Security Spin Cycle
Solution providers say that some vendors are using the alerts to promote their own self-serving interests, unfairly tarring rivals with higher vulnerability ratings and refusing to publicly air their own dirty laundry. They say what's needed is a "no spin zone."
But even without the spin, the vendors putting out the alerts often come up with widely differing scores on a particular vulnerability. This lack of consensus requires solution providers to spend valuable time calming their customers' fears and defending their vendor partners' products. Many solution providers told CRN they're often stuck in the middle between their vendor partners and customers after an alert is issued, which is putting their traditional role of trusted advisor to the test.
Chris Thatcher, a director of security solutions at Forsythe Solutions Group, Skokie, Ill., said because of the various alerts barraging the market, a big part of a solution provider's role now is to help customers navigate through the multiple messages from vendors. "There's so much noise in the market and so much confusion," he said.
What's worse, confusion is increasing as more companies get into the business of threat analysis and bring proprietary ratings schemes to the table, said Peter Allor, director of intelligence at Atlanta-based Internet Security Systems (ISS), which has been putting out ratings since 1997. "There are definitely vendors who release bulletins and evaluate criticalities of other vendors' products who have overstated the severity of vulnerabilities," he said.
Another problem with security ratings is the sheer volume of alerts, which can be overwhelming and can cause people to tune out, Allor said. "When I'm getting all these threat alerts throughout the day, how do I decide which ones to focus on? The reality is, you can't. There's no way to say, 'This is the most important, and I'm going to change my workflow accordingly.' You get maybe one a month that warrants doing that," he said.
However, allowing vendors to publish their own perceived risk levels associated with specific vulnerabilities will continue to promote security practices that are based more on marketing hype than on factual information, said Steve Palange, president of TLIC Worldwide, a solution provider in Wakefield, R.I.
If a vendor finds a vulnerability in a competitor's product, the discovering vendor should communicate it directly to the affected vendor instead of using the situation to gain recognition for itself, Palange said. "It's one thing to say, 'Our IPS is better than our competitor's' in public. It's quite another to publicly say, 'Our competitor's IPS has a serious caching overflow problem that can easily be compromised by anyone with kernel-level access,' " he said.
A solution provider that sells the affected product after an alert goes out runs the risk of losing its customers' trust or being legally liable for using its professional expertise to persuade the customer that the product is capable of defending valuable assets, Palange said. "The ratings put pressure on resellers to factor these public announcements in deciding what products they recommend to their customers," he said.
At the very least, some solution providers told CRN that sifting through security alerts costs them valuable time and can bring their integrity into question.
"When customers view ratings and are barraged with 'patch it now or else' edicts from a variety of vendors or agencies, there is suspicion," said Darrel Bowman, CEO of AppTech, a solution provider in Tacoma, Wash. "Unless all of them are reporting the same severity [level], we're spending precious time researching why one rating is higher than another and [then] explaining the differences and recommending a course of action for the customer so they can feel confident in their decision."
ARE VENDORS SPREADING FUD?
On the vendor front, Symantec has been particularly vocal about other vendors' security flaws of late. As longtime partner Microsoft moves further into the security market, Symantec has been clashing with the Redmond, Wash.-based software giant on a number of issues. These include an intensifying intellectual property battle over storage technology that Symantec claims Microsoft is illegally using in Windows Vista, and Microsoft's decision to lock down the kernel in Windows Vista, which Symantec claims is an anticompetitive move designed to block security software vendors from developing products for the next-generation operating system.
Symantec recently published a series of three reports in which it discussed several security loopholes in beta versions of Vista, which is due to ship early next year. In the reports, Symantec researchers pointed to flaws in Vista's networking stack, the User Account Control (UAC) feature that limits user privileges to mitigate the impact of malicious code, and security features in the Vista kernel.
Symantec would be better served by evaluating the Vista betas and offering Microsoft constructive feedback instead of seeking publicity, said Glen Gulyas, COO at Auto Bid Systems, a solution provider in Herndon, Va. "Everyone knows what 'beta' means and what running a beta program is supposed to producefeedback to fix problems. The question you have to ask is: Why shoot holes in a beta publicly? Other than exploiting a chance for Symantec to get its name in the media, it serves no purpose," he said.
Symantec's DeepSight Threat Management System, a subscription service that tracks threats and vulnerabilities from a database of more than 2,200 vendors, regularly scores vulnerabilities higher than other threat analysis firmsa move that hasn't escaped the notice of solution providers and vendors.
