REIGN OF CONFUSION

Security Spin Cycle


By Kevin McLaughlin, ChannelWeb

3:00 PM EDT Fri. Sep. 01, 2006
From the September 04, 2006 issue of CRN
However, from a business standpoint, Symantec has to send out alerts on a regular basis to demonstrate the value of its DeepSight product, said the source, who requested anonymity. "If you're paying for a service and they never alerted you, would you see value? It's kind of the same reason security guards walk around a building. Does the visible security actually make people safer, or does it make people feel safer?" he said.

Vincent Weafer, senior director of development for Symantec's security response group, said DeepSight consistently applies the same methodology in scoring all vulnerabilities. In terms of risk scores and impact statements, Symantec tends to be higher compared with some other vendors, but the analysis the vendor provides is more important and valuable to customers than the scores, Weafer said.

"When people look at risk ratings, they're looking for the assessment and intelligence piece of it—that's the value proposition," Weafer said. "Anyone can give a number."

Another reason DeepSight ratings are higher than others is that they're geared toward enterprise customers and not home users, Weafer said. "IT administrators will look at the information we provide and understand why we are making those evaluations," he said.

Symantec is "very rigorous" about applying the same threat analysis criteria to its own products as it does to those of other vendors, Weafer said. And in looking at how Symantec has rated its own vulnerabilities recently, it's clear that DeepSight has indeed rated Symantec flaws higher than other ratings organizations.

But when a vendor rates its own security vulnerabilities lower than other organizations, it can lead to questions about that vendor's objectivity. Last month, McAfee patched a vulnerability in SecurityCenter, a component in all of the Santa Clara, Calif.-based vendor's consumer security products, that could have allowed remote attackers to execute code and gain control over affected PCs.

While other organizations' ratings were all in the higher range, McAfee assigned it a score of "medium," or 3 on a 5-point scale, on the grounds that the exploit requires reverse-engineering of the software in addition to the assistance of the user.

"When we saw McAfee do that, we jumped to the conclusion that they were downplaying the seriousness," said Marc Maiffret, chief hacking officer at eEye Digital Security, the Aliso Viejo, Calif.-based vendor that discovered the vulnerability. However, after scanning McAfee's Web site for other vulnerabilities that had similar impact, eEye's researchers found that McAfee had consistently given a "medium" rating to that particular class of attack, Maiffret said.

"When you talk about security vulnerabilities, a lot depends on environment, configuration and other factors that can change a rating to be less or more important," Maiffret said. "The main thing behind the credibility of any vendor rating system is that, regardless of how you rate, you have to do it consistently."

>> "When customers view ratings and are barraged with 'patch it now or else' edicts from a variety of vendors or agencies, there is suspicion."
-- DARREL BOWMAN, CEO OF APPTECH

McAfee's Threat Center Web site assigns scores based on the origin of attack, whether user interaction is required, and the result of the attack, said Monty Ijzerman, senior manager of McAfee Avert Labs' Global Threat Group. McAfee currently assigns ratings only to patched Microsoft vulnerabilities, but by the end of the year, the security vendor plans to begin expanding its ratings to other vendors' operating systems and infrastructure components, based on what its customers have in place, Ijzerman said.

Steven Reese, security practice manager at Nexus Integration Services, a solution provider in Valencia, Calif., said he advises his customers to pay more attention to what the affected vendor says than to third-party ratings when it comes to gauging the seriousness of a vulnerability. "Most vendors may downplay vulnerabilities, but they are disclosing them. There's an implied level of liability to the manufacturer if they were to understate a flaw in their own products," Reese said.

To get beyond the hype, it's important to study a vendor's track record when it comes to addressing security issues on their own products, said Bill Calderwood, president of The Root Group, a solution provider in Boulder, Colo. Included in this analysis is how openly a vendor discusses its vulnerabilities, how quick it is to announce them, and its objectivity regarding the impact and urgency of threats, he added.

"If you can factor the severity of different vulnerabilities and exposures into your risk equations, you can better prioritize your response resources and minimize loss incidence," Calderwood said. "Besides, patch management is too tricky these days to just follow the old 'just patch it now' rule that we used to follow."

IS CVSS THE ANSWER?
The Common Vulnerability Scoring System (CVSS), a nascent industry initiative that includes the participation of Cisco Systems, Symantec, ISS and McAfee, aims to clear up the confusion by creating a vendor-neutral system for companies to evaluate threats and prioritize patching efforts.

CVSS will help eliminate situations in which a vendor might want to downplay the true impact of a vulnerability in its own product, or a security researcher might want to play up a vulnerability because he or she wants publicity, said Gavin Reid, chairman of the CVSS group within FIRST.org (Forum of Incident Response and Security Teams).

CVSS replaces vendors' proprietary rating systems with a 10-point scale that includes consistent metrics for evaluating vulnerabilities, according to Reid. The group also helps companies address the challenge of setting up policies for networks that include infrastructure from multiple vendors, he added.

Some solution providers feel CVSS is a step in the right direction. "We believe CVSS is necessary and will go a long way in reducing the FUD [fear, uncertainty and doubt] from the vendors that do end up mudslinging and misrepresenting severities," Calderwood said.

Vendors are becoming too vocal about each other's security issues, and the challenge of sifting through the noise will continue until CVSS reaches widespread adoption, Reese said.

Until that happens, though, solution providers will have to continue with damage-control efforts whenever an alert is issued for one of their vendors' products. And VARs that do due diligence and give customers a clear course of action will be the most likely to retain their trusted advisor status.

"Our customers don't know what CVSS is or what it wants to be," AppTech's Bowman said. "From a security standpoint, our customers are constantly deluged with information regarding the severity of a potential compromise to one of a hundred-plus products they use," he said.

"We can't be doing the Chicken Little thing and crying, 'The sky is falling' every time an alert goes out," Bowman said. "We have to be cautious and evaluate how those alerts affect our clients and then make recommendations."
