Security futurists shun perimeter, anti-virus systems

Speakers at Source Boston 2008 conference contend that enterprise should look to outsourcing and grid computing to protect against increasingly sophisticated hacker attacks

Outsourcing, grid computing, and hacker professionalism are trends that cannot be stopped, and the sum total of those factors will have a dramatic effect on the way businesses attempt to protect their IT system in the future, researchers and analysts agree.

The intersection of groundbreaking new IT architecture and previously unparalleled levels of professionalism among writers of malware attacks will result in an increasingly challenging electronic business environment, according to speakers at the ongoing Source Boston 2008 conference.

And while such estimations are sometimes characterized as fearmongering set in motion by an IT security industry dependent on the presence of new attacks to keep its coffers full, the assembled experts appeared to suggest as many answers as they proposed potential problems that need to be solved.

Each technological step forward should present its own array of security challenges and create new opportunities that force companies to continue to reassess their defenses, the presenters said.

Even mature IT trends such as outsourcing are having a significant impact on the changing manner in which businesses address security today.

"The reality is that we will be outsourcing some security functions," said Rich Mogull, an industry analyst with Securosis. "Organizations need to both take advantage [of outsourcing] where it makes sense and integrate outsourced security opportunities. At the same time, companies can't transfer all of their risk by handing off responsibilities to someone else; just because someone is handling your credit card information, customers won't let you off the hook if something goes wrong."

Companies will increasingly apply a mix of on-premise IT defenses and "in the cloud" security services to maximize their ability to thwart attacks and to adjust their protection to account for other outsourced operations, the analyst said.

"Companies will have a mix of outsourcing and in-sourcing," said Mogull. "For security, especially for things like firewall management, outsourcing absolutely makes sense. You'll also have companies outsourcing workstation systems management, and eventually they will outsource anti-virus management as well."

And just as attackers have leveraged the potential of grid computing via botnet systems that some experts estimate to be as powerful as the world's largest supercomputers, the IT security industry must likewise tap into distributed processing power to better protect customers, the presenters said.

With the bad guys already getting deep into grid computing, it will be crucial to fight firepower with firepower, they said.

"Companies will be distributing security [capabilities] to help figure out ahead of time where anomalous things are occurring; technologies will take advantage of distributed [sensors], virtualization, and grid computing to garner data using the herd mentality," said Chris Hoff, chief architect of security innovation at Unisys. "When you think about infrastructure in 10 years, instead of thinking about where virtualization gets us in terms of consolidation, [think] about distributing [security] processes to pools of memory and computing power."

Based on those major trends and other new paradigms, including virtualization, SaaS (software as a service), and SOA, companies will also have to consider new ways to address the issue of maintaining less concrete perimeters for their networks and IT systems.

As evidence that major security vendors already understand this emerging shift, the experts highlighted the fact that more than 20 such companies immediately signed on to help support new systems-defense tools from virtualization market leader VMWare, even though the technology being pitched is still under development.

"The concept of re-perimeterization will involve taking the [existing] perimeter and making it stronger, condensing it in places, and adding all sorts of little internal perimeters," said Mogull. "It's not that the perimeter will disappear soon, but it will consolidate. Companies don't have a choice about this; with remote workers and virtualization, this is already happening today."

However, perhaps the biggest shift in IT security is one that is already transpiring around information protection, as companies shift their primary focus away from systems defense to safeguarding their valuable data.

Both experts are endorsing an approach they have labeled as the "info-centric lifecycle," through which companies will create mechanisms to secure data from the time it is created until the time it is destroyed, with different tools and policies involved for protecting information in every phase of its existence.

In another Source conference session, Yankee Group analyst Andrew Jaquith set forth the strategy he feels that anti-virus vendors must adopt to make their products more effective at stopping today's increasingly complex and customized malware attacks.

With malware authors already creating so many variants of their attacks, the result has been the equivalent of a denial-of-service assault leveled at anti-virus research labs, which can't possibly hope to write signatures fast enough to keep up with all the new threats, the expert said.

To help address the problem, the analyst contends that anti-virus providers need to move beyond the current defense model that emphasizes attack prevention and push their products and services further into attack detection and response.

So many threats are evading the traditional preventative approach used today that the transition must be made rapidly, with vendors moving to adopt their own in-the-cloud hosted anti-malware capabilities for identifying and reacting to attacks more quickly. More emphasis should also be placed on sharing information between anti-virus providers, the analyst said.

The continued adoption of a "herd" model among anti-virus systems that employs threat profiling on widely distributed end-point devices to gather information on new attacks, and central repositories of such data maintained by the vendors, will be another crucial element of future defense mechanisms, said Jaquith.

"Where we need to go from an industry perspective is to de-emphasize prevention, versus some of these other elements; vendors need to discover telemetry and [examine] applications running our machines and use that information to build better software, compared to the top-down, no-feedback model we have today," Jaquith said. "The current situation isn't working; malware defenses are not keeping pace and threat profiles are a lot different; the top-down model is a weak link."