Security Vendors: mostly awful.
I hate to admit it, but they are.
Security technology is still stuck somewhere around 1997 – stateful packet inspection firewalls and frottabytes of logs that no one can get meaningful data out of.
OK, there are some steps in the right direction. Palo Alto Networks have a firewall that almost understands the concept of a user. Cisco have tried to implement network admission control but haven’t really made it work yet. Actiance (formerly FaceTime) actually understand the concept of a web application and that not all port 80/443 traffic is equal. SIEM platforms are fantastic at opening the firehose of log data, but I’ve not seen one that actually has enough intelligence to tell you when you have a problem. The same goes for DLP and web application firewalls. Nothing newer, easier to use and less intrusive has come along to identify a user since the password or OTP token.
And we, as security professionals, are expected to maintain this ever-growing “tower of Babel” of different technologies whilst somehow finding time to be security consultants to a business that just wants to not think about security (however important the CEO says it is).
We don’t help ourselves, either. The rest of the IT industry is charging towards de-perimeterized networks, cloud computing and consumerization, and we’re busily wittering on about the latest security standard du jour rather than actually developing new technologies to protect the businesses we claim to serve. I’ve read exactly two security standards in fifteen years that actually offer any real value: PCI DSS and the new ISSA SME security standard (and that’s guilty of being the only security standard that’s too short!)
We need a serious shake-up. We need ways to automatically provision tiered network access based on host assessment policies. We need something that combines best-of-breed WAF, DLP and application filtering intelligence with powerful, user-aware firewall policies into a log analysis platform that can give me alerts like “Fred Smith attempted to download a list of 1,245 credit cards to his non-company iPad at 14:32, and here’s the ZIP archive of all the evidence”. Not “PCI policy violation for client 10.2.3.4” somewhere in a gazillion other messages.
I want the system to tell me “hey, this new server on the network has a SQL database full of credit card numbers. Do you want to move it to the PCI zone and encrypt the PANs in the database (Yes/No)?”
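The two complaints above (an alert that names an IP instead of a person and a device, and a platform that cannot tell you where the card numbers actually are) come down to the same missing glue: identity and asset context joined to the event, plus a real PAN check rather than a regex that fires on any long number. The script below is an added example and not code from the post or from any vendor; the event, the IP-to-user and IP-to-asset tables, the Luhn test card numbers and the "non-company" wording are all constructed for illustration, and real deployments would pull the lookups from a NAC, directory or CMDB.

```python
"""Turn a bare 'PCI policy violation for client 10.2.3.4' event into an
analyst-readable alert by joining identity and asset context and counting
Luhn-valid PANs in the captured payload. Added example; all data is constructed."""
import re

# Constructed context an analyst would otherwise look up by hand.
IDENTITY_BY_IP = {"10.2.3.4": "Fred Smith"}                     # e.g. from NAC/auth logs
ASSET_BY_IP = {"10.2.3.4": {"device": "iPad", "managed": False}}  # e.g. from MDM/CMDB

# Constructed DLP payload: three Luhn-valid public test PANs (one repeated with
# separators), one Luhn-invalid 16-digit number and a 20-digit serial that must
# not be treated as a card number.
SAMPLE_PAYLOAD = (
    "4111111111111111,5500 0000 0000 0004,378282246310005\n"
    "4111-1111-1111-1111,4111111111111112,12345678901234567890\n"
)

# The kind of raw event the post complains about, with the payload attached.
RAW_EVENT = {"time": "14:32", "src_ip": "10.2.3.4",
             "rule": "PCI policy violation", "payload": SAMPLE_PAYLOAD}

# 13 to 19 digits, optional single space/hyphen separators, bounded by word edges
# so a longer run of digits is not matched piecemeal.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracts 9 from
    any result over 9, and requires the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Distinct Luhn-valid PANs in text, digits only, in order of first appearance."""
    found: list[str] = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found


def enrich(event: dict) -> dict:
    """Join identity and asset context to the event and count PANs in its payload."""
    ip = event["src_ip"]
    asset = ASSET_BY_IP.get(ip, {"device": "unknown device", "managed": False})
    return {
        "time": event["time"],
        "rule": event["rule"],
        "user": IDENTITY_BY_IP.get(ip, f"unknown user ({ip})"),
        "device": asset["device"],
        "managed": asset["managed"],
        "pans": find_pans(event["payload"]),
    }


def render(enriched: dict) -> str:
    """Produce the one-line alert an analyst can act on without further lookups."""
    ownership = "company" if enriched["managed"] else "non-company"
    return (f"{enriched['user']} attempted to download a list of "
            f"{len(enriched['pans'])} credit cards to a {ownership} "
            f"{enriched['device']} at {enriched['time']} ({enriched['rule']}).")


if __name__ == "__main__":
    print(render(enrich(RAW_EVENT)))
```

The same `find_pans` routine, pointed at a sampled table dump instead of a captured download, is the core of the "this new server has a database full of card numbers" discovery the post asks for; the Luhn filter is what keeps it from flagging every invoice or serial number as cardholder data.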
And finally, we need to do all of this at a price per user that makes it a no-brainer to implement, not the maximum we think we can stick the client for, based on some artful TCO model which, if you actually analysed it, would tell you the TCO of your IT environment is about a thousand times greater than the GDP of a small nation.