrons "debating" with someone that I don't feel is really interested in discussion.
    I decided to end it because it's a stalemate.
    You mentioned that the only reason you even commented wasn't to debate the issue but rather: "…had you not felt the need to get those minor digs in in the first place i likely wouldn't have commented… that was the only thing i was responding to…"
    I wasn't "getting digs in," Kurt. I was merely opining on my assessment of AV today. AV has contributed in the past, but it's largely irrelevant today, as is obvious given AV companies and their evolution.
    We're talking past each other here and it's an inefficient use of energy.
    Let's move on.

  14. February 11th, 2008 at 11:39 | #14

    I'm fashionably late to this, but I posted on my site about this article.
    Of course, I think you can improve security by doing something better. A security guard being better at scrutinizing IDs can improve security over the guard who just questions the people who look lost or like a hobo. (Did he not know Bob was fired yesterday over a tense argument, and is packing a gun this morning as he smiles his way past George the friendly guard?)
