The Third Wave of FUD: Pre-emptive FUD Against Other Solution Categories

Today our invited post is from David Etue, a vendor speaking about FUD in information security marketing. Yes, he has skin in the game and yes, he knows it. But his larger point is that when marketers point FUD at vendors in other markets, intellectual honesty and customer information are the victims.

By David Etue (Twitter: @djetue)

Disclosure: I am a marketing guy - a VP of Products and Markets at Fidelis Security Systems, a network security company addressing problems from cyber defense to DLP. That's my conflict, and now it's disclosed.

Sadly, FUD continues to evolve, and not in a positive way. As Anton Chuvakin has pointed out, FUD's role in security today probably overshadows the role of any other factor we know. However, vendors' use of FUD is continually evolving, and has now reached what I consider to be its Third Wave: Fear, Uncertainty and Doubt against other solution categories. In order to understand the third wave, we'll first look back at what I consider the first and second waves.

The First Wave
The "first wave" of FUD is when vendors use fear, uncertainty and doubt to convince (well, scare) an organization into buying their security product. Rather than learning a customer's organization and explaining how the technology, along with people and process, benefits the customer's risk management program, this FUD involves targeted messages to the end user on how they will be hacked, fail an audit, lose their job, etc. if they don't purchase this product.

This first wave of FUD is still omnipresent today, but many consider it misdemeanor-level FUD as it's also the easiest for the end user to detect - it often overlaps with "silver bullet FUD" claiming that the product solves all information security problems, and maybe even world hunger too.

The Second Wave
The "second wave" of FUD targets competitors in the same sub-sector of a given industry; this is FUD marketing attacking the competition to win the customer bake-off. Again, rather than competing the noble way and articulating how product differentiators affect customers' cost of ownership and benefit their risk management program to gain selection, many resort to competitive FUD. There are a few different types of second wave FUD:

  • Bogus Requirements: This FUD consists of establishing criteria that have NO or LOW material mapping to how the organization would use the product, and therefore no benefit, yet will eliminate competitive solutions. My personal favorite examples are when organizations require esoteric templates, often compliance related, in the product with NO relevance to their organization because one vendor has them and convinced them to include it in the specification.
  • Bogus Features: I have a product management background so I often refer to these as "test cases", versus "use cases." These are typically extraneous, but can sometimes be intentionally malicious. The extraneous cases consist of creating an event that would never happen in the real world, modifying your product to cover it, and then convincing the end user it matters. A few years ago, I came across a great example of a more malicious case from a data leakage prevention (DLP) vendor, where they had modified their product (whether intentionally or unintentionally) to alert on a Social Security Number ending in "0000", which is not a valid SSN. The vendor then proceeded to provide the end user with a test file of SSNs ending in four zeros, and then claimed to be the only vendor to detect the file "correctly!"

The Third Wave
Unfortunately, we've gone past these to the "third wave" of FUD, where FUD is used to compete for a customer's mind-share versus other solution categories. Rather than using FUD as a compelling event (FUD wave one), or competitive FUD to gain selection (FUD wave two), vendors are now FUDing for mind share before projects even start! A great example of this is Gunter Ollmann of Damballa's blog post, Botnet Prevention with DLP Technologies.

I am pretty familiar with the DLP space, and I'm not aware of many cases of vendors using botnets, or even botnet FUD, as a primary selling point of a DLP solution. However, Gunter goes out of his way to try to make a point that he can't "see a reason for [DLP] existing as a separate security technology anyway."

As an aside, I'd recommend that Gunter choose his FUD more carefully in the future. Much of his "DLP doesn't do botnet" FUD could also be used to argue why a separate botnet appliance (like Damballa) shouldn't exist as a "separate security technology", as he makes a compelling argument that IPS, anti-spam and perimeter Web gateways help stop nodes from being infected over the network; anti-virus best deals with determining "malicious intent of the binary files"; and IP/Domain/URL blocking technologies are effective at blocking command and control.

