
Can security software keep pace with advanced threats?

The threat landscape has changed dramatically over the last decade. How well are security software companies keeping up with the new challenges?
Yes: Adrian Kingsley-Hughes (13%)

No: Larry Seltzer (88%)

Audience Favored: No (88%)

The moderator has delivered a final verdict.

Opening Statements

Continues to play essential role

Adrian Kingsley-Hughes: There's no doubt that the security landscape has changed dramatically over the past decade, and that threats have evolved from relatively simple viruses and macros designed to cause mayhem buried in documents and files, to advanced threats designed to steal data and carry out sophisticated corporate espionage.

When it comes to security, make one false move and your company can make headlines – in a very bad way. While no amount of security software can compensate for bad judgment by the people behind the keyboard, it can help the user make informed decisions, and help IT admins to lock down systems and protect the whole infrastructure from attack. But lately there has been concern that security software won't be able to keep up with the advanced threats facing enterprises, especially given the complexity of these threats and the fact that many are customized based on the target.

The problem with this statement is that it's not new – naysayers have been making the claim for years that security software won't be able to keep up with the rapidly changing landscape, and yet keep up with threats it has. And keep up with future threats it will continue to do.


A lot more than software

Larry Seltzer: When a Symantec executive declared recently that antivirus was "dead," it was inevitable that he would be misinterpreted. Security software, including antivirus, is an indispensable tool for IT to block advanced threats. It just can't do the job alone.

In an enterprise, all the best security software in the world won't secure your users and data unless the right policies are in place and administrators have the authority to enforce them. Some of these policies can be unpleasant for users, who must be required to use complex passwords and change them frequently, to use two-factor authentication, to log in to corporate resources over and over again.

Best practices, best defined by OWASP in their Top 10 Web Application Security Flaws, can make things hard on administrators and developers too: They have to be careful how they design web pages and access databases, how they handle user passwords, and so much more.

A company that follows these rules and does security right has a lot more than software. It has good IT people and senior management that is committed to giving them what they need to protect the company.

The Rebuttal

  • Great Debate Moderator

    Welcome, readers!

    We'll be getting started promptly at 8am PT / 11am ET. Once the debate begins, this page should refresh automatically each time a new question or answer is posted. Are my debaters standing by?


    Posted by Ed Bott

    Ready here.


    Adrian Kingsley-Hughes

    I am for Yes

    Looking forward to it.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    OK first question:

    How has the threat landscape changed in the modern era, and how well are security software companies keeping up with those new challenges?


    Posted by Ed Bott

    The biggest game changer has been money

Out are the jokes, the malware that just deleted files or formatted systems, and in is a new breed of malware that is designed specifically for building botnets, for espionage, and for holding data ransom.

    In other words, what's happened is that malware has moved from being the domain of the geeks and tech-heads to that of criminal gangs and rogue – and perhaps not so rogue – states who see digital as a way to make easy money.

    What does this mean in real terms? It means that more resources are being poured into finding resources – something which extends to buying zero day vulnerabilities for various operating systems direct from the hackers who find them in the first place – to researching hacks and vulnerabilities directly.


    Adrian Kingsley-Hughes

    I am for Yes

    The cutting edge

    The really scary mass-attack worms of ten years ago or more, like Nimda and Sasser, have been dead for a while. They were stopped not by security software as such, but by Microsoft taking security seriously in their products. Back before the security quality of many programs, principally Microsoft's, became acceptable, there really wasn't a way to secure ordinary users who had reasonable access to the Internet.

    Now, with modern software, including security software and intelligent policies for users and administration, you can protect yourself effectively against all but a very sophisticated attack.

    But if you're an important-enough target, a sophisticated attacker can probably still penetrate your network. This is why the cutting edge of security software is for systems that assume you will be attacked, and then monitor internal traffic looking for suspicious activity.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Types of software?

    Besides traditional signature-based antivirus software, which types of security products are important today?


    Posted by Ed Bott

    I would point to two things:

    Patches: Probably the first line of defense against nasties infiltrating your digital kingdom. Without proper patching, malware can sneak onto a system via the back door. While signature-based antivirus software is good at spotting malware that exploits operating system vulnerabilities, it is possible for zero day threats to walk right past an antivirus scanner.

Endpoint software: The ability to control what connects to a network, and how, is an important part of the security jigsaw. Preventing certain systems from connecting to a network – for example, those that haven't been patched, or are running outdated software, or that don't have an up-to-date virus scanner installed – is an effective way of preventing not only malware but also data theft.


    Adrian Kingsley-Hughes

    I am for Yes

    My first answer is patch management...

