The Next Web has posted what amounts to an advertisement masquerading as an article about how the cyber security industry is a billion dollar scam. The author claims cyber security vendors are purposely selling outdated technology it knows to be ineffective at preventing cyber attacks. First, the author sets the stage by claiming the the current model is broken (emphasis added):
According to Price Waterhouse Coopers, the total number of security incidents has increased 66 percent year-over-year since 2009. In 2014, there were 117,339 incoming attacks a day, an increase of 48 percent over the year before, accompanied by a rise in financial losses. Not only are these attacks more frequent and expensive, but they are also happening on a larger scale – 77 million records stolen from JPMorgan, 80 million records stolen from Anthem, Target, Home Depot, Sony, and the list goes on.
The connection between more cybercrime and more spending is clear. What is not clear is that more spending on security technology has actually done anything to curb the crime. Most of the security products out there use 20th century technology against 21st century foes, and they are obviously failing.
The author follows this by discussing how cyber security vendors are primarily selling products based on antiquated anti-virus technology rather than newer types of unproven solutions possibly more capable of preventing successful attacks (emphasis added):
Tools from mainstream security vendors are primarily based on an outdated, antivirus approach that relies on having prior knowledge of an attack. Threats are detected by comparing a program’s software to known malware in a virus dictionary. If a piece of code matches an entry in the dictionary, this raises the red flag.
Most of the security products available on the market are just a half-step better than old antivirus products. This method fails today because it only works if an attack has been seen before. Modern cybercriminals[sic] are more sophisticated than that. We are no longer looking at kids in a dorm room coming up with annoying little hacks.
While I will not disagree that there is a lot of outdated technology on the market today, that does not mean it is entirely ineffectual. The modern cyber attacker is generally backed by a well funded crime syndicate, or at worst a nation state, and are very good at what they do. Their level of sophistication requires organizations to use advanced cyber defenses to protect their crown jewels. This is well understood by every cyber security professional.
Next, the author rants about how there is this unwritten treaty – whereby treaty he means collusion – between the security vendors and the hackers, leveraging fear, uncertainty, and doubt to force organizations to spend a lot of money on useless technology (emphasis added):
The companies that make these products sell them for millions of dollars, knowing that they won’t work. Then when they fail, the vendors ask for millions more dollars to tell their clients why they failed. It is a racket. Without the “robbers,” the “cops” have no business; the more breaches occur, the more money the cybersecurity companies make.
Why hasn’t this Unholy Alliance between hackers and cybersecurity vendors received more attention? And why do organizations keep buying their products? One factor is secrecy – the security industry is not transparent in an alleged effort to protect security, and this means that these inadequate products continue to sell and continue to fail. Marketing is another factor. It’s not the best product that wins, but the best marketed product.
So now we are starting to get to the heart of the authors issue: organizations continue to spend money with the same vendors who previously sold them products that were ostensibly inadequate in preventing a breach. What the author fails to even remotely address is the complex nature of the problem, and more importantly, that buying expensive technology is not going to be one hundred percent effective in preventing every cyber attack. There will never be a time when this will be true.
Preventing successful cyber attacks requires a multi-faceted approach, combining technology, highly trained cyber security personnel, and an educated workforce, among other things. If an organization believes buying a security tool will solve all their security needs then they are sadly mistaken, and likely did not ask the right questions.
The author seems to take issue with marketing as well, and I can sympathize with this position. There are two particular security vendors – Palo Alto Network and FireEye – who spend a lot of time, money, and effort on marketing their known inferior products. There are plenty better technologies being sold today but as a result of their marketing campaigns, organizations believe they need to buy tools from these companies to stay protected.
Nothing could be further from the truth.
But here is the kicker – the part where we finally understand the context for this essentially pointless, baseless rant of an advertisement purporting to be an actual well researched, well written article (emphasis added):
In order to be effective, security software can’t rely on prior knowledge. It has to somehow figure out what is happening without looking at a list, because that list is inevitably going to be stale and incomplete. A better approach is to use Big Data and machine learning, which make it possible to identify patterns and predict discrepancies in real-time based on actual circumstances, not old or useless information.
The major security vendors are not taking this approach because it is in their best interest to keep the breaches happening. For this, they are just as culpable as the hackers themselves. In addition to developing new, better approaches for preventing attacks, startups also have an opportunity to realign the goals of the security industry to put customers’ best interest at the core.
I do not even have to address the sheer stupidity of the baseless claim that the major security vendors are not taking the approach the author outlines because there is some ostensible conspiracy to keep the industry status quo so the old guard can continue to generate revenue. Saying the vendors are the problem is to claim handgun manufacturers are at fault when an adversary shows up to a fight with a tank. The author seems to have no problem telling lies of his own so long as they suit his narrative.
Finally, the big data and machine learning comment is really the crux of this advertisement: at the bottom of the article, the author is listed as John Prisco, the CEO of Triumfant Security. Guess what types of cyber security products Triumfant makes? From their very own about page (emphasis added):
Our advanced analytics and intelligent, precision-based technology enable us to detect, analyze and immediately resolve attacks that bypass traditional, signature-based defenses.
Self-learning and continuously evolving, Triumfant’s endpoint protection technologies pick up where others leave off – effectively closing the gaps left by firewall, antivirus, sandbox technologies and Intrusion Prevention Systems. Triumfant not only captures data and detects malicious activity in real time, but it also verifies, contains, investigates, remediates and prevents future attacks.
So basically, this entire article was one big tear-down of the existing cyber security industry to make some claim that his company produces superior technology. The author basically calls into question both the ethics of those in the cyber security industry, and then claims there is a big conspiracy between the actors and vendors. His solution is for the world to stop using the technology from his competitors and to start using the very technology his company is known for creating. But because his company does not have a large marketing budget, they are losing out to the likes of PAN, FireEye, Fortinet, and other cyber security vendors who are knowingly selling ineffective tools.
Shame on The Next Web for publishing this in such a way it looks like an actual article rather than framing it for what it is: a well written advertisement purporting to be an actual well researched article on the state of overspending in the cyber security industry.
Shame on the author, CEO John Prisco of Triumfant, for his claims of collusion, and claiming the cyber security industry knowingly selling defective products, when I guarantee he knows otherwise. Rather, he uses this ruse as a red herring to better position his company’s technology.
Here’s a protip for John: if your machine learning, data analytics, and predictive analysis are that good then why dont you actually demonstrate how well these tools are at detecting and preventing cyber attacks? Do not use TNW to bash the very industry your company is apart of only to try and sell the next best security product. Let your technology speak for itself and show its effectiveness and reliability. Once you do that, then the industry will take you seriously.
I should point out that I agree – machine learning and predictive analysis is where the industry needs to go and where it is currently headed. However, no company has yet to realize the potential of these ideas and produce usable, reliable technology truly capable of meeting the marketing rhetoric. We need better AI for this to happen, and we are close, but it is still a few years out before we will really have an effective tool of this nature.
Until then, companies like Triumfant should work on improving and perfecting their imperfect technology rather than penning pointless drivel like this article. The industry respects results not rhetoric.
Disclaimer: I work for Intel Security, one of those companies John Prisco claims to be knowingly selling defective tools, and one in that conspiracy circle of hackers and cyber security vendors he accuses exists.