Why is Gunter focusing Botnet FUD at DLP?
While botnets certainly may play a role in data exfiltration, Damballa's mission of protecting "businesses from bot-driven targeted attacks used for organized, online crime" and DLP's focus on content-aware data security are fairly different. I think the reason is that DLP is currently a funded market category with named, funded projects in the large enterprises that Damballa is interested in selling to.

These same enterprises don't have a named "botnet detection" project or budget, so the battle for dollars and mind share has begun. He is not alone in this FUD, as many other vendors have joined this third wave of FUD against DLP alone. For example, Lancope announced their DLP solution that is soooooo good that it is "not dependent upon packet-level data" (thanks to Rich Mogull of Securosis for calling out this FUD in his blog post Hit the Snooze on Lancope's Data Loss Alarms). There are many more examples across the security landscape.

So, how did we get to this third wave? I have a few ideas.

First, the security buyer is suffering from information overload. If we look across the security product landscape, Gartner has a taxonomy that defines 159 discrete security topics ranging from infrastructure protection to identity & access management to compliance, risk & governance. This overwhelming list of "solutions" is far too many categories for an end user to possibly navigate, let alone have in-depth knowledge of how they would benefit their organization's risk management program.

Second, there is very little spending on new security projects, or new IT projects in general. According to the quarterly Citi CIO Survey for the fourth quarter of 2009 (by Richard Gardner and Aswin Shirviakar), the 80:20 rule applies to existing projects and maintenance versus new IT spending: "about 80% of IT spending over the next year is expected to be maintenance." This report also states that "security spending intentions remain high yet just stable." What does this mean? Any product within the Gartner 159 security categories that is not yet deployed is fighting for 20% of IT security spending, and the overall pie from which the 20% is derived isn't growing.

Finally, compliance spending continues to drive the majority of the spending in security dollars. The same Citi CIO survey cited before noted that government regulations were a significant driver of spending. As compliance regulations have become more prescriptive, this compliance-spending has become very focused on a small number of traditional (some may call legacy) security controls.


The Payment Card Industry Data Security Standard (PCI DSS) is a great example of this: as Josh Corman points out, it only explicitly requires nine security technologies (firewall; IDS; anti-virus; log management; encryption; vulnerability scanning; web application firewalls or application reviews; integrity monitoring; and patch management). This leaves 150 of the 159 Gartner sub-sectors of security - many with technologies solving significant challenges important to enterprises today - not required by compliance.

So, we have a confused buyer not able to keep up with the number of security product categories available, let alone the products within them. They may have little motivation to learn as budget pressures allow for few new projects, especially when 80% of the budget is spent on existing projects and maintenance. Top that off with compliance driving spending to a small number of legacy controls.

This leaves the remaining vendors thinking "If they have one discretionary project left, it MUST come to my project," and makes them incredibly focused on driving the small fraction of remaining budget to their solution. This is no excuse for the use of FUD, but is a sobering view of the state of the information security industry today.

Conclusion
Information security has reached a desperate time and some say desperate times call for desperate measures. However, these desperate measures should be to the benefit of the end user, not any single vendor. I would suggest that the presence of third order FUD is an indicator of the desperation of a solution to find its way in a crowded marketplace. This is a commentary on both the marketplace and the vendors who seek to use it. In a time when we all want to drive FUD down, adding a third wave should not be acceptable.

In the interest of continued disclosure, I remind you, I am a vendor. But am I wrong?

Which examples of third-wave FUD do you have?

Innovator's Crisis

This week we've invited Peter Kuper to comment. If you've ever met Peter, you won't be surprised that the topic of this week's post is the crisis amongst innovators. Thanks, Peter!

By Peter Kuper

Google made it entirely impossible for anyone to deny the harsh reality: We are pwned. The call for better security solutions has never been greater – it is headline news not in some geek blog, but in the New York Times. We’re finally getting the attention the problem deserves! Any day now we should be seeing money raining down all over security as the brains would be getting endless calls from investors worldwide, the big tech providers creating a buying frenzy to snap up and rush the leading products to market, and the new solutions and ideas would line up as far as the eye could see.

