[BreachExchange] Why security vendors should put their money where their mouth is

Audrey McNeil audrey at riskbasedsecurity.com
Fri Nov 4 18:46:59 EDT 2016


http://www.scmagazineuk.com/why-security-vendors-should-put-their-money-where-their-mouth-is/article/567205/

While every year in recent memory has been labelled the "Year of the hack",
2016 is arguably becoming the "Year of Ransomware": all anyone has to do is
skim the headlines, glance at the alarming infection rates and review the
collective financial losses, which now run to hundreds of millions per
quarter. Microsoft, the BBC and hundreds, if not thousands, of other
individuals and organisations have been victims in the past 12 months. The
situation is serious and almost every expert in the field expects things to
get far worse.

Each new malware variant is more capable than its predecessor, no doubt
funded by previously paid ransoms serving as research and development
dollars, and uses increasingly clever techniques to fool traditional
antivirus solutions and network-based sandboxes. Ransomware is a full-blown
cyber-crime epidemic, with organisations desperate to deploy better
protection and anxious to find something that works in the fight to reduce
business disruption, data loss and financial risk. This isn't alarmist
rhetoric; it is happening every day, as the flood of incoming reports shows.


The unfortunate reality is that security vendors will undeservedly sing the
praises of their products, which may have worked decently against the
static threats of the past. Yet if, and when, the product fails, you, the
customer, are on your own. No guarantees. No warranties. No return
policies. Sold like a 'going out of business' sale. Customers have had
enough of these hollow marketing claims and, as a result, the security
industry is suffering from a credibility crisis. We all feel it. We have
for a while now. We just didn't know what to do about it.

What can we do about it?

Security guarantees, or guaranteeing security, are almost a taboo subject
in the security industry. It's our dark secret that even the vendors
themselves don't know whether their own products really work in the field,
or how well. Go ahead, ask a vendor for their product's field performance
data and see how they react. They won't want to talk about it, mostly
because they either don't have supporting data or the data they do have is
embarrassing. So instead they'll be quick to offer a 'staged' product demo
specifically designed to show well and gloss over any security gaps.

Security sceptics, apologists really, are quick to point out that nothing
is 100 percent secure. To be fair, they're technically correct, everything
can be hacked or bypassed, but they are also completely missing the point.
When you buy a new flat-screen TV, a new car, a new computer or anything
similar, none of the manufacturers will claim it won't break or break
down. Yet somehow they are able to guarantee their products or provide
warranties as standard industry practice. In fact, customers expect it. If
they, and every other major industry in the modern world, can do it, the
security industry can too. We just haven't tried yet, and it's way past
time that we did.

According to Wired, the global cyber-security market was valued at US$ 3.5
billion (£2.8 billion) in 2004; by 2015 it was US$ 78 billion (£63
billion), with projections estimating it to be worth US$ 120 billion (£97.5
billion) by 2017. Yet, despite this, I recently conducted a Twitter survey
asking whether respondents had discussed security guarantees with their
vendors and found 21 percent had, and that another 21 percent were planning
to. However, 33 percent of respondents were confused or found the idea
completely novel, suggesting that more education on the benefits of
security guarantees is needed. Altogether, the concept is catching on.
Vendors are beginning to listen to customers who want financial assurance,
customers who want their vendors to have skin in the game.

In other news, nearly a dozen security vendors have privately shared with
me that they are actively working to create security guarantees of their
own, and are partnering with cyber-insurers to safely cover the liability.
This is a fantastic match. Differentiation for security vendors is key, and
customer peace of mind is the name of the game. Whilst still in their
infancy, security guarantees are gaining industry acceptance, and this
industry is now on the edge of a major shift where security vendors could
one day be culturally expected to back up their claims. Imagine that!

What about cyber-insurance?

Back to ransomware: Most IT professionals are already well aware that the
traditional anti-malware products don't protect at all well against
targeted modern threats. As a point of market reference, because the
threats are this big, this real, the 328-year-old Lloyd's insurance market
has found itself moving away from more traditional threats such as fires
and terror attacks to focus on underwriting cyber-risks.

Ransomware now looms large in insurance policies and claims, with Graeme
Newman at CFC Underwriting noting that it is a major factor in 90 percent
of his clients' claims. Having worked through many 'terms-of-use' tomes
used by vendors to relinquish responsibility, Newman can understand why
organisations would consider paying ransom demands. And when victims do
pay, often because they've no choice if they want to get their business
back up and running, it only strengthens and emboldens the bad guys.

How can we be protected?

Cyber-attacks are smarter and stealthier than ever before when it comes to
evading detection. One recent example found malware which checked whether
it was being opened in an analysis sandbox or a virtual machine rather than
on a real endpoint and, if so, declined to execute, so the sample looked
benign and the machine looked clean. Put simply, this is malware with
built-in anti-analysis (sandbox-evasion) capability: it is not the same as
covering its tracks after infection, but it defeats the very tools meant to
catch it before infection. We've seen this before. We'll see it again.

Today's malware strains typically target the endpoint, and the evidence
shows that endpoints continue to be one of the 'weakest links' in security.
Far too many companies are relying on out-dated technology to keep them
safe, and it isn't.

Cyber-security requires valuable resources and capital to purchase and
deploy – shouldn't they alone be enough to protect against the threat of
ransomware attacks without having to spend extra on insurance? I obviously
think so. There is too much at stake and security vendors have gotten a
pass for too long. It's time for security vendors to put their money where
their mouth is. Do yourself and the entire industry a huge favour, start
asking them to do so. Get them thinking.