Security companies peddling snake oil

snake oilThe CEO of a security company has accused his fellow competitors of peddling snake oil to clients and lifted the lid on how they are doing it.

Paul Vixie, CEO, Farsight Security said that as security breaches increasingly make headlines, thousands of Internet security companies are chasing tens of billions of dollars in potential revenue and are doing by telling porkies to clients..

“We are alarmed at the kind of subversive untruths that vendor “spin doctors” are using to draw well-intentioned customers to their doors. Constructive criticism is sometimes necessarily harsh, and some might find the following just that, harsh. But we think it’s important that organizations take a “buyers beware” approach to securing their business,” Vixie said.

The best trick uses is to communicate information graphically, especially using colour animation.

“Buyers, being human, are visual creatures, and they inevitably feel greater, although misplaced understanding when value propositions are presented in pictorial form. Because quarter-on-quarter and same-quarter-next-year revenue growth is the main indicator of commercial health, there’s an understandable tendency to show potential customers an “attack map,” he said,

“Attack maps show the world with attacks as some kind of missile, launched from a country of origin, landing on a victim,” Vixie said.

It sends a message that the customer is under attack from state-sponsored criminals, or just plain old “foreigners”, and your prospective vendor can track these attacks as easily as NORAD can track incoming ballistic missiles.

The marketing message is: If you buy from us, we will tell you where the attacks are coming from, so that you can defend yourself. Or, even better, if you buy from us, we can defend you in real-time, using our cool tool.

The only problem is that they can’t.

In the cloud most of the time vendors have absolutely no clue as to where an attack is really originating from. They cannot neatly distinguish benign user behaviour from attack behaviour. Vendors don’t have instant knowledge and visibility when an attack occurs, Vixie said.

“The latest statistics say it usually takes around 200 days to discover an espionage intrusion.”

To make matters worse. Most “attack maps” don’t show actual “attacks” They are populated by event data which is beautifully animated yet unfiltered, unverified, non-prioritized event data that while visually compelling is worthless from a security perspective.

“In the worse and more common case, [customers] will make decisions based on this garbage, either prioritizing resources or spending where they aren’t needed against where they are needed, or learning a false sense of security, or, just as likely, a false sense of insecurity,” Vixie said.

The only beneficiaries from the resulting wrong-think will be shareholders and employees of the garbage-spewing security vendor, and of course, the bad guys, who as it turns out will have even less to worry about as they go about their work attacking, Vixie said.