Stop Security Leaks Before They Start

Opinion: To stop trouble before it starts, focus on monitoring user activity, not squashing bad code.

Microsoft would like to sell you a total security platform including the access control, tokens and scanning software intended to make your system hacker- and virus-free. Cisco would like to sell you a total security platform based on an overarching network model that can find, isolate and defeat bad code before it rampages through your system. Now that the big vendors have found security religion, are the small vendors in trouble, and, moreover, can you ease your foot off the security pedal and let those big vendors do the driving? The answer in both cases is no.

At the recent RSA Conference in San Jose, Calif., I was taken by how much Microsoft and Cisco, after years of varying degrees of neglect, are suddenly pitching themselves as overall security providers. With their security tokens, "the network is the operating system" mantra and plans to contain data within walled confines before squashing the bug, those companies both sounded to me like the Sun Microsystems of years past. (Remember the Java ring?) They would like you to think that they have identified and are addressing the major security problems of today. I'd suggest they are addressing the major security problems of yesterday and are a bit blind to those of tomorrow.


In his keynote, Bill Gates defined the Microsoft vision as a "trust ecosystem" and said that "today, people live without this trust ecosystem by either limiting activities ... or they simply take risk." John Chambers, Cisco's CEO and president, said during his keynote that "security point products will move more and more into the network fabric." Both executives included nifty demos of how their upcoming products could authenticate, analyze and kick the bad bugs out of their systems.

However, as eWEEK News Editor Dennis Fisher writes, in Microsoft's case, at least, its security offerings might be good for the consumer space but won't have the heft to provide corporate-level security. I believe you could make the same argument for Cisco in trying to be all things to all networks: The company won't be able to provide the best-of-breed security products required for an ever-changing and challenging network world. Fisher argued, correctly, that the individual security vendors will face a tougher, but not fatal, business environment.

The individual security vendors will prosper by going where companies such as Microsoft and Cisco have not trod. In the case of RSA Security, that space has been in buying companies that analyze and alert their customers, such as banks, to unusual activity in order to head off a breach. RSA purchased Cyota for $145 million, which seems to me a lot for a company rumored to have about $10 million in sales, but it was also the type of transaction companies such as RSA need to make. "First and foremost, the security industry is very much a growth industry," RSA President and CEO Art Coviello told me during an interview at the conference.

Coviello said the consolidation is due to vendors that once built individual security solutions now developing a broader reach, since they have realized that the borders between solutions have become favorite hunting grounds for the hackers. I think Coviello is correct, but in buying such companies as Cyota, RSA has recognized that the next stage in security is analyzing actions that indicate security problems, rather than trying to keep all the borders shut to all forms of bad code.

Are Microsoft and Cisco equipped to analyze user activity before it reaches the threat level? Maybe someday, but not yet. The ability to analyze and flag user aberrations, rather than trap and squash known bad code, takes an entirely different approach to security: a signature scanner needs a catalog of what attacks look like, while a behavioral monitor needs a record of what each user normally does and flags departures from it. So far, that approach has been the province of large financial (and, yes, government spook) operations and has been beyond the economic reach of smaller companies. However, if businesses are going to stop trouble before it starts, they need to watch customer interaction rather than sniff for bad data. Stopping trouble before it starts is the place where security vendors will head and what your security projects must address.
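To make the contrast the column draws concrete, here is an added example (not code from the column, nor from RSA, Cyota, Microsoft or Cisco) that runs both models over the same activity log: a signature scanner that matches request payloads against known-bad patterns, and a behavioral monitor that learns a per-user baseline (countries seen, hours active, typical transfer size) and scores each new event against it. The event schema, the history and the day's events are constructed for the example, and the scoring weights and threshold are assumptions chosen to illustrate the idea, not a production ruleset.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass(frozen=True)
class Event:
    """One user action as a monitoring system would record it (hypothetical schema)."""
    event_id: str
    user: str
    ts: datetime     # when the action happened
    country: str     # geolocated source of the request
    action: str      # "login" or "transfer"
    amount: float    # transfer amount; 0 for non-financial actions
    payload: str     # request fragment that a signature scanner inspects


def _ev(eid, user, when, country, action, amount=0.0, payload="GET /account"):
    return Event(eid, user, datetime.fromisoformat(when), country, action, amount, payload)


# Constructed history: a few weeks of ordinary activity used to learn each user's baseline.
HISTORY = [
    _ev("h01", "alice", "2006-02-01T09:12", "US", "login"),
    _ev("h02", "alice", "2006-02-01T10:30", "US", "transfer", 100.0, "POST /transfer amt=100"),
    _ev("h03", "alice", "2006-02-03T14:05", "US", "login"),
    _ev("h04", "alice", "2006-02-03T15:20", "US", "transfer", 120.0, "POST /transfer amt=120"),
    _ev("h05", "alice", "2006-02-08T10:45", "US", "transfer", 90.0, "POST /transfer amt=90"),
    _ev("h06", "alice", "2006-02-10T09:50", "US", "transfer", 110.0, "POST /transfer amt=110"),
    _ev("h07", "alice", "2006-02-14T14:30", "US", "transfer", 130.0, "POST /transfer amt=130"),
    _ev("h08", "bob", "2006-02-02T08:10", "US", "login"),
    _ev("h09", "bob", "2006-02-02T09:00", "US", "transfer", 40.0, "POST /transfer amt=40"),
    _ev("h10", "bob", "2006-02-06T10:15", "CA", "login"),
    _ev("h11", "bob", "2006-02-06T11:40", "CA", "transfer", 60.0, "POST /transfer amt=60"),
    _ev("h12", "bob", "2006-02-13T09:25", "US", "transfer", 50.0, "POST /transfer amt=50"),
]

# Constructed events for the day under review.
TODAY = [
    _ev("e1", "alice", "2006-02-20T10:02", "US", "login"),
    _ev("e2", "bob", "2006-02-20T11:10", "US", "transfer", 50.0, "POST /transfer amt=50 memo=' OR 1=1--"),
    _ev("e3", "alice", "2006-02-20T03:14", "RO", "transfer", 9500.0, "POST /transfer amt=9500"),
    _ev("e4", "bob", "2006-02-20T14:00", "US", "login"),
]

# Known-bad patterns a content scanner would look for (illustrative, not a real ruleset).
KNOWN_BAD = ("' OR 1=1", "<script", "../../", "cmd.exe")


def signature_detect(events, signatures=KNOWN_BAD):
    """Flag events whose payload contains a known-bad pattern (the 'squash bad code' model)."""
    return [e.event_id for e in events
            if any(sig.lower() in e.payload.lower() for sig in signatures)]


def build_baseline(history):
    """Per-user profile: countries seen, hours active, and past transfer amounts."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "amounts": []})
    for e in history:
        p = profile[e.user]
        p["countries"].add(e.country)
        p["hours"].add(e.ts.hour)
        if e.action == "transfer":
            p["amounts"].append(e.amount)
    return dict(profile)


def anomaly_score(event, baseline):
    """Score how far an event departs from its user's baseline (weights are assumptions)."""
    p = baseline.get(event.user)
    if p is None:
        return 3          # unknown user: nothing to compare against, treat as anomalous
    score = 0
    if event.country not in p["countries"]:
        score += 2        # never seen this user from this country
    hour_gap = min(min(abs(event.ts.hour - h), 24 - abs(event.ts.hour - h)) for h in p["hours"])
    if hour_gap > 1:
        score += 1        # outside the user's usual window (+/- 1h, wrapping at midnight)
    if event.action == "transfer" and p["amounts"] and event.amount > 5 * median(p["amounts"]):
        score += 2        # far above the user's typical transfer size
    return score


def behavioral_detect(events, baseline, threshold=2):
    """Flag events whose anomaly score reaches the threshold (the 'watch the interaction' model)."""
    return [e.event_id for e in events if anomaly_score(e, baseline) >= threshold]


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    print("signature hits :", signature_detect(TODAY))        # ['e2']
    print("behavioral hits:", behavioral_detect(TODAY, base))  # ['e3']
```

The two detectors disagree on purpose. The scanner catches e2, an injection string in an otherwise ordinary transfer, but says nothing about e3, a clean-looking request that is nonetheless a large transfer from a country alice has never used at three in the morning; only the baseline comparison flags that one. Bob's afternoon login (e4) scores a single point for being outside his usual hours and stays below the threshold, which is the kind of tuning a real deployment spends most of its effort on.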

Editorial Director Eric Lundquist can be reached at
