When Your Vendor Is Your Problem

It was identified as using rootkits after the Sony fiasco made us all aware of rootkits' insecurity;

Last week, its Anti-Virus offering was identified as being a security exposure in and of itself. (See Symantec Vulnerability Revealed.)

This all has to be tough because Symantec is the big fish in this pond and is surrounded by traditional competitors like McAfee, and strong emerging competitors like Sana Security, Panda, and Kaspersky Lab. I've been particularly impressed with these emerging products and recently switched from Symantec to Kaspersky. And with all the recent headlines, I have to believe others are making the same kind of painful decisions.

Three interesting dynamics come into play here, none of which have anything to do specifically with Symantec. The first is when you have dominant vendors, like Symantec or Microsoft, it is likely people will look hard at finding ways to bypass the security of their products, both overtly and covertly. The second is news like this often forces us to change our priorities, yet we probably don't realize we are doing it and may make judgment mistakes as a result. And the third is whether all aspects of security for an operating system should primarily reside with the OS provider or a third party.

The downside of dominance

Certainly we have seen this with Microsoft and the ongoing argument surrounding diversity in platforms. The pro argument focuses on the advantages of diversity, which comes down to making comprehensive attacks difficult but avoids the very real exposure of the increased likelihood of successful, targeted attacks. On the mono-culture side, the reverse is true: Targeted attacks will likely be more successful, but the massive malware attacks will have limited impact.

The problem for both Microsoft and Symantec is the big wave attacks will not only target their platforms first, but by their market position they will also receive a higher level of press coverage. Targeted attacks are seldom reported, though reporting rules suggest this may change, and this keeps people focused on the global problems and not on where their data may actually be more exposed.

As always, in choosing a vendor you will have to weigh in a number of positive and negative factors. A dominant vendor has to have a compelling number of advantages, otherwise it wouldn't be dominant. However, you should also consider its products will have a higher probability of being attacked and there will be more who will know how to make use of a given exploit.

Changing priorities

With news like Symantec's recent problem, it's easy to change priorities to address what appears to be a suddenly high, unplanned exposure. However the "squeaky wheel" method of security management, shifting resources from one high profile exposure to another, is seldom successful because you leave yourself increasingly exposed to threats that may be more likely to hit you than the exposure of the hour. This doesn't mean you ignore the threats either, but having a threat matrix where you know both what your exposures are and how critical they may be remains an important way to allocate resources. While you may, and probably will, need to shift resources from time to time you always need to understand the opportunity cost of that shift.

For instance, if you were to shift resources to replace Symantec's offering to address this new threat, those funds and human resources would likely be taken from something else where they might be more smartly deployed. But if you don't know what that opportunity cost is, you won't know you are making a bad decision. And while you may never be caught, the end result will be a less, rather than more, secure firm.

The end goal is to always improve the security of the enterprise. That means every shift of resources should not only be analyzed based on what you are doing but what you won't be able to do as a result of that shift. Only by looking at both sides can you get the information you need to make the smartest decision possible.

Separate OS & security?

With Windows Vista, Microsoft is moving into the OS security business. The advantages of having the platform vendor own all aspects of basic security are self evident and largely have to do with ownership of the problem. This should lead to greater efficiency, as some threats are better dealt with in code and some better dealt with in utility, like a virus checker.

Recall that the buffer overrun class of attack was best handled by modifying both the OS and the processor. In contrast, a virus product would have to be constantly altered to identify and remove the malware. This is the difference between a medicinal cure and making a patient immune to the disease in the first place. One is reactive; the other is proactive, which is generally the best approach.

We've known for some time that heuristic anti-virus products provide a much better solution to viruses than those that use scripts for the same reason: they basically immunize the OS. But because heuristic products don't change, it's easy to imagine them embedded in a given operating system and updated through a patch process along with OS. Script products need constant updates and fall outside of a patch process, so their inclusion in an OS isn't as obvious a development path.

One thing is clear to me, however. The marketing of many of the traditional script-based products relies too heavily on the disclosure of exploits in the OS for me to feel comfortable about the process. To sell their products, this class of company must create a threat in the mind of the buyer, and this is too often done by the public disclosure of unpatched exploits. These disclosures then trigger the creation of viruses in what is a self-fulfilling prophesy of attack, where the very people who are paying for security are the ones hit by the virus because they couldn't update their software fast enough.

I don't like the clear conflict of interest which currently exists in this market, and by putting the responsibility clearly with the product owner this conflict is largely addressed. This doesn't mean that all conflicts are resolved, because the traditional one of quality versus cost and time to market remains a problem with every offering. It simply makes sense that security, for every product, increasingly be the responsibility of the providing vendor and that they be held accountable for it.

— Rob Enderle is President and Founder of Enderle Group . Special to Dark Reading

Organizations mentioned in this article:

Kaspersky Lab

McAfee Inc. (NYSE: MFE)

Microsoft Corp. (Nasdaq: MSFT)

Panda Software

Sana Security Inc.

Symantec Corp. (Nasdaq: SYMC)