I have been writing articles about information security for public consumption for about 6 or 7 years now, and I have no idea if from an outside view I generate coherent viewpoints or am constantly contradicting myself. I know some mornings I wake up and want bacon and eggs, other mornings I want granola - but I always want a lot of coffee either way, so I am probably somewhere in the middle. In any case, I have been trying to think through comprehensive models for enterprise security technologies, and as I develop these ideas I want to throw them out to the public and see how they resonate. I don't have that comprehensive model today, just a few pieces.
Like most security practitioners, I am an advocate of a layered security model, or a defense in depth. This recognizes the fact that every security technology has its weak points and imperfections. By layering heterogeneous technologies, we reduce our statistical likelihood of a successful attack. A defense in depth also means that we should be able to defend against attacks, detect attacks that occur and even tolerate successful attacks. What the firewall misses, the content inspection system should catch; when a host is successfully compromised, the customer files are encrypted so the attack can be tolerated - there are a lot of examples to be made.
The question we really haven't answered as an industry is: which layers of security are the most effective at which part of an enterprise - network infrastructure, host systems, desktops, handhelds, etc.? We don't know the answer to this, so we have a kitchen sink approach. We try to apply everything: firewalls, anti-virus, intrusion detection, intrusion prevention, encryption, etc., at every layer. I believe that at some point we will look back at this as somewhat silly, but I think we are stuck with this for the time being because we don't understand what works, and what works the best is a moving target.
What I conclude out of this is that security is drastically I/O bound at this point and this might be the biggest technical weakness of a defense in depth. Chief Security Officers must take more risks than they would like to because security measures must be transparent to the enterprise and not impede performance. Security really hasn't seen much benefit from Moore's Law yet, and this is an area we need to focus on for the next few years. We need to offload a lot of the security we do today into the chips themselves.
There are a lot of security appliances out there, some of them quite good. But you look under the covers and many of these are PCs without monitors - they are trying to simplify management but are making only modest improvements in "speeds and feeds". Even the performance junkies in the security world are several steps behind the networking technologies.
The computer chips need to step up. There is an enormous amount of computation that could be applied to data streams to better analyze the purpose of the packets and identify security threats. As signature databases continue to grow for viruses, worms, vulnerabilities, etc., I fear we will need to choose to monitor less of our digital world and take on even more risk if we don't solve this problem. For example, if you look at the network layer of our enterprises, we started out with shared Ethernet hubs, then we added silicon with switching capabilities, then we added Quality of Service capabilities and so on. This was made possible by Moore's Law - more sophisticated, higher performing, low cost computer chips. It should be feasible that security chips implemented inline with networks can analyze millions of attack scenarios for a single packet and block or forward traffic without latency. I am not saying that this model will obviate the need for desktop security - desktops have the same problems with performance and will benefit from silicon innovations as well.
I am not an electrical engineer, I don't know who is going to solve this problem and I have purposely left out any company names. In the long run, will silicon-based solutions solve our security problems? I actually think that we cannot solve security in the long run, we can only move the bar around and provide brief respites from the innovative adversaries. But when we figure out how to unleash silicon for the purpose of information protection, I believe the scales will tilt towards the good guys for a while.
CSOinformer is edited by Jim Reavis, founder of SecurityPortal and longtime industry analyst. This monthly newsletter is targeted at people who must take a strategic, multi-year view of the information security industry, and we promise insights you will not find anywhere else.
CSOinformer is a service of Reavis Consulting Group, and is published on the second Tuesday of each month.