ISS exec on security threat prevention

Security architectures that are designed solely to react to threats instead of preventing them in the first place are doomed to fail in a world of fast-evolving and self-propagating threats, says Tom Noonan, CEO of Internet Security Systems.

What do you see as some of the big trends in the security market?

This whole notion of reaction in terms of how our systems have been built is running out of steam. Preemption is going to be a very, very fundamental theme in the direction which security is taking. The concept of preemption basically addresses the question of why not avoid a threat or detect it and prevent it rather than react to it. If you look at the traditional security model, all of our technologies have been built as an ad hoc response to a new threat. Fifteen years ago, the only threat was floppy-transported viruses, so the solution was PC-based antivirus. When the threat became unauthorized access, we built firewalls; when it was spam, we built antispam; when it became spyware, we built antispyware tools; and when it is malicious content, we built content security tools. This entire industry has been built in an ad hoc, reactive manner. The technologies that lie underneath are all signature-based, and you cannot have a signature until you have an active threat. That was fine in a disconnected world.

When you mention "signature-based technologies," are you referring specifically to antivirus tools?

I'm talking about a signature that uniquely identifies a threat by name. Most intrusion-detection systems, most antivirus products, spam, spyware and content-security systems effectively work this way.

So how does being preemptive help?

Today, time and again, you see the devastating and pervasive impact of highly effective, self-propagating viruses and worms because the vast majority of businesses are dependent on multiple layers of reactive technology. Businesses are suffering daily from this reactive model. They have added every layer of protection they can, and they are still being compromised. The highly effective, self-propagating nature of Internet threats today forces companies into a reactive posture, and that is inefficient. The threat has scaled the control systems that are in place.

When you talk about being more proactive, it's not only technology we are talking about, right?

We are talking about technology and also about architecture. We are already seeing a pretty dramatic shift in security architectures on the Net. We are talking about management, which is very, very different in a preemptive world. We are talking about a dramatically different economic model in terms of the cost structure and clearly we are talking about different processes internally.

What shift are you seeing in security architectures?

A move away from point products toward platforms. The disaggregated, multiple layers are going away because the responsibility for making all that stuff work together has been thrust upon the unknowing IT department. The reality is that a whole bunch of acquired products marketed under the same brand, or the same bunch of products marketed under different brands, have never been built as a system or as a platform for security -- only as independent point capabilities to detect a threat.

You also mentioned a shift in security economics.

Since 2001, security budgets have been increasing on an average of 15 percent to 20 percent a year. That is totally unsustainable. No aspect of your cost structure can possibly sustain that kind of growth rate in a competitive global economic environment. CEOs and CFOs are forcing CIOs to be more efficient, not just with capital purchases but with the cost of labor itself. The economic shift in moving toward a platform is pretty significant. Platforms are built to be enterprisewide, meaning they are built and integrated to operate as one system from a vendor.

What kind of products or services are you delivering to help your customers address these trends?

If you look at our company, most people recognize us as the inventor of intrusion-detection systems and vulnerability-detection systems. From the start, the vision of this company was to build what we call the universal protection agent. We believed that threats would evolve, as would vulnerabilities, and they would continually change. Building any system that was threat-specific was fundamentally wrong to the long-term scale model. So this whole concept of preemption really began years ago with our vision of building a highly scalable enterprise system that could detect, analyze and prevent any kind of threats against vulnerable pieces of the infrastructure. Instead of focusing primarily on the threat, we are focusing on the vulnerabilities. Because we understand that vulnerability, we can protect against it.

Show Comments