...and an aggressive policy of testing and applying patches. Zero-day attacks get a lot of attention, but the overwhelming majority of exploits are for vulnerabilities which have already been patched. The hard part of this is not the software, but the resources and authority to risk downtime and/or work after-hours.

    Privilege management is another critical area where you have to put in work. You can do it with just what Windows provides, but there are systems, such as those from BeyondTrust, which help a large and complicated organization adhere to the principle of least privilege.

    Finally authentication. All the time in real-world cases we see attacks which would have failed had two-factor authentication been in place. It's not necessary or desirable everywhere, but you should seek to employ it wherever possible.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Is all security software created equal?

    Is most of it "good enough" or are there big differences?


    Posted by Ed Bott

    Pretty much so

    The biggest differences really come down to user interface and usability, rather than the protection the software offers against malware.


    Adrian Kingsley-Hughes

    I am for Yes

    Some is better than none

    I guess there is a "good enough" in terms of protection, in the sense that the difference between 97% and 98% protection is unlikely to matter as much as other factors, like price and management features. Perhaps more important is that it's usually better to have some protection than none.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Third-party tests?

    How much should buyers rely on third-party tests when evaluating security software?


    Posted by Ed Bott

    In lieu of testing...

    While you'll come across quite a lot of third-party tests done on consumer grade security software, this isn't the case for the stuff aimed at the enterprise. However, on the plus side, most purveyors of enterprise security software will assist businesses in testing their platform, allowing business users to decide for themselves if the product is what they need.


    Adrian Kingsley-Hughes

    I am for Yes

    Rarer and less practical

    Third-party testing has become rarer and less practical in recent years, especially from an enterprise perspective. You can find good third-party tests of antivirus engines, and that's important, but it's rare and/or expensive to find tests that also consider enterprise management and deployment issues. Those tests are just too expensive to do. You'll either have to do them yourself or rely on a consultant, and perhaps that's for the best. It's an important decision and best made based on information about your organization and its other plans.

    For less-mainstream products, once again there are few third-party options.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Same software?

    Can the same software work for enterprises and small businesses alike?


    Posted by Ed Bott

    No

    This is where things get complex. Every business is different, with differing hardware platforms, differing use-case scenarios, all being used in different ways. But a small business – say, five to 50 seats – is going to be very different from a business with thousands of seats, all the way from the infrastructure to the number of people who are responsible for keeping the IT running.


    Adrian Kingsley-Hughes

    I am for Yes

    Not often

    I'm going to define "small business" as very small, definitely under 100 seats. The endpoints aren't necessarily managed and there isn't necessarily a full-time administrator.

    With many products, large parts of the program are the same for the enterprise version down to the consumer version. Anti-malware engines are this way. But for an enterprise they need to behave very differently: to obtain updates from an enterprise proxy server rather than directly from the vendor over the Internet; to deploy through network-based deployment solutions, potentially with zero-touch by the administrator; to implement policies set by the administrator based on the organization's directory; and to report events centrally.

    Consumer and very small business products have to be designed to be as easy to use as possible or their support burden becomes too great for the vendor. Enterprises need more power and flexibility.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    How important is security software versus security policy?


    Posted by Ed Bott

    They go hand-in-hand

    The bottom line is that one isn't really effective without the other. It's a bit like asking what part of a bridge is the most important, the deck or the cables? Without both, neither can do their work.

    The same is true here. The two things go hand-in-hand, and any company that thinks it can choose one over the other is playing with fire.


    Adrian Kingsley-Hughes

    I am for Yes

    Both important, but one is harder

    Security software is nothing without good security policy and administration. On the other hand, good policy and administration aren't enough without good software.

    Sometimes the line between one and the other can be difficult to draw, because security software implements security policy. But even if software is involved, it's policy that says (for example) that your password must have no dictionary words and be at least 10 characters long.

    With good policy, users and servers will be much less likely to be hacked. If they are hacked, the consequences will be less severe and the problem will be discovered sooner. But software is especially good at noticing unusual circumstances which may or may not be malicious, like client connections from Brazil or a spike in mobile traffic.

    So in the end, they're both important. It's probably harder to implement good policy than good software.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Are businesses paying too much attention to desktop security...

    ...and not enough to securing their networks?


    Posted by Ed Bott

    Holistic approach needed

    I'm sure some are, while others are going the other way and spending masses on securing their networks but allowing anything and everything to connect to said network.

    I think the issue here has more to do with the fact that desktop vulnerabilities get a lot more media attention than network vulnerabilities do – hence the whole Windows vs. Mac vs. Linux debate – when in fact it is far better to look at the ecosystem as a whole, and see the desktop for what it is, which is a part of that ecosystem.

