Solution providers say that some vendors are using the alerts to promote their own self-serving interests, unfairly tarring rivals with higher vulnerability ratings and refusing to publicly air their own dirty laundry. They say what's needed is a "no spin zone."
But even without the spin, the vendors putting out the alerts often come up with widely differing scores on a particular vulnerability. This lack of consensus requires solution providers to spend valuable time calming their customers' fears and defending their vendor partners' products. Many solution providers told CRN they're often stuck in the middle between their vendor partners and customers after an alert is issued, which is putting their traditional role of trusted advisor to the test.
Chris Thatcher, a director of security solutions at Forsythe Solutions Group, Skokie, Ill., said because of the various alerts barraging the market, a big part of a solution provider's role now is to help customers navigate through the multiple messages from vendors. "There's so much noise in the market and so much confusion," he said.
What's worse, confusion is increasing as more companies get into the business of threat analysis and bring proprietary ratings schemes to the table, said Peter Allor, director of intelligence at Atlanta-based Internet Security Systems (ISS), which has been putting out ratings since 1997. "There are definitely vendors who release bulletins and evaluate criticalities of other vendors' products who have overstated the severity of vulnerabilities," he said.
Another problem with security ratings is the sheer volume of alerts, which can be overwhelming and can cause people to tune out, Allor said. "When I'm getting all these threat alerts throughout the day, how do I decide which ones to focus on? The reality is, you can't. There's no way to say, 'This is the most important, and I'm going to change my workflow accordingly.' You get maybe one a month that warrants doing that," he said.
However, allowing vendors to publish their own perceived risk levels associated with specific vulnerabilities will continue to promote security practices that are based more on marketing hype than on factual information, said Steve Palange, president of TLIC Worldwide, a solution provider in Wakefield, R.I.
If a vendor finds a vulnerability in a competitor's product, the discovering vendor should communicate it directly to the affected vendor instead of using the situation to gain recognition for itself, Palange said. "It's one thing to say, 'Our IPS is better than our competitor's' in public. It's quite another to publicly say, 'Our competitor's IPS has a serious caching overflow problem that can easily be compromised by anyone with kernel-level access,'" he said.
A solution provider that sells the affected product after an alert goes out runs the risk of losing its customers' trust or being legally liable for using its professional expertise to persuade the customer that the product is capable of defending valuable assets, Palange said. "The ratings put pressure on resellers to factor these public announcements in deciding what products they recommend to their customers," he said.
At the very least, some solution providers told CRN that sifting through security alerts costs them valuable time and can bring their integrity into question.
"When customers view ratings and are barraged with 'patch it now or else' edicts from a variety of vendors or agencies, there is suspicion," said Darrel Bowman, CEO of AppTech, a solution provider in Tacoma, Wash. "Unless all of them are reporting the same severity [level], we're spending precious time researching why one rating is higher than another and [then] explaining the differences and recommending a course of action for the customer so they can feel confident in their decision."
ARE VENDORS SPREADING FUD?
On the vendor front, Symantec has been particularly vocal about other vendors' security flaws of late. As longtime partner Microsoft moves further into the security market, Symantec has been clashing with the Redmond, Wash.-based software giant on a number of issues. These include an intensifying intellectual property battle over storage technology that Symantec claims Microsoft is illegally using in Windows Vista, and Microsoft's decision to lock down the kernel in Windows Vista, which Symantec claims is an anticompetitive move designed to block security software vendors from developing products for the next-generation operating system.
Symantec recently published a series of three reports in which it discussed several security loopholes in beta versions of Vista, which is due to ship early next year. In the reports, Symantec researchers pointed to flaws in Vista's networking stack, the User Account Control (UAC) feature that limits user privileges to mitigate the impact of malicious code, and security features in the Vista kernel.
Symantec would be better served by evaluating the Vista betas and offering Microsoft constructive feedback instead of seeking publicity, said Glen Gulyas, COO at Auto Bid Systems, a solution provider in Herndon, Va. "Everyone knows what 'beta' means and what running a beta program is supposed to produce—feedback to fix problems. The question you have to ask is: Why shoot holes in a beta publicly? Other than exploiting a chance for Symantec to get its name in the media, it serves no purpose," he said.
Symantec's DeepSight Threat Management System, a subscription service that tracks threats and vulnerabilities from a database of more than 2,200 vendors, regularly scores vulnerabilities higher than other threat analysis firms—a move that hasn't escaped the notice of solution providers and vendors.
A source from a vendor whose products are regularly assessed by Symantec told CRN that DeepSight regularly overinflates the severity of his company's vulnerabilities.