A secure future?

By Stuart Finlayson

In the last issue of IDM, Symantec Australia's managing director John Donovan discussed the current state of affairs in the IT security industry. In the second and concluding part of the interview, Stuart Finlayson hears Donovan's thoughts on how the security market will look in the future, what will shape it, and how enterprises will cope with ever more sophisticated and determined virus attacks.

In the first part of our discussion, the subject of Microsoft, and more pertinently, the software giant's increasing presence in the security applications market, dominated a fair proportion of the discourse. Before moving onto what the security industry can expect to have to defend its customers from in the future, Donovan elaborates a little further on why he feels Microsoft will have an uphill struggle convincing customers to entrust them to safeguard what is predominantly their own applications.

"Symantec owns a company called Security Focus, which discovers and alerts vulnerabilities in software applications and operating systems. Through its security research operations, Security Focus detects about seven vulnerabilities a day in a range of applications, which amounts to around 2500 a year.

"We do that without fear or favour; the question is will Microsoft be equally as vigilant in advising people of vulnerabilities in their own applications if they are doing the research or will they try and keep a lid on it until they have actually got a fix available and they are comfortable with what their anti-virus stuff actually discovers. It's just not a good idea. It's like an auditor also being responsible for providing you with advice on investments."

Whether Donovan considers it to be a good idea or not, Microsoft is certainly talking a good game. But the Symantec Australia chief questions the substance behind the fanfare. "When they realise they are significantly behind the rest of the market, Microsoft tends to make big announcements that try and halt what the market is doing. They've done this in personal finance, web browsing, applications management and most areas. In this case it's an announcement about a product they may have out sometime soon."

In terms of its wider security strategy, maybe so, but Microsoft has already signalled its intent to some degree with the introduction of its freely available anti-spyware application. Or has it?

"Giant already had a product on the market [when acquired by Microsoft] so it was quite easy for [Microsoft] to push out a freeware version of their anti-spyware package. They have said that sometime this year or next year they will have their own version of an anti-virus package, but we have spent 25 years building up back-end infrastructures to support the needs of customers to get immediate access to definitions and patches to contain viruses. My biggest concern is that a large number of people will trust the 1.0 version of Microsoft's anti-virus product when it does come about because it just spells danger to me," says Donovan.

Ah yes, the customers. If, as Donovan suggests, Microsoft's attempts to beef up its presence in the security market are such an ill-conceived notion, won't the customers ultimately rule with their pockets?

"Microsoft, like any other company in that space, ourselves included, tends to respond to their customer demands, which tend to really shape and drive a company. But I think their foray into providing anti-virus solutions and spyware solutions is not really what their customers are asking from them. I don't think customers have any problem with the quality and value proposition that's given to them by companies such as Symantec. I think it's a case of Microsoft being seen to be doing something a little more concrete but I suspect if they do not have a good experience with their anti-virus product, and there is certainly a danger of that, then there would be no point in them getting further involved in the security applications market."

A matter of trust

Ultimately, says Donovan, security is built around trust. "There is a high degree of customer loyalty built into our relationship with our customer base, which is in excess of 180 million users globally. That represents an extraordinary amount of responsibility from our side to be able to provide security solutions for these people, especially when global attacks such as Bugbear and Blaster are happening. The minute you fail to respond to those attacks in a reasonable timeframe is the minute you lose the loyalty of those customers and they go somewhere else. I think it's a challenge for Microsoft and I think they have severely underestimated the amount of focus and skill that is required to be successful in that market."

But it's not just Microsoft that has had to repair the damage done to its reputation through the exposure of its applications to vulnerabilities. Symantec also recently had to make reparations to its own applications after potentially serious vulnerabilities were found, a less than ideal situation when making security software is your bread and butter.

"It's never good, but I think what is meaningful is how quickly you come out with an announcement and how quickly you come out with a fix. I think the minute you try and bury stuff like that is when you lose credibility.