The reality is the exact opposite – the reality is that the entire ecosystem for the innovative ideas to solve this undeniable problem is at a critical state: the money has left the building and likely ain’t coming back anytime soon. Venture Capitalists have run from security as the easy money returns showered on them from the Symantecs and McAfees of the tech world, let alone the IPOs, have all but disappeared. At a time when our economy needs the VCs the most, they’re not willing or able to step up.

The latest data from VentureWire confirms these fears:

  • Venture-backed cyber-security start-ups secured just $626 million…in 2009, less than half the amount they raised in 2005
  • Buyers are smaller, as are the targets - acquiring entities are mostly “rollups” meaning amassing a portfolio of technologies just for reselling purposes, not advancing the cause (or roadmaps for that matter)
  • E.g., Barracuda Networks “made nine acquisitions since taking $40 million in financing from Sequoia Capital and Francisco Partners in 2006”.
  • "There's a lot of great technologies that haven't gotten traction and people can't see how to profit from it, that are forced into a position to sell when normally they wouldn't be looking to (sell)," Dean Drako, CEO Barracuda Networks.

It is a simple cycle: The companies need to sell as the capital to sustain operations has largely evaporated – fewer sales and less funding lead to more distressed EOLs.

But the slippery (ugly) slope doesn’t end there for us poor users. Even worse, the large security and other technology providers that purchase the private companies with the better technologies are then, in almost every case, killing off the R&D and product road maps. The overall data shows the undeniable trend: Despite the over 388 deals completed by the top 10 tech companies, including 276 between 2005-2007, R&D levels declined. Where did the R&D go?

Source: Publicly reported data

Public companies acquired are no exception either; IBM paid $1.3 Billion for ISS and what has become of those technologies? More distressing perhaps is that the problem will linger as the VC’s aren’t stepping in to replace the nearly 400 companies wiped off the earth in the past 5 years. The main driver of this is the VC’s are looking at the exit valuations. According to the 451 Group, the returns for technology deals are simply lower.

Cooley Godward’s report captures the reality of VCs' risk aversion. Over the past four years, fewer early-stage deals are being completed in favor of later-stage investments. Later-stage rounds have increased to 39% in 2009 from 33% in 2006 – the gains came from the A rounds (30% in 2009 vs. 37% in 2006) as Series B stayed the same (30%).

Source: Cooley Godward Kronish


Who cares if the VCs aren’t there?! They weren’t much help anyway, some have cried. While that may be true in some cases, the dollars for R&D aren’t coming from the larger companies either. As Goldman Sachs illustrates in the table which follows, IT has historically been the largest R&D spender versus any other industry, yet it dropped by 6% in 2009 and is expected to increase just 3% this year.

And the even harsher reality is that VCs and public vendors provide the lion’s share of research dollars.

So for now anyway, we’re screwed. Of course, eventually the market, as it should, will find an answer. “SuperAngels” is fast becoming a recognized term as wealthy individuals and groups of them step in to fund Series A deals that are harder to fulfill in this environment. Boot-strapping is also returning to vogue, which has some very useful residual effects. While growth might be hampered from a lack of resources, running a frugal ship from day one avoids the cash burn trap many startups fall into, as well as retaining higher ownership of the company. But given the overall saturated state of attack surfaces, something’s got to give if we hope to fight back, let alone win, anytime soon.

Confessions of a SecAddict

It's Friday, which can only mean a torpedo of FUD comin' at ya.

Sometimes you read a blog post that really hits home.  This is one of them.  I asked Chris if I could repost it here and he was gracious enough to say 'Hell, yeah.  That's cool' (at this point, I pictured him whipping out the MOFO wallet...).

Chris is an experienced security practitioner by day and co-host of the Exotic Liability podcast by night (well worth a listen, just protect the children ;-)) and informal champion for the non-rock-stars in the infosec community (he wouldn't call himself this as he's too modest on this score).

Anyway, enjoy the post and tell us what you think in the comments.  Thanks Chris!

By Chris Nickerson

“GOD, grant me the serenity to accept people that will not secure their networks, the courage to face them when they blame me for their problems, and the wisdom go out drinkin’ afterwards!”

