Ever notice how everything in InfoSec is sold “as is”? No guarantees, no warranties, no return policies. For some reason in InfoSec, providing customers with a form of financial coverage for their investment is seen as gimmicky, but the tides and times are changing. This talk discusses use cases for why guarantees are a must-have and how guarantees benefit customers as well as InfoSec as a whole.
Ever notice how everything in the information security industry is sold “as is”? No guarantees, no warranties, no return policies. This provides little peace of mind that any of the billions spent every year on security products and services will deliver as advertised. In other words, there is no way of ensuring that what customers purchase truly protects them from getting hacked, breached, or defrauded. And when these security products fail – and I do mean when – customers are left to deal with the mess on their own, letting the vendors completely off the hook. This does not seem fair to me, so I can only imagine how a customer might feel in such a case. What’s worse, any time someone mentions the idea of a security guarantee or warranty, the standard retort is “perfect security is impossible,” “we provide defense-in-depth,” or some other dismissive and ultimately unaccountable response.
Window of exposure is defined as the number of days an application has one or more serious vulnerabilities open during a given time period. We categorize window of exposure as:
Always Vulnerable: A site falls in this category if it is vulnerable on every single day of the year.
Frequently Vulnerable: A site is called frequently vulnerable if it is vulnerable for 271-364 days a year.
Regularly Vulnerable: A regularly vulnerable site is vulnerable for 151-270 days a year.
Occasionally Vulnerable: An occasionally vulnerable application is vulnerable for 31-150 days a year.
Rarely Vulnerable: A rarely vulnerable application is vulnerable for less than 30 days a year.
Our analysis shows that 55% of Retail Trade sites, 50% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are always vulnerable. At the other end of the scale, only 16% of Retail Trade sites, 18% of Health Care and Social Assistance sites, and 25% of Finance and Insurance sites are rarely vulnerable.
Conversely, Educational Services is the best performing industry, with the highest percentage of rarely vulnerable sites (40%). Arts, Entertainment, and Recreation is the next best industry, with 39% of sites in the rarely vulnerable category.
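As an added example (not code from the talk, nor from any vendor's statistics pipeline), the following Python computes a site's window of exposure from its vulnerability records and assigns the category defined above. Overlapping vulnerabilities are counted once, since the metric is days on which at least one serious vulnerability is open, not the sum of per-vulnerability durations. The vulnerability records, site names and reporting period are constructed for illustration. The definitions above leave day 30 unassigned (rarely is "less than 30", occasionally starts at 31); the example folds day 30 into Rarely Vulnerable, which is an assumption.

```python
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

# One serious vulnerability: (date opened, date closed, or None if still open).
Vuln = Tuple[date, Optional[date]]

# Constructed sample data: one hypothetical site, reporting period = calendar year 2014.
REPORT_START = date(2014, 1, 1)
REPORT_END = date(2014, 12, 31)
SAMPLE_VULNS: List[Vuln] = [
    (date(2013, 12, 1), date(2014, 1, 5)),   # carried in from the prior year, fixed Jan 5
    (date(2014, 1, 10), date(2014, 2, 9)),   # SQL injection
    (date(2014, 2, 1), date(2014, 3, 15)),   # XSS; overlaps the SQLi window, must not double count
    (date(2014, 11, 1), None),               # still open when the period ends
]
# A second constructed site with a single vulnerability open all year.
ALWAYS_OPEN: List[Vuln] = [(date(2013, 6, 1), None)]


def days_exposed(vulns: Iterable[Vuln], start: date, end: date) -> int:
    """Number of days in [start, end] on which at least one vulnerability was open.

    A vulnerability is open from its open date up to, but not including, its close
    date. Days are collected in a set so overlapping vulnerabilities count once.
    """
    exposed = set()
    for opened, closed in vulns:
        first = max(opened, start)
        last = min(closed - timedelta(days=1), end) if closed else end
        day = first
        while day <= last:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


def window_of_exposure(days: int, period_days: int) -> str:
    """Map a day count onto the categories defined in the text."""
    if days >= period_days:
        return "Always Vulnerable"        # vulnerable every single day of the period
    if days >= 271:
        return "Frequently Vulnerable"    # 271-364 days
    if days >= 151:
        return "Regularly Vulnerable"     # 151-270 days
    if days >= 31:
        return "Occasionally Vulnerable"  # 31-150 days
    return "Rarely Vulnerable"            # "less than 30"; day 30 folded in here (assumption)


def assess(vulns: Iterable[Vuln], start: date = REPORT_START, end: date = REPORT_END) -> Tuple[int, str]:
    """Return (days exposed, category) for one site over the reporting period."""
    period_days = (end - start).days + 1
    days = days_exposed(vulns, start, end)
    return days, window_of_exposure(days, period_days)


def distribution(sites: Dict[str, List[Vuln]]) -> Dict[str, int]:
    """Percentage of sites in each category, the shape of the industry figures above."""
    counts: Dict[str, int] = {}
    for vulns in sites.values():
        _, category = assess(vulns)
        counts[category] = counts.get(category, 0) + 1
    total = len(sites)
    return {category: round(100 * n / total) for category, n in counts.items()}


if __name__ == "__main__":
    # Constructed site names; these are not real sites or real figures.
    sites = {"shop.example": SAMPLE_VULNS, "portal.example": ALWAYS_OPEN}
    for name, vulns in sites.items():
        days, category = assess(vulns)
        print(f"{name}: {days} days exposed -> {category}")
    print(distribution(sites))
```

Per-vulnerability durations for the sample site sum to 137 days, but the window of exposure is 129, because the SQL injection and XSS windows overlap for eight days. Closing a single long-lived finding moves a site between categories more than closing several short-lived ones, which is the point of measuring exposure this way.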
1: Nothing is ever 100% secure, just like no everyday product is 100% reliable. However, this hasn’t prevented many industries, including automotive, electronics, exercise equipment and thousands of others, from offering product guarantees. If a product is defective, simply return it for a replacement or get your money back. What’s different about information security is that vendors have lacked product performance data, which is essential to offering guarantees. With product performance data, a vendor can offer a guarantee even though the product cannot provide 100% security.
2: There are always new vulnerabilities being disclosed, new attack techniques, and new tactics employed by our adversaries. However, if a security vendor has sufficient actuarial data about the performance of their product (today), it’s contractually possible to specify exactly what a security guarantee covers and to disclaim excessively risky events and unknowns. This is precisely what other industries do. When new vulnerabilities, techniques, and tactics become understood and defensible, those can be guaranteed as well.
3: In the heyday of home-brew firewalls, intrusion detection systems, and other security products, security vendors didn’t have access to the data their products generated. This is no longer the case. Today we’re in the era of the cloud, managed services, and products routinely phoning home for updates, all of which provide real-time access to an ample supply of performance data. Modern security vendors have access to the data they need to provide guarantees, should they choose to.
4: Determining the layer of defense that failed requires at a minimum some degree of system logging, ideally forensically sound logging that an attacker cannot alter after the fact. If an organization is unable to determine what transpired during a given security event, that problem must be solved first. For organizations capable of performing effective forensic investigations, identifying the gap in the defense or the product that failed is entirely possible.
5: Like any guarantee, the vendor decides what type of costs they’ll cover in the event the product does not perform as expected. With respect to a breach, guarantees and cyber-security insurance often cover hard costs associated with downtime, legal fees, incident response, credit monitoring, fines, and so on.
6: This represents a unique opportunity for security vendors to differentiate themselves from their competitors and an opportunity for customers to demand more effective products.
7: Like all other products we purchase, guarantees only cover intended use. For example, in the case of cars, to keep the guarantee it’s often required to get the vehicle properly serviced according to the maintenance schedule. Another example is electronics guarantees, which may not cover water damage. Security vendors can specify exactly how their product is meant to be used for its effectiveness to be guaranteed.
8: Products with a guarantee do tend to cost more than those sold AS-IS. Someone may purchase an ultra-cheap computer on eBay without a guarantee, but they’ll have to take their chances with how long it might last. Or someone can buy a new computer at Dell.com, which may cost more, but the peace of mind could be worth it. Which option they prefer is their choice. It’s also quite common for consumers to pay even more for extended warranties on various products, including cars and electronics, and many industries have found doing so to be highly profitable.
9: Every business encounters obstacles when competing in a market. For example, large organizations may require vendors to have general business liability insurance, a minimum amount of cash in the bank, to be physically located in a given country, and more. These are generally viewed as a cost of doing business. If and when organizations require security vendors to offer product guarantees, that’s just one more thing a vendor must offer in order to play in the market. The customer is always right.
Gartner
Forecast Overview: Information Security, Worldwide, 2014 Update
Published: 25 June 2014
1) We're leaving a third of the money on the table. Imagine if I could say that I can increase your revenue by a third. If your board figures out that they're losing this much money because you can't get your stats in order, they're not going to be pleased. The insurance industry is taking money from our industry, and that means less security spend, fewer jobs, less innovation, less growth and less security.
2) The insurance industry is on a path to grow faster than us by leaps and bounds. Their power and influence will easily dwarf ours if we don't act soon. We're ceding control of our industry to the insurance industry: do we want them to dictate/mandate spend? Do we really want a new regulatory body we have to comply with? The growth seems like a graph too. Show ours increasing by 7% or whatever and theirs increasing by 67%. If they're growing that much faster than us, we need to demonstrate how much faster and give them the ominous feeling that we're being gutted from the inside.