    By taking a more holistic approach, companies are better able to protect their digital empire because they see it in its entirety, as opposed to just seeing parts of it.


    Adrian Kingsley-Hughes

    I am for Yes

    Failures and best practices

    I don't know enough about how much money or attention is spent on each, but there's plenty of literature and guidelines on each. Client security software is much more mature and competitive because there's a consumer market that can subsidize development and marketing of business products.

    But especially in the web era, a large percentage of threats come in through weaknesses in servers and networks. We know that many organizations don't follow best practice guidelines for these servers and that exploits through SQL injection and other such techniques are still fairly common.

    But client exploits are still common as well. I'm struck by Cisco's description of the recently ascendant Cryptowall ransomware: It infects through vulnerabilities in Java, Silverlight and Flash, all of which have been patched for about a year or two. Any exploits are purely a failure of policy.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Can a business just throw away desktop security software?


    Posted by Ed Bott

    Begging for trouble

    They can, just in the same way they can get rid of door locks and decide not to insure anything. But any company doing this is asking – no, begging – for trouble.

    What businesses should do is install desktop security, and then let that quietly do its job in the background.


    Adrian Kingsley-Hughes

    I am for Yes

    Good heavens no!

    Please everyone, the question was probably rhetorical, don't even joke about this!

    There are too many things that end users can do to a desktop system on even the best-protected network to leave the clients unprotected. This suggestion is the flip-side of the equally absurd "deperimeterization" fad of a few years ago, the idea of which was to put all the protection on the client. Defense-in-depth is always a good strategy in infosec.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    Virtualization?

    Does virtualization offer any hope for the future of security software?


    Posted by Ed Bott

    No magic bullet

    There's no doubt that virtualization has brought – and will bring – greater levels of security to systems, but it is not the magic bullet that some claim it will be. While virtualization does bring with it security measures such as system isolation, going beyond the basics needs skill, experience, and resources.

    Another area where virtualization may aid security is in isolating certain applications from the system as a whole – for example, a browser.

    Again, remember that nothing in this world is foolproof – they keep making better and better fools – so a defense-in-depth computing approach is better than putting all your eggs in one basket.


    Adrian Kingsley-Hughes

    I am for Yes

    Absolutely

    And it's already used that way. Hypervisors are the right place to put as much security function as possible, as they are protected from (if not completely impervious to) malicious action in the VM. As described in this VMware document, virtualization provides a certain amount of security automatically, just by separating systems, but it also allows for special protection of kernel modules. There are anti-malware products that operate at the hypervisor level.

    It also allows for sophisticated virtualization of networking between virtual systems. VLANs are useful in separating traffic flows that don't need to be on a shared segment without having to separate them physically.

    It's all very powerful, but it's not automatic. It requires sophisticated administration.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    If an individual is smart and careful...

    ...can they safely go without any security software?


    Posted by Ed Bott

    Think smoke alarms

    My grandparents never had a smoke detector, and they never burned to death in their sleep. But I have smoke detectors fitted because it's a small price to pay to protect my family and myself.

    This is how I view security software. A switched-on individual could probably get away without running security software if they patched their system and took care as to what they did and what they installed. But outside of some weird bragging fetish or being able to free up a few extra megahertz of power from a system, seriously, why bother?

    The downsides of running security software are small, while the upsides are huge. And if someone doesn't want to spend money on it then there are many free alternatives available.


    Adrian Kingsley-Hughes

    I am for Yes

    Probably...

    I hesitate to say this in public, but the answer is "probably." When you say "without any security software" I'm going to assume you mean "beyond what is provided by the operating system". Even the smartest, most careful individual can get infected by malicious code in an advertising iframe on a legitimate site, but unless it's a really serious zero-day, the impact can be mitigated.

    I've done this myself for brief periods. I run antimalware on all my desktops, but in fact the antimalware hasn't blocked anything in years, because I'm careful. It's also possible that I've been exploited by malware that got past my antivirus and other measures, but I don't think so. Even so, I run antivirus because I don't want to have to kick myself for getting exploited because I didn't.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    What about BYOD?

    In recent years we've seen a dramatic increase in BYOD devices, tablets, and smartphones. Is the security software industry keeping up with those post-PC devices?


    Posted by Ed Bott

    Ahead of the game

    I think that security companies are ahead of the game when it comes to post-PC devices. Countless security products exist for the various platforms at a time when malware is still – thankfully – rather thin on the ground. That said, the biggest job facing endpoint software when it comes to post-PC devices is not keeping devices free from malware, but preventing devices that have been jailbroken or rooted, or those devices that haven't been patched, from connecting to the corporate network.