-A.P.Delchi

I am over it! I am over all of the BS. I am over all of the compliance posturing. I am over all of the “NEW AGE” high tech hipster ways to get a hold on a problem that is created “FOR THE PEOPLE BY THE PEOPLE.” I am over “We can’t.” I am over the cutting of the security budget to the bone. I am over having to use FUD to get attention. (Which is nothing more than promoting the stereotype of security professionals being cry baby prima donnas.) I am over having to try and use corporate politics, backhanded practice and overall impossible tactics just to create “something to REACT to.” I am just plain sick and tired of the loss of money, the incessant security breach headlines, the constant increase of security theater, and the train wreck life of a typical security posture.

Have you ever felt this way? Do you feel this way now? Are you “too tired” or “powerless” with regards to the security battle? Do you feel “under control, hands tied, and have an overall lack of drive.” Do you see a pattern?

./Big_Giant_Breath

These are the signs you would see in a person with an extreme addiction. Yep! Change the words and context around just a little bit and you have a classic addict. It’s hard to choke down. I get it. It’s not conventional… I know. But, it’s real.

As with the history of alcohol and drug abuse, there have been decades of quick fixes. There have been millions of “get fixed quick” type programs. There have been high tech treatments and “silver bullet” pills that cure this horrible disease, but none of them was/is a real solution. The reason for this is that fighting an addiction takes a lifetime of practice and will only end when you die. Until then, you will have to take it one day at a time and step by step. Around every corner will be a reason to slip back into your “old ways.” Sound familiar yet?

With all of these factors above sharing a frightening parallel and a quite common theme, I think there is something to learn. I started thinking about this quite a long time ago when I was first exposed to the 12 step program. I was studying conjoint family therapy with the hopes that it would seriously up my Social Engineering game. I was taking the cross training approach to my career. I wanted to get into all of the classes, books, seminars and groups that were focused on “fixing” the bad behaviors of humans. I figured that by learning the fix I would better learn how to break them. Holy $h1T was I surprised. Here I am, sitting in the room, playing my role and absorbing as much as I could when it hit me. I am really screwed up. ( I know, shocking.. haha) Seriously though… I was able to identify things in my life that were superpower road blocks. Things that were so serious that I was sitting in the room, on the verge of tears and feeling completely helpless. A man named Stephen Young, who was teaching this class, came over to me and knew I was in a bad way. He knew this because under my supercool H4x0r exterior I was falling apart. He read my psychosomatic posture, he analyzed my every move and breath, he was even taking my pulse and temperature. This extraordinary man came up to me and put me on the spot. With his relentless pursuit of the truth and his unreasonable stance for my resolve he broke me in half. He exposed me. It took a long time. To me it felt like an eternity, but in the end I opened up like a box that didn’t install the patch for MS08-067. From my session in this class I learned about something very important in my life. I learned the difference between being HELPLESS and being POWERLESS. On the surface this may be a no brainer, or it may look like the 2 words can be interchanged. Underneath the hood of the human experience, this is one of the tipping points of eternal happiness.
I won’t go into detail on the many facets of how humans treat themselves based on their perception of the situation or the vast and complex punishments we invoke on ourselves. You are a human, you have done it…. Like it or not… we all do. It is a common thread in our psychological makeup. Due to that fact, we all have a struggle with these powerless and helpless concepts. To set the record straight in the most raw definition of the words:

Powerless: Without POWER

This feeling comes with an overwhelming feeling of being weak. When we are powerless we do not have control. We are not the driver and we have no way to decide whether the car is going to crash into the wall or not. The brakes are out, the steering wheel is broken, and all the doors are locking you in. You are not without help or a solution, but you just have no real choice on what comes next (this concept took about 3 years for me to really get, so if it is confusing in this short burst… you are not alone!) When the car hits the wall… there is no reason to be mad… it was out of your control. What freedom. No reason to beat yourself up…. It was simply out of your hands at that very moment.

