In search of standards

The lack of interchange standards in the security industry hurts everyone

A few days ago I met with Philippe Courtot, chairman and CEO of Qualys, to discuss an upcoming test of his company’s product. As we talked about the test parameters, he mentioned that he would be able to demonstrate how his product would interface with an IDS (intrusion detection system), but only if we could find one that his product could exchange data with.

Last month, I had a similar conversation with engineers at Symantec about InfoWorld's upcoming test of Symantec Managed Security Services. This time we needed to find a firewall as well as an IDS that was compatible with the Symantec products.

In both discussions, a major theme was the proprietary nature of these security products: They’re really designed to work only with other products from their own company or with a certain limited set of third-party products.

In both cases, the open-source Snort IDS was the only such product that could be counted on to work. Now we’re trying to figure out what to do about the firewalls so we can begin testing at the University of Hawaii’s Advanced Network Computing Lab. Hopefully, we’ll have an answer soon -- and when we figure it out, we’ll let you know.

But that doesn’t really solve your problems. If you’re trying to implement a comprehensive enterprise security system, you must pick products that will do the best job for your company. Unfortunately, those products may not also be the ones that will communicate with the other products in your security environment.

So you have the unenviable choice of selecting solutions that don’t solve your problems as well as they could, or solutions that will be much more complex to manage than they might be. Most likely, you’ll end up with products that will be less effective than you’d like.

Kinda reminds you of the early days of computing, doesn’t it? Remember when there was no floppy disk standard? You might have data on a machine running CP/M and be unable to move it to another machine running the same operating system because the machines didn’t have compatible disk formats. Now we’re finding ourselves unable to exchange our security appliances and software data because they don’t have a common standard. The software interface or the log files of your IDS can’t be used by your security management console, for example.

The sad thing is, there’s no good reason for this massive incompatibility. It happens because the companies that design these products only take into account what they need for their own use. So the IDS or firewall log files are designed to work with the management software that comes with their products, but probably aren't designed to work with anything else.

The answer, of course, is a data interchange standard. I don’t know if there’s anything afoot that would become such a standard; if there is, I haven’t heard about it yet. But there should be. After all, what's so difficult about agreeing to create log files or message formats that simply put like information in the same place?

Yes, I know it’s harder than it seems. And of course, there are any number of complications I haven’t mentioned. But the biggest impediment is the lack of interest on the part of many companies to make open standards -- they lack incentive.

I’ll help provide such incentive by reporting on their openness when I review these products. You can generate incentive by demanding it when you buy.