Breaking the zero-day habit

Written by Ryan Naraine, Contributor

* Ryan Naraine is traveling.

Guest editorial by Mike Rothman

Given that this blog is called "Zero Day," I think it's fitting that I'm calling for most security professionals to ignore most of what comes out of the security research community. To be clear, I have only the utmost respect for folks that do security research. I think what they do is critical to the long-term improvement of the security environment.

But I think that security professionals can spend their time more effectively by NOT chasing after the latest exploit, vulnerability or other attention-grabbing issue. Only a very small minority of security folks actually has adequate defenses in place right now. The majority still has a lot of blocking and tackling to complete before they should be worried about the latest and greatest exploits.

Just take Dan Kaminsky's DNS attack as a recent example. We’ve known about that for 4 months. And a significant number of servers are still exposed. These folks can’t even get to the stuff they know will kill them – to chase after an unknown, unqualified exploit is counter-productive.


Most security professionals will drop everything to respond to some out-of-cycle patch, regardless of whether they are seeing attacks or not. We continue to gloss over the difference between a vulnerability and a risk. Of course, a vulnerability is theory. Risks are reality. Security professionals need to live in the world of risk.

The media doesn't like that answer. They are driven by page views (sorry, but that's the monetization model moving forward), which are driven by meaty news. BusinessWire doesn't like that answer either. How will they replace the revenue from all of those press releases announcing defenses against the latest zero day attack?

No one has any interest in telling the market to check the configurations of their Internet facing devices. It's not really sexy and doesn’t generate a lot of page views. But it’s exactly what most security professionals should focus on.
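As an added illustration of the "check the configurations of your Internet-facing devices" point, and of the DNS example above, here is a small check written for this page (it is not the author's code and not part of the original editorial). The Kaminsky attack was mitigated by randomizing the resolver's outbound source port, and a BIND `query-source ... port N` setting pins that port and disables the randomization; an `allow-recursion { any; }` ACL makes the server an open resolver. The script strips comments from a `named.conf` options block and flags both. The two configuration snippets are constructed samples, not real deployments.

```python
"""Flag two Internet-facing BIND settings a resolver owner should not have.

Added example for this page; the configs below are constructed, not real.
"""
import re
from typing import List

# Constructed "weak" options block: pinned source ports, open recursion.
WEAK_NAMED_CONF = """
options {
    directory "/var/named";
    // Pinning the outbound port defeats source-port randomization.
    query-source address * port 53;
    query-source-v6 address * port 53;
    recursion yes;
    allow-recursion { any; };
};
"""

# Constructed "hardened" block: no fixed port, recursion limited to local nets.
HARDENED_NAMED_CONF = """
options {
    directory "/var/named";
    query-source address *;      # no port clause: BIND picks a random port
    recursion yes;
    allow-recursion { 127.0.0.1; 10.0.0.0/8; };
};
"""

# named.conf accepts C-style, C++-style and shell-style comments.
_COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
# query-source / query-source-v6 statements that carry a "port <value>" clause.
_QUERY_SOURCE_RE = re.compile(r"\bquery-source(?:-v6)?\b[^;]*?\bport\s+([^\s;]+)\s*;")
# allow-recursion { <acl entries> };
_ALLOW_RECURSION_RE = re.compile(r"\ballow-recursion\s*\{([^}]*)\}")


def strip_comments(text: str) -> str:
    """Remove comments so that commented-out settings are not reported."""
    return _COMMENT_RE.sub("", text)


def check_named_conf(text: str) -> List[str]:
    """Return a list of human-readable findings for the given named.conf text."""
    findings: List[str] = []
    body = strip_comments(text)

    for m in _QUERY_SOURCE_RE.finditer(body):
        port = m.group(1)
        if port != "*":  # "port *" explicitly asks for a random port and is fine
            findings.append(
                f"fixed outbound query source port {port}: "
                "source-port randomization is disabled"
            )

    for m in _ALLOW_RECURSION_RE.finditer(body):
        acl = [entry.strip() for entry in m.group(1).split(";") if entry.strip()]
        if "any" in acl:
            findings.append(
                "allow-recursion { any; }: the server answers recursive "
                "queries from the whole Internet (open resolver)"
            )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_NAMED_CONF), ("hardened", HARDENED_NAMED_CONF)):
        print(name, check_named_conf(conf) or ["no findings"])
```

Point it at a real `named.conf` by reading the file into `check_named_conf`; the regexes are deliberately narrow, so a finding means the setting is literally present, while an empty result only means these two settings were not found.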


The sad truth is that a true zero day attack will own us all. The best we can do is to pay attention enough to clean up the mess, and you don’t need the press – or even a savvy security researcher – to tell you when you’ve been owned.

So what should replace all the time you now spend following some of the cool mailing lists and blogs? Start more effectively monitoring your networks, servers, and databases. That’s right; start looking for anomalies from the typical behavior. All zero day attacks will leave a trail.
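To make "look for anomalies from the typical behavior" concrete, here is an added example written for this page (not the author's code): a baseline-and-deviate check over constructed edge-firewall log lines. It builds a per-host profile from seven quiet days (median daily bytes, median absolute deviation, and the set of destinations seen), then scores a new day for two trails an attack tends to leave: an outbound volume far outside the host's own norm, and destinations the host has never talked to. The log format, host names and addresses are assumptions for the example.

```python
"""Baseline-and-deviate detection over constructed firewall logs (added example)."""
import statistics
from collections import defaultdict

# Assumed log format: "YYYY-MM-DD HH:MM:SS src=<host> dst=<ip>:<port> bytes=<n>".


def _lines(day, host, dst, count, bytes_each):
    """Constructed sample lines: `count` connections from host to dst on one day."""
    return [f"2008-11-{day:02d} 10:{i:02d}:00 src={host} dst={dst} bytes={bytes_each}"
            for i in range(count)]


# Seven quiet days: ws-01 moves ~40 kB/day, ws-02 ~20 kB/day, both only to 10.0.0.5:443.
_WS01_DAILY = [41000, 39000, 42000, 40000, 38000, 43000, 40000]
_WS02_DAILY = [20500, 19500, 21000, 20000, 19000, 21500, 20000]
BASELINE_LOG = []
for day, (b1, b2) in enumerate(zip(_WS01_DAILY, _WS02_DAILY), start=1):
    BASELINE_LOG += _lines(day, "ws-01", "10.0.0.5:443", 4, b1 // 4)
    BASELINE_LOG += _lines(day, "ws-02", "10.0.0.5:443", 4, b2 // 4)

# Day 8: ws-02 is normal; ws-01 pushes 360 kB to an address it has never contacted.
TODAY_LOG = (_lines(8, "ws-01", "10.0.0.5:443", 4, 10000)
             + _lines(8, "ws-01", "203.0.113.9:443", 36, 10000)
             + _lines(8, "ws-02", "10.0.0.5:443", 4, 5000))


def parse(line):
    """Turn one log line into a dict with date, src, dst and integer bytes."""
    date, _time, *pairs = line.split()
    rec = dict(pair.split("=", 1) for pair in pairs)
    rec["date"] = date
    rec["bytes"] = int(rec["bytes"])
    return rec


def build_baseline(lines):
    """Per-host profile: median daily bytes, MAD, and destinations seen."""
    per_day = defaultdict(lambda: defaultdict(int))  # host -> date -> bytes
    dsts = defaultdict(set)                           # host -> {dst}
    for r in map(parse, lines):
        per_day[r["src"]][r["date"]] += r["bytes"]
        dsts[r["src"]].add(r["dst"])
    profile = {}
    for host, days in per_day.items():
        totals = list(days.values())
        med = statistics.median(totals)
        mad = statistics.median(abs(t - med) for t in totals)
        profile[host] = {"median": med, "mad": mad, "dsts": dsts[host]}
    return profile


def robust_z(x, median, mad):
    """Median/MAD z-score; a flat baseline (MAD 0) gets a 5%-of-median floor."""
    sigma = 1.4826 * mad if mad > 0 else max(0.05 * median, 1.0)
    return (x - median) / sigma


def score_day(lines, profile, z_threshold=5.0):
    """Return (host, kind, detail) findings for one day's lines against the profile."""
    totals = defaultdict(int)
    seen = defaultdict(set)
    for r in map(parse, lines):
        totals[r["src"]] += r["bytes"]
        seen[r["src"]].add(r["dst"])
    findings = []
    for host in sorted(totals):
        base = profile.get(host)
        if base is None:
            findings.append((host, "new-host", "no baseline for this host"))
            continue
        z = robust_z(totals[host], base["median"], base["mad"])
        if z > z_threshold:
            findings.append((host, "volume",
                             f"{totals[host]} bytes, robust z={z:.1f} "
                             f"vs median {base['median']:.0f}"))
        for dst in sorted(seen[host] - base["dsts"]):
            findings.append((host, "new-destination", dst))
    return findings


def run_example():
    """Score the constructed day 8 against the constructed seven-day baseline."""
    return score_day(TODAY_LOG, build_baseline(BASELINE_LOG))


if __name__ == "__main__":
    for finding in run_example():
        print(*finding)
```

The median/MAD score is used instead of mean/standard deviation so that one bad day in the baseline window does not drag the "normal" level up; the destination check is a plain set difference, which is crude but catches the first contact with a new external host, which is exactly the trail the paragraph above says to look for.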

I have this mantra called “React Faster.” I don’t think there is any way to reliably get ahead of the next attack. We’ve failed miserably in predicting much of anything through time. Thus, the focus should be on figuring out whether you have a real problem. That represents real risk and needs to be dealt with.

You’ll be able to take action when you need to, since the researchers will still be out there doing their thing and providing great information about the attack. Amazingly enough, most researchers aren’t in it for the press clips. They thrive on doing the right thing. I doubt they’ll mind that you never visit or call anymore.

Neither will your significant other, now that you’ve got a bit more time to work on that “honey do” list.

* Mike Rothman is senior vice president of strategy at eIQnetworks and author of The Pragmatic CSO. He is also the chief blogger at Security Incite.
