Let's start by putting today's security issues in a historical context. How has the security industry evolved?

Security is a combination of protection, detection, and response. You need protection to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security, and manage the fallout.

In the 1990s, we focused mostly on protection. A lot of products were offered that would protect your computers and networks. By 2000, we realized that detection needed to be formalized as well, and we saw many new detection products and services. This decade is one of response. Over the past few years, we've started seeing products and services focused on IR [incident response].

Security teams are incorporating these products and services into their security portfolios because of three trends. The first is cloud computing. More of our data is held in the cloud by other companies, and more of our networks are outsourced. This makes response more complicated, because we might not have visibility into parts of our critical network infrastructures. The second trend is that attacks are getting more sophisticated. The rise of APT [advanced persistent threat], targeted attacks for reasons other than simple financial theft, brings with it a new sort of attacker, which requires a new threat model. And the third factor driving the adoption of IR solutions is that companies continue to underinvest in protection and detection, both of which are imperfect even under the best of circumstances. Incident response picks up the slack.

Has the introduction of incident response solutions changed the nature of the market for security products and services?

Security is a mix of people, process, and technology. What has changed over the years are the ratios. Protection systems are almost all about technology, with some assistance from people and process. Detection requires more-or-less equal proportions of people, process, and technology. Response is mostly done by people, with critical assistance from process and technology.

This is new for the security industry. For most of its life, the security industry has been plagued by the fact that it's difficult for buyers to tell the difference between good and bad products. Price is the driver because there's no good way to test for quality. But because IR is people-focused in ways protection and detection are not, better products will do better because buyers will quickly be able to determine that they're better.

There are new solutions in the current stage of the life of the security industry, but there are also new types of security threats.

You can characterize attackers along two axes: skill and focus. Most attacks are low-skill and low-focus: people using common hacking tools against thousands of networks worldwide. These low-end attacks include