    Another task that endpoint solutions are good for is recovering or remotely wiping lost and stolen devices, which, given how small and portable modern tablets and smartphones are, is a far bigger problem facing businesses that have adopted BYOD than malware currently is.


    Adrian Kingsley-Hughes

    I am for Yes

    Mobile security problem is theoretical

    The security problem from these devices, at least in terms of malware, remains a theoretical one, in spite of the potential for malware and vulnerability exploit being clear. Even so, mobile is an interesting demonstration of the convergence of policy and software in security.

    The EMM (Enterprise Mobility Management) business is big and growing like nuts. Over the last year or so, there has been a small wave of acquisitions of EMM companies by larger software companies (e.g. IBM buying Fiberlink, VMware buying AirWatch, Good buying BoxTone) because everyone knows it's important. They're not just about security, they're about all network management.

    EMM products are all about implementing policy. They allow administrators to define a set of rules for clients to follow, as well as to push software to clients. The software is critical, but it's all about empowering administrators to take action.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    OK, final question: Is this a Windows-only problem?

    Would businesses be more secure if they switched to different platforms?


    Posted by Ed Bott

    Cybercriminals follow the money

    It's only seen as a Windows problem because of the dominance that Windows has in the computing world. Yes, companies might be safer if they ran OS X or Linux, but if everyone took that idea and ran with it, then the cybercriminals would follow the money and go after these platforms.

    Remember, zealotry over your chosen platform does nothing to protect you from someone who wants what you have!

    Again, it's better to stop thinking about the minutiae of the system, take a more holistic approach, and add defences as appropriate at all levels.


    Adrian Kingsley-Hughes

    I am for Yes

    Attackers follow certain patterns

    None of the alternative systems (with the arguable exception of iOS) is inherently any more secure than Windows, but in the real world there are certain patterns attackers follow. No matter how blatant and wide-open the vulnerabilities on the Mac are, attackers don't seem all that interested in writing Mac-specific attacks.

    I don't have numbers, but I think it's fair to say that at the server level, *NIX servers are compromised at least as much as Windows servers, probably more. Certainly in terms of published vulnerabilities, the average Windows Server (of at least the 2008 generation) is more secure than the average Linux server.


    Larry Seltzer

    I am for No

  • Great Debate Moderator

    That's a wrap

    Adrian and Larry, thanks for a great debate. Please submit your closing arguments by Wednesday morning. I will deliver my verdict on Thursday.

    Readers: Please cast your vote -- and feel free to add a comment below...


    Posted by Ed Bott

Closing Statements

Security pros have our backs


Adrian Kingsley-Hughes

OK, we've talked a lot about digital security here, but let's come back to where we started: Can security software keep pace with advanced threats?

I believe it can. Sure, having a security policy is important, as is endpoint security and educating users about safe and unsafe practices (something we used to call "practice safe sectors" back in the day). However, at the end of the day, the security industry is populated by clever folks who've been in this industry for decades, and not only do these folks know the digital threat landscape like the back of their hand, they're also right there at the frontline and they see what's coming before the rest of us have to deal with it.

Security pros have had our backs for decades, and I trust them to have our backs for the foreseeable future.

Sure, feel free to think that you're cleverer than the folks behind security software, but in my opinion you take that approach at your peril. Hubris is a dangerous attitude to have when it comes to security, because when things go wrong, they go wrong in a big way, and fast!


You can't program common sense


Larry Seltzer

It's always impressive how smart software can get, but I suspect they'll be planting tomatoes on the moon before it gets smarter than humans.

A big reason for this is that nobody knows how to program common sense. Human attackers can and will learn how to get around the capabilities of software and an alert and diligent human will always be better able to adapt to changes in circumstance than security software.

The other big reason, as I have said, is that people resist the policies that are necessary in order for software to do its job. When convenience is a higher priority than security, no security software can do its job.

A great deal of time and money has been put into making consumer/small business security turnkey, i.e. so that the software could replace people. It's good, but any determined attacker can get around it with some effort. Usually, and ironically, they do this by tricking a human. Humans are smarter than software, but they can still be pretty stupid.

No easy answer


Ed Bott

Both debaters did an excellent job of trying to make sense of a complex, rapidly shifting landscape. Adrian Kingsley-Hughes argues, persuasively, that security software developers are an essential first line of defense against advanced threats. Larry Seltzer argues, equally persuasively, that the bad guys will always have an edge and even the most diligent administrator should plan for the proper response when a network attack is successful.

Because both arguments are convincing, I declare this debate a tie.
