Cyber security failures in the Western world have reached a pandemic stage. Research conducted by the National Security Agency (NSA), in conjunction with the Department of Defense, the FBI, the Department of State, local law enforcement, civilian security agencies, and large security providers such as Mandiant and McAfee, has shown that government and industry alike suffer from poor security practices.
The results of the research, published by the Center for Strategic and International Studies at the request of Congress, led to the establishment of the Top 20 Critical Security Controls for government and private networks alike. The data used in the study consisted of actual, verifiable attacks, and only controls designed to stop those attacks were included in the framework. The U.S. Department of State implemented these controls in 2009 and confirmed an 88% attack threat mitigation across its network systems.
For security professionals, these 20 critical security controls will not look new. Indeed, the NSA-recommended security practices consolidate many traditional security practices already codified in leading professional security standards such as National Institute of Standards and Technology (NIST) 800-53. The alarming aspect of the study is that while competent security standards for protecting America's networks and systems had already been developed, those standards have been poorly implemented across the country.
Examples of large security breaches resulting from poor security practices include a recent Distributed Denial of Service (DDoS) attack against Spamhaus, which clogged Internet lines and led Matthew Prince, Chief Executive of CloudFlare, to compare the attack to a nuclear bomb.
[Graphic omitted: some of the largest reported data breaches to date.]
Security experts note that the majority of security breaches are never reported. More alarming still, on networks lacking proper diagnostic tools and well-seasoned, trained security professionals, many security breaches go undetected.
From my discussions with top security professionals at leading security organizations, including Big 4 consulting and assurance companies, software such as antivirus and Intrusion Detection and Prevention Systems (IDS/IPS) is currently only marginally effective at catching security threats. Some estimate that such software stops malware only 15-20% of the time. The reason is that programmed security solutions can only address known attack methods; variants of popular attacks and newly created malware slide past many popular security products. In addition, many security solutions are installed out of the box with little modification or customization to the needs of each network, leading to reduced or ineffective defense.
Sophos has estimated that a new virus or piece of malware is created every half-second, which adds up to more than 50 million per year. While hackers previously sought notoriety for their exploits, many different types of hackers exist now. Many of them are quietly looking for network security weaknesses to commit industrial espionage, steal secrets from competing governments, get paid for finding weaknesses, or act as hacktivists protesting perceived societal wrongdoing. These attackers are not going to publicize their methods, which is why reports of popular viruses like Melissa have all but disappeared from mainstream television media. Reports of security breaches have once again been relegated to security journals and online blogs, away from the purview of most Americans.
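The point that programmed defenses only catch what they already know is easy to see with two detectors side by side. The following is an added example, not code from the original article or from any vendor named in it: an exact-hash "signature" detector and a crude content heuristic are run over a handful of constructed byte buffers that stand in for files on disk. The buffers, the signature set and the heuristic rule are all assumptions made up for the illustration; none of it is real malware or a real vendor rule.

```python
import hashlib
import re

# Constructed sample buffers standing in for files on disk (not real malware).
# "known" is the sample the vendor analysed; "copy" is byte-identical;
# "variant" differs from "known" by a single trailing byte; "benign" is a normal program.
KNOWN = b"MZ\x90\x00" + b"...CreateRemoteThread..." + b"\x00" * 16
SAMPLES = {
    "known":   KNOWN,
    "copy":    bytes(KNOWN),
    "variant": KNOWN + b"\x01",
    "benign":  b"MZ\x90\x00" + b"...hello world..." + b"\x00" * 16,
}
MALICIOUS = {"known", "copy", "variant"}   # ground truth for this constructed set


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Signature database as a vendor might ship it: exact hashes of samples already analysed.
HASH_SIGNATURES = {sha256_hex(KNOWN)}


def hash_match(data: bytes) -> bool:
    """Exact-match detection: fires only on byte-identical samples."""
    return sha256_hex(data) in HASH_SIGNATURES


# Content heuristic (illustrative, not a vendor rule): a PE-style header plus a
# reference to an API commonly associated with code injection.
INJECTION_APIS = re.compile(rb"CreateRemoteThread|WriteProcessMemory")


def heuristic_match(data: bytes) -> bool:
    """Heuristic detection: survives small changes that alter the hash."""
    return data.startswith(b"MZ") and INJECTION_APIS.search(data) is not None


def scan_all() -> dict:
    """Run both detectors over every sample; returns {name: {"hash": bool, "heuristic": bool}}."""
    return {name: {"hash": hash_match(d), "heuristic": heuristic_match(d)}
            for name, d in SAMPLES.items()}


def detection_rate(results: dict, method: str) -> float:
    """Fraction of the known-malicious samples the given method flagged."""
    caught = sum(1 for n in MALICIOUS if results[n][method])
    return caught / len(MALICIOUS)


if __name__ == "__main__":
    res = scan_all()
    for name, verdict in res.items():
        print(f"{name:8s} hash={verdict['hash']!s:5s} heuristic={verdict['heuristic']}")
    print("hash-only rate:", detection_rate(res, "hash"))
    print("heuristic rate:", detection_rate(res, "heuristic"))
```

The one-byte variant has a completely different SHA-256 and is missed by the signature set, while the heuristic still flags it. The flip side is that a heuristic this broad will also fire on legitimate programs that use the same APIs (debuggers, some installers), which is exactly why such rules have to be tuned per environment rather than left at their out-of-the-box defaults.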
Other Security Standards
In addition to the NSA research, NIST's SCAP (Security Content Automation Project) collects community vulnerability information and enumerates it for automated vulnerability management, measurement, and policy compliance. SCAP has found vulnerabilities similar to those identified in the NSA research. Australia's Defence Signals Directorate (DSD) found 4 primary and 35 secondary security controls that effectively mitigate security attacks. The 4 primary controls can be implemented at relatively small cost for most organizations. While the cost of security can be effectively streamlined, the cost of security breaches is rising significantly.
A recent Symantec report indicated that breaches involving social security numbers or credit cards cost companies $7 million per incident. A large part of the cost stems from a patchwork of state and federal requirements to report and respond to security threats. Congress has been trying to set a unified standard since 2009, but the bill has yet to pass.
Recent developments by some leading security companies show promise in thwarting Internet attacks. For instance, FireEye has developed a learning system that collects data on existing attacks from its subscribers using its custom tools. While hackers previously had the upper hand in combining known security weaknesses into highly complex attacks, FireEye's tools use the same method, sharing security breach data among subscribers, to raise the defense profile of every subscriber on the network quickly.
In addition, HP (HPQ) has developed software to link operational system logs with security event logging, enabling network operations and security teams to unite in common defense of corporate networks. Eliminating functional silos between network operations and security means more coordinated and efficient defenses against attackers.
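What "linking operational logs with security event logging" buys a defender is easiest to see with a small correlation rule. The following is an added example and not HP's product or any code from the original article: two constructed log excerpts (an operations log of service restarts and a security log of SSH authentication results; hosts, IPs and timestamps are invented) are joined on host and time. On its own, a service restart looks routine to the operations team and a login after a few failed attempts looks like a typo to the security team; together, within a short window on the same host, they merit a single combined alert. The log format, the regular expressions and the ten-minute window are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed operations log: service lifecycle events (not from any real system).
OPS_LOG = """\
2013-04-01T10:02:11 web01 systemd: Started nginx.service
2013-04-01T10:17:40 web01 systemd: Stopped nginx.service
2013-04-01T10:17:45 web01 systemd: Started nginx.service
2013-04-01T11:30:00 db01 systemd: Started postgresql.service
"""

# Constructed security log: SSH authentication results (not from any real system).
SEC_LOG = """\
2013-04-01T10:15:01 web01 sshd: Failed password for root from 203.0.113.5
2013-04-01T10:15:03 web01 sshd: Failed password for root from 203.0.113.5
2013-04-01T10:15:06 web01 sshd: Failed password for root from 203.0.113.5
2013-04-01T10:15:09 web01 sshd: Accepted password for root from 203.0.113.5
2013-04-01T11:00:00 db01 sshd: Failed password for admin from 198.51.100.9
"""

AUTH_RE = re.compile(r"sshd: (Failed|Accepted) password for (\S+) from (\S+)")
STOP_RE = re.compile(r"systemd: Stopped (\S+)")


def parse(text: str):
    """Split '<iso timestamp> <host> <message>' lines into (datetime, host, message)."""
    events = []
    for line in text.splitlines():
        ts, host, msg = line.split(" ", 2)
        events.append((datetime.fromisoformat(ts), host, msg))
    return events


def correlate(ops_text: str, sec_text: str,
              window: timedelta = timedelta(minutes=10), threshold: int = 3):
    """Alert when a login that follows >= threshold failures from the same source
    is followed, within `window` on the same host, by a service being stopped."""
    failures = defaultdict(int)          # (host, source_ip) -> failed attempts so far
    suspicious_logins = []               # (time, host, source_ip, user)
    for ts, host, msg in parse(sec_text):
        m = AUTH_RE.match(msg)
        if not m:
            continue
        outcome, user, ip = m.groups()
        if outcome == "Failed":
            failures[(host, ip)] += 1
        elif failures[(host, ip)] >= threshold:
            suspicious_logins.append((ts, host, ip, user))

    restarts = []                        # (time, host, service) for every Stopped event
    for ts, host, msg in parse(ops_text):
        m = STOP_RE.match(msg)
        if m:
            restarts.append((ts, host, m.group(1)))

    alerts = []
    for lts, host, ip, user in suspicious_logins:
        for rts, rhost, service in restarts:
            if rhost == host and timedelta(0) <= rts - lts <= window:
                alerts.append({"host": host, "source_ip": ip, "user": user,
                               "service": service, "login_at": lts.isoformat(),
                               "restart_at": rts.isoformat()})
    return alerts


def run_example():
    """Correlate the two constructed logs above."""
    return correlate(OPS_LOG, SEC_LOG)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Running it yields exactly one alert, for web01: the brute-forced root login at 10:15:09 followed by nginx being stopped two and a half minutes later. The db01 failure never pairs with a success, and the 10:02 start on web01 is not preceded by any login, so neither produces noise. Raising the failure threshold or shrinking the window is how a team tunes the rule to its own environment.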
Lastly, Cisco (CSCO) and VMware have teamed up to develop networking gear that integrates network firewall defenses with virtual computing used in cloud deployments. Current cloud configurations have patchwork security systems pulled from legacy network technologies. Security holes plague these legacy network implementations, but that is about to change as new technologies are adopted.
Informed technology investors stand to benefit from companies that develop next-generation security technology. Any development that specifically addresses efficient security threat mitigation while being kind to corporate bottom lines will capture market share quickly. While companies want better security, they have to balance expenditures against product results.
VMware (VMW) provides a cloud solution for companies wanting to reduce data center expenditures by virtualizing systems to maximize computing power over available hardware resources. VMware has a very mature product that is well documented and used by thousands of companies. This market dominance ensures that properly trained VMware administrators are in abundant supply. The company sports a very solid balance sheet with far higher assets than liabilities. In addition, it trades at a reasonable multiple to its book value.
VMware has raised its security profile in ESXi version 5, including improvements to the administrative access module and more efficient system patching. In addition, VMware's partnership with Cisco's hardware networking products provides a robust, integrated security solution with a hardware provider that dominates the corporate LAN device space.
Competitors include the hot OpenStack open source cloud computing software, based upon the Linux operating system. OpenStack is cheaper to adopt than VMware, but the system is newer and not as well documented; its costs are shifted from licensing to engineering. In addition, OpenStack is not a hypervisor, so it relies on other software such as VMware or KVM. For larger cloud implementations, OpenStack is expected to reduce costs. VMware provides advanced features that the company feels warrant its licensing fees and will likely appeal to more small to mid-size adopters of cloud technology.
VMware has already done a good job of reducing costs for its platform as well. At the end of the day, this battle reminds me of Windows versus Linux in the server market. Both platforms have seen robust growth and have served needs in the marketplace alongside each other. Most companies run both Linux and Windows servers, and I expect that VMware and OpenStack will similarly coexist as solutions in the cloud space.
VMware has solid upside and the company has announced higher profitability targets for 2014 - 2015. Recent earnings have disappointed, but these include divestitures and R&D expenditure that position the company for robust future growth.
Sourcefire (FIRE) provides subscription-based IDS/IPS software for intrusion detection and prevention. The company has a large market share and a proven, high-quality product; as far as intrusion prevention goes, Sourcefire is top quality. It has not developed a community-based approach to threat updates like FireEye's, which should emerge as a key threat to Sourcefire's business. Right now the stock is too expensive, but the company is key to the current security marketplace.
Symantec (SYMC) owns a domestic corporate software business, a storage division, and consulting services. The company has been losing share in the corporate market, and therefore revenues and profits have been flat. On the plus side, the company is very well positioned financially and is still recognized as an industry leader. It has begun focusing on the consumer market by renewing relationships with distributors. It has also announced entry into the mobile device security market, which is crowded with several AV providers including names like McAfee and AVG. Symantec will have to figure out how to differentiate itself in the mobile market while it strengthens consumer and corporate offerings. Symantec can avoid a RIMM-type collapse by increasing product innovation and avoiding unnecessary acquisitions.
Fortinet (FTNT) offers an integrated suite of software and hardware security products for IDS, firewall, VPN, network load balancing, application management, and vulnerability scanning. This product mix concentrates on sensitive security control areas highlighted by the NSA research. However, there are many other vendors in the same product space. Fortinet has won an award for the efficiency of its firewall and IDS products. Fortinet's strategy is to become an end-to-end network-layer management and security provider, and it has recently moved up in market share. The balance sheet is fantastic, but revenues are expected to flat-line in 2013 as the company concentrates on developing its cloud portfolio.
Companies that innovate and fill holes in the security sector should profit handsomely. Government and corporate networks are in dire need of effective security practices performed efficiently, and they will look to leading security firms to provide scalable solutions. In addition to maturing product portfolios, IT leaders would do well to strengthen their focus on security by hiring technicians with a proven security background, such as Information Assurance and Security professionals. Placing Information Security Officers atop corporate IT systems will drive mature security practices.
On that note, I have written a new research paper focused on securing the consumer Internet experience. The report delves into core Internet security issues and offers a step-by-step approach to combating cyber threats. The research report is downloadable for free, no registration required, in the Custom Research section of my website.