"When we acquired Security Focus, which came with alerting services, there was a lot of bulletin board action from their users saying that it was going to lose its independence as Symantec would block anything that was critical of its own applications and therefore there would be no value in it anymore, but I think we have proven since we acquired them that whatever we dig up and whatever research is supplied to us, we will get it out there as quickly as possible, whether it concerns one of our own products or a third party product."

Information integrity

Finding a balance between accessibility and security, a process Donovan dubs 'information integrity', is vital in ensuring the smooth and effective running of an enterprise IT system.

"We can do all the monitoring and management of an enterprise's security system and advise them on what needs to be done, but we do not just do that for our own products; our security operations centre will quite happily do it for a Check Point firewall or a Network Associates anti-virus system. It doesn't matter whose products are there. We can manage all of the data and correlate it and turn it into something meaningful so [customers] can get a return on their investment."

While there are other companies that run security operation centres, Donovan maintains that Symantec has a vital advantage in this area.

"It's very costly because you need to have people there managing the data. The edge that we have, through acquisitions, is this correlation and normalisation software, which means that one person monitoring one console, which in turn taps into multiple customer systems, can in fact tap into a substantially larger number of customer systems than any one operator in any other company can do. So we need fewer operators to manage more customers, and because it is such a headcount heavy side of the business, we can run it significantly more efficiently than other companies.

"It is a very cost effective, profitable and really important part of our business because there are plenty of companies out there offering solutions for security, but there are very few companies that can offer the breadth of products, not only in security, but in enterprise administration, and can also do the architectural development, security analysis, implementation and ongoing management."

Zero day on the horizon

Of most concern to companies like Symantec at present is what is known as a flash threat, or zero day attack.

"What happens at the moment is that there is a timeframe between the discovery of a vulnerability in, for example, an operating system or a browser, and the exploitation of that vulnerability. That gap is called the threat window. The threat window used to be around 120 days (Code Red, Nimda), but it has now got shorter and shorter and is now only around five or six days between someone discovering a vulnerability and someone exploiting it.

The concept of a zero day attack is where the person that discovers the vulnerability is also the person that decides to create the exploit (malicious code) for that vulnerability. We haven't seen any major cases at this stage, but it stands to reason that sometime in the near future there will be a hacker that discovers a major vulnerability, creates an exploit for it and then rolls it out globally, which means there would be no time to deploy a patch because it has already been exploited.

So the traditional methods of responding to security threats, which are around getting a patch deployed, getting a definition updated and so on, become obsolete, so then you need to look at things such as systems resilience, which we are working on now. This means that if you have been attacked before you were able to deploy a patch, you can go back to a previously known good state through your back-ups by resetting the entire network back to that time," reveals Donovan.

An important component in the war against more sophisticated and rapidly-spreading attacks is the availability of good intelligence and the ability to issue early threat alerts. "We can advise people when we see something happening before it becomes something big," claims Donovan. "We can advise on suspicious activity based on a set of criteria as to whether it might be a threat to them.

This happened with SQL Slammer when we were able to spot suspicious activity occurring, things happening on various ports and traffic ramping up, and we advised them to shut down suspect ports immediately. About three or four hours later we saw the first wave of Slammer hit, but because our customers had already shut down the service, the impact was greatly reduced. So early warning systems are the way to deal with that, but this shrinking of the threat window means that traditional response capabilities are no longer appropriate; you need to look at much more proactive ways of dealing with the threats."

Another menace to IT security that is already gaining traction and is likely to get a whole lot bigger before it is nullified is the phenomenon of botnets: compromised systems that create a launch pad for malicious code deployments, keystroke loggers and other monitoring applications.

But, as Donovan stresses, the human element of IT security is equally important, if not more so, in dealing with new threats. "One of the biggest challenges that we face is education. The technology can only go so far, but to get it to go further you need to educate users on how to use the technology and how to use their applications.

"Another one of the biggest challenges we have with a standard virus attack, particularly an email-borne virus attack, is 'do not open an attachment connected to an email unless you know the purpose of that attachment, regardless of who it's come from.' Now, if everybody followed that, there would be significantly fewer problems with viruses in the world today."
