Why Security tools are like pr0n to the Security Professional

I love the technical end of Security. Coming from a mathematical background, I crave that buzz that comes from proving a tough theorem. In Security, there is nothing that really matches the buzz of reversing a tough binary, or figuring out some undocumented protocol with nothing but blackbox fuzzers and a packet sniffer, or writing that fuzzer that generates an exception in some popular app. Security research is sexy, fun and stimulating. At the same time, it doesn’t often impact the bottom line (or goal) of a more secure network. It’s mental masturbation – fun, habit-forming, sometimes beautiful but meaningless shortly after complete.

Now, all of this uber-technical research leads to … well, it leads to uber-technical security tools. Cool tools – Star-Trek-Cool or Matrix-Cool. We have tools which mimic the human body and tell us when an anomaly occurs within a TCP session, or when a kernel call was followed by some other call which had not been modelled into the norm. We have tools which automatically shut down attacks based on some learned or programmed behavior. We have tools which exploit a flaw and then drop a shell, allowing the clueless user to initiate a second scan from the exploited machine. I could go on and on. We have a veritable CRAPLOAD of tools. We buy these tools, rush them home to our shiny network, deploy them, and at the end of the day there is no discernible increase or decrease in Security Posture. It doesn’t take a Phd in Statistics to tell us that the tools are (at best) a marginal help. They make us *feel* more secure without actually being more secure. Are the tools useless? Some of them are. Are the tools either used wrongly or used at the wrong time in the Security cycle? Many times, yes.

The problem is that the really useful security applications have already been discovered, marketed, and sold. Firewalls, vulnerability scanners and anti-virus are largely useful tools, but that market is already saturated. So, we get these over-engineered, marginally useful security tools. Many vendors would have us buy a tool for it’s technical aesthetic value. Many of these tools are breathtakingly spectacular, complex, and elegant. We, the geeks, gather around a console at SANS, blackhat, or some other show and catch a chubby watching all that arousing, binary pr0n. And, at times, I nearly succumb and buy the product just to reward the original thought and sheer beauty of the engineering. But, I won’t buy a jigsaw if I need a hammer and neither should you. Art is art and a tool is a tool and rarely the two shall meet. A tool should serve a purpose – a specific purpose relative to your infrastructure and policy.

FOCUS. Are you with me? The goal of a Security Professional should be to (here it comes) increase the level of security on the network. As I mentioned in a prior post, securing a network can be as simple as creating, communicating, and enforcing a specific corporate policy. Increased compliance implies an increase in my security posture. The tool(s) that I deploy will be designed to increase compliance with policies and standards.


  • sunshine

    Amen. Every word.

    Looking at it from the other side, though, this comes to show some of the ill in our industry. People buying “products” to do security rather than incorporate products in their security strategy and infrastructure. Whether to help enforce policy or help detect intrusions.

    That’s the cheap consultants ran industry of today.

    I must say that from the whole world England and Sweden most impress me. They MANAGEMENT types security folks who are all CISSP-babble actually know what they are talking about and understand and see security as a maze and an artistic thing – only at a much higher macro level.

    Not to put down the rest of the world or the whole industry, but most of it is “cheap consultants” with a few good ones, and “products to buy in this budget year” alone with some new projects security and killing fires that show how insecure they really are.

  • http://www.peertech.org/ coderman

    The goal of a Security Professional should be to increase the level of security on the network… securing a network can be as simple as creating, communicating, and enforcing a specific corporate policy.

    search in blog: ‘identity management’ – Not Found, Error 404

    search in blog: ‘digital identity’ – Not Found, Error 404

    defining a robust system / method for digital identity management is a critical component of good security. i’d love to see you guys discuss this topic as your insight is useful and sharp.

  • http://www.waridtel.com Salman

    I completely agree. I guess more security professionals should learn to distinguish between craving for cool product and actual requirement.

  • sunshine

    There is cool product and there is “products are security” which is what vendors try to get us to think. Products come to be implemented as part of solutions, not to give solutions.

  • http://arik.baratz.org Arik

    The problem is that this goes against the corporate mentality that has the formula pretty much set – security is a problem, security software is a solution.

  • http://ravichar.blogharbor.com Ravi Char

    Dmitry – Very nice post indeed. I had some thoughts similiar to yours.

    Are security professionals shaving the Yak (http://sethgodin.typepad.com/seths_blog/2005/03/dont_shave_that.html) or implementing security?

  • http://www.shareware123.com/utility/security_encryption/index_31.htm security tool

    to protect our privacy, we should own our security software!