Putting An End To Security Snake Oil

By Chris Dawson | March 16, 2015

Imagine it’s the late 19th century. Modern medicine is in its infancy. Folk cures, snake oil, and patent medicines are still being peddled to naive consumers, and a nascent market for legitimate pharmaceuticals struggles to balance profit and genuine benefit for patients. A desperate public, struggling with diseases like tuberculosis and polio, needed real medicine but settled for whatever miracle cure they could find (or what early marketers told them would work).

Then, in 1906, Congress passed the Food and Drugs Act, giving new powers to the US Bureau of Chemistry, the agency that would eventually become the FDA. Suddenly, medications had to comply with standards for purity and formulations, the groundwork was laid for rigorous clinical trials, and marketing became more about truth and science than about inflated claims and potential profits.

While few would argue that the FDA as we know it today is perfect, consumers and doctors alike can generally assume that approved and regulated medications meet high standards for effectiveness and safety.

When it comes to information security, though, we don’t have regulatory bodies that can provide the same level of assurance for the safety of our data or the effectiveness of our security solutions. Instead, we have data sheets. Data sheets are marketing materials that security vendors publish touting the abilities of their hardware and software to detect threats and keep the bad guys at bay. Imagine if you needed to decide which cholesterol drug to take based solely on advertising from various pharmaceutical companies. At the same time, imagine if there was no oversight on that advertising. It would be a dangerous and risky proposition.

Obviously, there are no higher stakes than our health. But in security, the stakes are still remarkably high. Companies’ reputations are on the line, customers’ credit and identities are at risk, and costs from a data breach can quickly rise into the millions of dollars. Smaller companies can easily be put out of business by one well-timed attack on their networks.

Fortunately, absent an agency like the FDA to verify the ability of solutions to keep our data and networks safe, independent third parties have emerged to put security hardware and software to the test. One organization that has really stepped up to fill this gap is NSS Labs. They have been testing security solutions from every major vendor for years and making the results of the tests available to IT decision makers who can use the data to decide which hardware best meets their needs.

This week NSS Labs opened the virtual doors on their Cyber Advanced Warning System (CAWS). As Nicole Perlroth explained in a New York Times blog post,

“NSS Labs...has developed a testing service that will allow corporations to see how vendors stack up, including which real threats their products are blocking, and which they are not. That kind of basic benchmarking is long overdue in an industry crowded with security firms that love to claim their products catch all the threats their competitors do not.”

The service is easy for users but incredibly sophisticated on the back end. As NSS Labs explains, the system is not focused directly on the countless bits of malware and wide range of threats floating around on the Internet, but rather on exploits - the particular means by which hackers can get into an organization’s network and wreak havoc. For example, users can profile versions of software, operating systems, and specific security hardware in use in their organization and then receive near real-time information on whether the combination is vulnerable to attack. NSS Labs uses real data from BaitNet, a test environment that obscures itself from hackers but that can comprehensively and safely evaluate threats and vulnerabilities with incredible speed and precision.

CAWS benefits businesses in several ways but the most important are:

  1. Increased situational awareness - It answers the question, “Are my current systems vulnerable to real threats in the wild right now?” This allows businesses to address those holes before they fall victim to an attack.
  2. Evaluating security solutions in the context of their needs - In this case, it answers the question, “Which security solutions best protect my network based on the software and operating systems I have in place?”

This is absolutely essential information for businesses as they look to proactively protect their networks and as they purchase new security hardware.

As security becomes the top concern for organizations operating in an increasingly unsafe environment and handling more sensitive data than ever before, tools like NSS Labs CAWS are the only way for businesses to sort out the security snake oil from reliable protection. And since no security solution is 100% effective all the time, the Cyber Advanced Warning System itself is a powerful additional layer of security for organizations that put the safety of their customers’ data first.