Helpless: Without HELP

Now, we really gotta dig in to where that puts us mentally. When you do not have power, you feel weak. You feel like you cannot take on something alone. You feel abandoned and in a state where all is lost. The confusion here commonly comes from the target of your abandoned feeling. In your mind it means that you are alone and not equipped to handle the job. You don’t have the manpower to overcome the odds at hand. In reality you are abandoned. Not by other people. You abandon yourself. You punish yourself by making all these crazy meanings that you extrapolate from mounds of “evidence” to support your claim. You are not without friends. You are not without HELP. You are not alone at all. Your perception is your jail and its security controls are unable to be compromised (after all… you built em ;).

I know, I know you are saying..“ Geez hippie… hug a tree or something….” But this is an important thing to understand with relevance to InfoSec. Take those definitions above and apply them to your daily life. Apply them to your job. Apply them to all of the frustration that you had agreed with in the beginning of this post.

What did you find?

Well, because we are all humans, and because we all have a TON in common, we are all likely to experience the same feelings at some point or another. Maybe for you this is not the time.. Maybe this is the one… Regardless, it is a part of life. We have all been happy or sad, or indifferent. For this simple reason, we all have had common issues.

This brings us back to our fuzzy little InfoSec lives. The revolving world of compliance drives companies to scope and de-scope assets like fashion trends. They inspire a momentary response which is more motivated by negative incentive than anything else. Now, I am not saying compliance is bad or useless or whatever you make it. I am saying that the feeling that causes action still leaves you in that helpless state. It never addresses the human anchored problem that we all face. It never addresses the helpless feeling which overwhelms so much of the industry. Compliance has created amazing action and movement in InfoSec, but it usually doesn’t provide a holistic and cultural human change. It is kind of like taking an alcoholic and saying “Well, we will consider you recovered if you don’t drink Vodka any more. All of the other alcohol isn’t IN SCOPE.” This is just an insane statement, but it is how I see many compliance programs dealt with. For this reason I started thinking about how addicts are treated. Sure, there are pills, programs, and fixes all over. There are Detox centers that claim to “Get you clean,” but all the successful ones have a common thread. They have a common goal and a common roadmap to get there.

This roadmap is called the “12 Step” program. It has stood the test of time as a repeatable and trendable mechanism for recovery. As I looked at the steps in depth from many perspectives, I realized that this may be a good place for us to start our own recovery. We have a million ways to lock down an organization. We have more to implement and even more technologies to support it. What we don’t have is a real way to get started. We don’t own our own recovery; we usually act like it is forced upon us. Because of the lack of ownership, it allows us to “cheat” in our own program. It allows us to blame a scapegoat (whether that’s compliance or an infosec savvy employee). There is always someone else to blame and, at the root of it, it is the reason we have rarely succeeded with our insecurity “recovery.”

Taking all of that into account, I decided to modify the steps just slightly to see if they would work to aid in our business recovery efforts. After a long hard look (and a few flights) I wanted to present this back out to the community to see what we could do with it.

12 Steps (of insecurity recovery)

1. We admitted we were powerless over security – that our environments had become unmanageable.

2. Came to believe that a power greater than ourselves could restore us to being secure

3. Made a decision to turn our will and our lives over to the care of best practice as we understand them.

4. Made a searching and fearless inventory of our environments and its assets, both information and physical.

5. Admitted to ourselves and those assisting us in our recovery the exact natures of our wrongs

6. Were entirely ready to have an independent assessment of our environment and accept the recommendations suggested to remove the flaws identified.

7. Humbly ask for help remediating our flaws.

8. Made a list of all the persons we ignored and became willing to make amends to them all

9. Made direct amends to such people wherever possible, except when to do so would injure the brand or the company.

10. Continued to take corporate inventory and when we found flaws promptly admitted them

11. Sought through policy, process and procedure to improve our conscious understanding of best practices as we understand them and only for knowledge of his will for us and the power to carry that out

12. Having had a corporate awakening as the result of these steps, we tried to carry this message to other organizations and to practice these principles in all our affairs

I know that there is no silver bullet. There is no magic diet pill that will make me thin, healthy, and perfect. There are some things we can do about it. There are things we can accept in life and leverage the experience to live a life that is extraordinary. The quick fixes are rarely responsible for major breakthroughs.

