Antivirus software and intrusion prevention solutions, yesterday's hype today.

Media hype is like old soldiers - it never dies - it just fades away. Network security vendors, though, are still reminiscing about wars from 5 years ago and hoping that customers will continue to buy their faded-out war stories.

You've all probably noticed that the media hype from vendors like McAfee is still about anti-virus and outside-in attacks (the title of their home page reads "Antivirus software and intrusion prevention solutions"). McAfee is now trying to pawn off threat analysis as a revolutionary new methodology for security risk management.

I wonder how many people really trust McAfee to do a threat analysis and recommend a competing product or better yet, recommend a series of changes in manual procedures - like strict qualification of small vendors and business partners.

Our research suggests that inside-out threats are a much larger financial risk to organisations than network security threats.

According to the 2006 Australian CERT report, the average loss related to viruses, worms and trojans in 2005 was just under AU$30,000 per organisation in Australia. In comparison, and from the same report, the largest average financial losses reported from extrusion of data were as follows:


  • Theft or breach of proprietary or confidential information (over AU$2 million on average);
  • Computer facilitated financial fraud (over AU$100,000 on average);
  • Telecommunications fraud (over AU$60,000 on average);
  • Theft of laptop, handheld device or other hardware (over AU$45,000 on average).

The common denominator to ALL of these attacks is that they are almost all inside-out threats - whether it was collusion between an employee and a criminal or whether it was fraud committed by a contractor - and such figures indicate the financial risks that all organisations face by failing to protect their information assets.

Most organisations are still slogging through the vendor hype instead of making the effort to reveal the real costs and risks that result from inadequate business processes, insecure software or shoddy deployments.

One of the best and most practical ways to improve internal ability to do threat analysis is to define and track metrics such as employee attrition, file transfer traffic and delivery performance on software development projects. More employees leaving may indicate vulnerabilities; spikes in FTP traffic in mid-month are a suspicious event; and late software is always buggy software, and buggy software is insecure software.
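One way to track the file transfer metric described above, as an added example that is not part of the original post. It assumes the FTP server writes xferlog-format records; the function names, the threshold factor `k` and the sample records are constructed for illustration.

```python
import statistics
from collections import defaultdict
from datetime import date, datetime

TS = "%a %b %d %H:%M:%S %Y"  # xferlog timestamp, first five fields
MB = 1_000_000

def daily_outbound_bytes(lines):
    """Sum bytes of completed outgoing transfers per calendar day."""
    totals = defaultdict(int)
    for line in lines:
        f = line.split()
        if len(f) < 18:
            continue  # truncated or malformed record
        # f[7] = bytes, f[11] = direction (o/i/d), f[17] = completion status (c/i)
        if f[11] != "o" or f[17] != "c":
            continue
        try:
            day = datetime.strptime(" ".join(f[:5]), TS).date()
            totals[day] += int(f[7])
        except ValueError:
            continue  # unparsable timestamp or byte count
    return dict(totals)

def flag_spikes(totals, k=5.0):
    """Return days whose volume exceeds median + k * scaled MAD."""
    if not totals:
        return []
    values = list(totals.values())
    med = statistics.median(values)
    mad = statistics.median([abs(v - med) for v in values])
    threshold = med + k * 1.4826 * max(mad, 1)
    return sorted(d for d, v in totals.items() if v > threshold)

def rec(day, size, direction="o", status="c", user="staff"):
    """Build one constructed xferlog record for January 2007."""
    ts = datetime(2007, 1, day, 10, 0, 0).strftime(TS)
    return f"{ts} 12 10.0.0.9 {size} /export/f{day}.zip b _ {direction} r {user} ftp 0 * {status}"

# Constructed sample: routine daily traffic plus one large mid-month transfer.
SAMPLE = [rec(d, (20 + d % 5) * MB) for d in range(1, 32) for _ in range(2)]
SAMPLE.append(rec(15, 900 * MB, user="contractor1"))  # outgoing spike
SAMPLE.append(rec(20, 900 * MB, direction="i"))       # incoming: ignored
SAMPLE.append(rec(22, 900 * MB, status="i"))          # incomplete: ignored

if __name__ == "__main__":
    for day in flag_spikes(daily_outbound_bytes(SAMPLE)):
        print("review outbound FTP volume on", day)
```

The median and MAD baseline keeps a single large day from raising its own threshold, which a mean and standard deviation would do.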

Skip the external hype.

Start with some practical threat analysis inside your company - you can download a free threat analysis tool now and start improving your understanding of the operational risk of information today.

I strongly recommend doing this BEFORE you consider extrusion prevention technology from companies like Fidelis Security, Vontu or Reconnex - you will find that instead of overspending and underprotecting (which is what will definitely happen if you buy a proxy-based extrusion prevention product from WebSense) you will focus the vendor on your top risk threats - not their "best practice" templates.

About

This page contains a single entry from the blog posted on January 7, 2007 10:41 AM.

This weblog is licensed under a Creative Commons License.