Staying Ahead of the Curve with Information Security

By Ken Phelan
On June 13, 2016

Over time, the value we get from a piece of software generally increases. The software matures. There are more features and, hopefully, fewer bugs. More importantly, we simply use it better. It’s fully deployed. We’ve figured out where and why to use it in our organization. Once we’ve been in production for a couple of years, it’s like any other relationship. We may look wistfully at some green grass on the other side of the fence every now and then, but we’re happy with the devil we know.

Not so for security software. We often buy a point product that addresses a specific threat that we’re concerned about. After a few months of shopping we find exactly the thing we’re looking for. We test it and it’s perfect. It absolutely lowers our exposure against the threat. We deploy it and other than some bugs and deployment challenges, it’s great. But then something happens. Unlike other forms of software, security software doesn’t get better with age. It’s not wine, it’s vinegar.

The software hasn’t changed; the world around it has. Hackers are in the business of finding a way around your defenses. Put up a fence, they dig under it. Dig a moat, they build a raft. It’s a cat-and-mouse game.

I’ve had customers ask me, “Can you do me a favor? This great thing you just sold me, can you stop selling it? Once everyone has it, it’ll be useless.”

The issue is very clear with signature-based security today. Once there’s a signature, the hackers obfuscate the attack and move on, which means yet another signature has to be written. Signature-based defenses find themselves crushed between two market forces. One, there are so many new attacks that maintaining signature databases becomes a more expensive process with each passing day. Two, signatures are less and less useful as hackers simply produce new variants that no existing signature matches. Net, these products are charging more to deliver less.

This is all well and good as observations go, but what do we do about it? Unfortunately, from a tactical perspective, not much. When you find yourself in a war of escalation with an adversary, it’s challenging. They bring a knife. You bring a knife. They show up with a gun, you get a gun. Bazookas today? All righty then, bazookas it is. Certainly not the best long-term strategy, but there’s no sense bringing a knife to a bazooka fight.

On many levels, we’re best served staying agile, and bringing the best defenses to bear as fast as we can. Let’s get our bazookas ready before the bad guys show up with them.

Knowing that it’s a war of escalation can help us make better strategic decisions though. As we evaluate each new defense, it pays to consider the potential longevity of the tool. Some tools, like patch management, provide good long-term value. They solve a fundamental problem that won’t go away soon. Other tools are purpose built to stop a specific attack. These will likely be less useful over time.

Let’s compare three strategies:

1. Aggressive - Buy cutting edge tools as soon as they are available.

Well covered against new attacks, but it’s expensive, both in dollars and the operational costs of deploying new technologies constantly.

2. Conservative - Focus on fundamentals like patch management but stay away from cutting edge products.

Inexpensive, but vulnerable to new attack vectors.

3. Slow Follower - Wait until new technologies are out for a year or two and prove themselves.

This is mostly downside to me. You’re still buying the same tools, so you’re spending the same amount in the end as the aggressive strategy. You’re just buying them later in their lifecycle, so they’re inherently less useful. And you’re exposed to the attack vector during your lag period, which is probably during the height of its popularity with hackers.

Obviously, no company’s strategy can be summed up in one word. My recommendation is to start with fundamentals and always look first to solutions that will still be useful in years to come. Make decisions on cutting edge products sparingly but be prepared to do it early to get the best value.

Ken Phelan

Ken is one of Gotham’s founders and its Chief Technology Officer, responsible for all internal and external technology and consulting operations for the firm. A recognized authority on technology and operations, Ken has been widely quoted in the technical press, and is a frequent presenter at various technology conferences. Ken is the Chairman of the Wall Street Thin Client Advisory Council.