Tom Noonan is fed up with the security industry.
He’s tired of seeing every new point solution touted as the savior of the Internet, and he’s had it with the hodgepodge of security technologies from various vendors not working together and causing administrators more headaches than the threats they’re trying to protect against.
This frustration is hardly unique among enterprise security specialists and CIOs. But it’s rare to hear the head of one of the world’s largest security vendors voice such concerns.
Noonan, the CEO of Internet Security Systems in Atlanta, says he has grown weary of trying to defend the prevailing wisdom in the security industry, which holds that enterprises need to adopt a best-of-breed approach to defending their networks, lest they fall victim to the shortcomings of one particular vendor.
“Best of breed is necessary, but it’s not sufficient. [The security industry has] been so damn pragmatic, building point solutions for every new threat that comes along, that we have a security architecture that doesn’t act like a system,” Noonan said in a recent interview in advance of his keynote speech at the RSA Conference in San Jose, Calif., which begins Feb. 13.
“Now we have a bunch of stovepipes. [ISS] has been trying to build a system that acts like a system. All of the components will work horizontally. In the past, a new threat has equaled a new box. We can’t keep operating like that.”
In his speech, Noonan said, he plans to unveil his company’s new strategy for delivering live security services to enterprises that have deployed ISS Proventia integrated security appliances.
The appliances include a variety of security functions, such as IDS (intrusion detection system) and intrusion prevention, and now ISS wants to use the software agents sitting on all of those boxes to deliver advanced protection services that customers can turn on and off at their discretion.
The first offering will be an automated vulnerability protection service, based mainly on the intelligence generated by the company’s X-Force research team. As the team discovers or learns of new vulnerabilities in various platforms, ISS will be able to automatically update the security policies on the Proventia boxes running at customer sites.
“If we find a vulnerability, we can do a remote security assessment of the customer’s environment and automatically update their policies on the system to block any threats against that [vulnerable] service,” Noonan said.
“When we talk to customers after attacks, their most common reply is, ‘If I’d only known.’ Now they don’t have to know.”
ISS plans to roll out a number of other similar services in the coming months to address threats to emerging technologies, such as VOIP (voice over IP). Customers will be able to turn on the services capability in the first quarter of this year.
These kinds of on-demand offerings are all the rage among software providers in other sectors of the industry, especially CRM (customer relationship management), ERP (enterprise resource planning) and other back-end systems.
But the security community has been slow to adopt the software-as-a-service model, in large part due to the concerns that many enterprises have about putting the security of their networks in the hands of outsiders.
Some managed services providers, including ISS, have offered managed security services for several years, but that model never took off on the large scale that some observers believed it would.
Noonan said he believes that the time is right for ISS’ on-demand offering, in part because cost pressures and a shortage of trained security personnel have made it difficult for some enterprises to put together talented in-house security teams.
“I think this is the future model, truly a live services model that feeds the system,” Noonan said. “It automates the process of protection across the network. It offers flexibility. The threat spectrum will continue to evolve and corporations can’t keep evolving for every regulation.
“Is what [the industry is] doing now working? The answer is clearly no. When you buy a security product, the next day it’s out of date. No one wants to buy crappy security. [With our model] the cost goes down; it’s simpler and more extensible.”