The tech won’t save us. The regulations will never be good enough. The cloud won’t be the silver lining.

Sorry to say it, but security is hard work. It takes blood, sweat, tears and good ole fashioned work to make headway. We can use the fads and toss around millions of dollars on a quick fix, or we can just get to work. Do you want to put in the work to admit you have a problem, or do you want to continue blaming someone else for the problems? There is a way out. You have help. All you have to do is take “The first step.”

Personnel Problems

This week, head hacker Dale Pearson digs into an area that we infosec guys and gals often give lip service to, but all too often fail to properly address.  Cheers mate!

By Dale Pearson

I have a problem; well maybe it’s more of an addiction. I just love gadgets and technology, if it beeps and has lots of flashing lights I just have to have it. I am sure a lot of you share my affliction - we are like magpies - we all like new shiny kit arriving at the door. Ok, so it’s a personal problem, but it’s a problem that exists in organisations also, and it’s a real problem.

In the world of business, organisations are constantly reminded of the threats and risks that exist, and the steps they need to take to reduce and eradicate these so called threats. So how do organisations spend their security budget? Well, they spend a lot of money on little boxes that sit in huge racks, with lots of flashing lights and the occasional beeps. Sounds like heaven, right? With all these firewalls, IDS, AV and filtering technology we have nothing to worry about; the virtual gates are tightly locked.

It doesn’t stop there though; we need policies, procedure and governance too, so we have to spend a little money here as well. We need to tick those regulatory and legislative compliance tick boxes so we can get the nice certificate on the wall, and assure our customers that we are secure because we are compliant. The purse strings are tightening a little now, but we are jumping aboard the risk management framework train now, and this is a big deal, so we need some money for this. So now we are on the circular line of risk procrastination and unrealistic checklists, but it all sounds good and sets the right image to the outside world.

Now there really is no money left in the kitty, but we need to carry out penetration testing and user awareness to keep our certificates on the wall. So we employ a team of penetration testers to run a vulnerability assessment on a small portion of our infrastructure. Now for user awareness training, a simple presentation we can rinse and repeat each year on the Intranet should do the job.

So let's quickly recap. 50% of the budget spent on infrastructure, 25% spent on compliance maintenance, 20% spent on risk management, 4% spent on penetration testing, and 1% on user awareness. Money well spent, and a secure environment has been achieved. Free publicity on the TV, Radio and the Newspapers when millions of customers' records left the building via portable storage and boxes of paper….. priceless.

Companies say they take security seriously, and they know people are the weakest link, and they have training in place to cover this risk. I say FUD. They should hang their heads in shame.

Hear me when I say, you have personnel problems. I am not saying forget about all the shiny toys and flashing lights, but remember and invest in your wetware too. People are the weakest link. Humans are programmed to be helpful, not to question, challenge or be suspicious. We need to empower our personnel; they need to be regularly reminded of the risks, and the forms they take. They need procedures to follow to mitigate risks; reward them for following processes and challenging the unknown. This can't be done on the cheap with a presentation knocked up one weekend.

Just ask yourself how much the information that walks out the door is worth, or when users give full access to the network via a Facebook application, or when offered the chance to win an iPod, and calculate how much you should really be investing in real awareness and education. Obviously the other components are important; we just need to readjust the allocation of funding to ensure adequate coverage for all areas of vulnerability. Awareness and education need to hit home at a personal level, and they need to be realistic, effective, constantly maintained and reinforced. Security is everyone’s responsibility.

It’s not that simple, I hear you cry. In order to get funds we need buy-in, we need to demonstrate ROI, and besides, nothing has ever walked out our front door, we would have known.  If this is the case I encourage you to find the budget at least once for a no-holds-barred, full on social engineering assessment, and I am confident you will be shocked at the results, and if done properly you should be on your way to starting the journey that gets the buy-in and the required ointment for your personnel problems.

There is no magic red pill that will cure the rash that is human stupidity, but through regular monitoring and constant treatment, we can reduce the inflammation to an acceptable level, and allow ourselves to go outside and face the world.