[ISN] Q&A: ISS exec on security threat prevention

InfoSec News isn at c4i.org
Mon Dec 6 04:27:22 EST 2004


http://www.computerworld.com/securitytopics/security/story/0,10801,98047,00.html

By Jaikumar Vijayan 
DECEMBER 03, 2004 
COMPUTERWORLD

Security architectures that are designed solely to react to threats
instead of preventing them in the first place are doomed to fail in a
world of fast-evolving and self-propagating threats, says Tom Noonan,
CEO of Atlanta-based Internet Security Systems Inc.

What do you see as some of the big trends in the security market?

This whole notion of reaction in terms of how our systems have been
built is running out of steam. Preemption is going to be a very, very
fundamental theme in the direction which security is taking. The
concept of preemption basically addresses the question of why not
avoid a threat or detect it and prevent it rather than react to it. If
you look at the traditional security model, all of our technologies
have been built as an ad hoc response to a new threat. Fifteen years
ago, the only threat was floppy-transported viruses, so the solution
was PC-based antivirus. When the threat became unauthorized access, we
built firewalls; when it was spam, we built antispam; when it became
spyware, we built antispyware tools; and when it is malicious content,
we built content security tools. This entire industry has been built
in an ad hoc, reactive manner. The technologies that lie underneath
are all signature-based, and you cannot have a signature until you
have an active threat. That was fine in a disconnected world.


When you mention "signature-based technologies," are you referring
specifically to antivirus tools?

I'm talking about a signature that uniquely identifies a threat by
name. Most intrusion-detection systems, most antivirus products, spam,
spyware and content-security systems effectively work this way.


So how does being preemptive help?

Today, time and again, you see the devastating and pervasive impact of
highly effective, self-propagating viruses and worms because the vast
majority of businesses are dependent on multiple layers of reactive
technology. Businesses are suffering daily from this reactive model.
They have added every layer of protection they can, and they are still
being compromised. The highly effective, self-propagating nature of
Internet threats today forces companies into a reactive posture, and
that is inefficient. The threat has scaled the control systems that
are in place.


When you talk about being more proactive, it's not only technology we
are talking about, right?

We are talking about technology and also about architecture. We are
already seeing a pretty dramatic shift in security architectures on
the Net. We are talking about management, which is very, very
different in a preemptive world. We are talking about a dramatically
different economic model in terms of the cost structure and clearly we
are talking about different processes internally.


What shift are you seeing in security architectures?

A move away from point products toward platforms. The disaggregated,
multiple layers are going away because the responsibility for making
all that stuff work together has been thrust upon the unknowing IT
department. The reality is that a whole bunch of acquired products
marketed under the same brand, or the same bunch of products marketed
under different brands, have never been built as a system or as a
platform for security -- only as independent point capabilities to
detect a threat.


You also mentioned a shift in security economics.

Since 2001, security budgets have been increasing on an average of 15%
to 20% a year. That is totally unsustainable. No aspect of your cost
structure can possibly sustain that kind of growth rate in a
competitive global economic environment. CEOs and CFOs are forcing
CIOs to be more efficient, not just with capital purchases but with
the cost of labor itself. The economic shift in moving toward a
platform is pretty significant. Platforms are built to be
enterprisewide, meaning they are built and integrated to operate as
one system from a vendor.


What kind of products or services are you delivering to help your
customers address these trends?

If you look at our company, most people recognize us as the inventor
of intrusion-detection systems and vulnerability-detection systems.
>From the start, the vision of this company was to build what we call
the universal protection agent. We believed that threats would evolve,
as would vulnerabilities, and they would continually change. Building
any system that was threat-specific was fundamentally wrong to the
long-term scale model. So this whole concept of preemption really
began years ago with our vision of building a highly scalable
enterprise system that could detect, analyze and prevent any kind of
threats against vulnerable pieces of the infrastructure. Instead of
focusing primarily on the threat, we are focusing on the
vulnerabilities. Because we understand that vulnerability, we can
protect against it.






More information about the ISN mailing list