A source from a vendor whose products are regularly assessed by Symantec told CRN that DeepSight regularly overinflates the severity of his company's vulnerabilities.
However, from a business standpoint, Symantec has to send out alerts on a regular basis to demonstrate the value of its DeepSight product, said the source, who requested anonymity. "If you're paying for a service and they never alerted you, would you see value? It's kind of the same reason security guards walk around a building. Does the visible security actually make people safer, or does it make people feel safer?" he said.
Vincent Weafer, senior director of development for Symantec's security response group, said DeepSight consistently applies the same methodology in scoring all vulnerabilities. In terms of risk scores and impact statements, Symantec tends to be higher compared with some other vendors, but the analysis the vendor provides is more important and valuable to customers than the scores, Weafer said.
"When people look at risk ratings, they're looking for the assessment and intelligence piece of itthat's the value proposition," Weafer said. "Anyone can give a number."
Another reason DeepSight ratings are higher than others is that they're geared toward enterprise customers and not home users, Weafer said. "IT administrators will look at the information we provide and understand why we are making those evaluations," he said.
Symantec is "very rigorous" about applying the same threat analysis criteria to its own products than it does for those of other vendors, Weafer said. And in looking at how Symantec has rated its own vulnerabilities recently, it's clear that DeepSight has indeed rated Symantec flaws higher than other ratings organizations.
But when a vendor rates its own security vulnerabilities lower than other organizations, it can lead to questions about that vendor's objectivity. Last month, McAfee patched a vulnerability in SecurityCenter, a component in all of the Santa Clara, Calif.-based vendor's consumer security products, that could have allowed remote attackers to execute code and gain control over affected PCs.
While other organizations' ratings were all in the higher range, McAfee assigned it a score of "medium," or 3 on a 5-point scale, on the grounds that the exploit requires reverse-engineering of the software in addition to the assistance of the user.
"When we saw McAfee do that, we jumped to the conclusion that they were downplaying the seriousness," said Marc Maiffret, chief hacking officer at eEye Digital Security, the Aliso Viejo, Calif.-based vendor that discovered the vulnerability. However, after scanning McAfee's Web site for other vulnerabilities that had similar impact, eEye's researchers found that McAfee had consistently given a "medium" rating to that particular class of attack, Maiffret said.
"When you talk about security vulnerabilities, a lot depends on environment, configuration and other factors that can change a rating to be less or more important," Maiffret said. "The main thing behind the credibility of any vendor rating system is that, regardless of how you rate, you have to do it consistently."
-- DARREL BOWMAN, CEO OF APPTECH
McAfee's Threat Center Web site assigns scores based on the origin of attack, whether user interaction is required, and the result of the attack, said Monty Ijzerman, senior manager of McAfee Avert Labs' Global Threat Group. McAfee currently assigns ratings only to patched Microsoft vulnerabilities, but by the end of the year, the security vendor plans to begin expanding its ratings to other vendors' operating systems and infrastructure components, based on what its customers have in place, Ijzerman said.
Steven Reese, security practice manager at Nexus Integration Services, a solution provider in Valencia, Calif., said he advises his customers to pay more attention to what the affected vendor says than to third-party ratings when it comes to gauging the seriousness of a vulnerability. "Most vendors may downplay vulnerabilities, but they are disclosing them. There's an implied level of liability to the manufacturer if they were to understate a flaw in their own products," Reese said.
To get beyond the hype, it's important to study a vendor's track record when it comes to addressing security issues on their own products, said Bill Calderwood, president of The Root Group, a solution provider in Boulder, Colo. Included in this analysis is how openly a vendor discusses its vulnerabilities, how quick it is to announce them, and its objectivity regarding the impact and urgency of threats, he added.
"If you can factor the severity of different vulnerabilities and exposures into your risk equations, you can better prioritize your response resources and minimize loss incidence," Calderwood said. "Besides, patch management is too tricky these days to just follow the old 'just patch it now' rule that we used to follow."
IS CVSS THE ANSWER?
The Common Vulnerability Scoring System (CVSS), a nascent industry initiative that includes the participation of Cisco Systems, Symantec, ISS and McAfee, aims to clear up the confusion by creating a vendor-neutral system for companies to evaluate threats and prioritize patching efforts.
CVSS will help eliminate situations in which a vendor might be want to downplay the true impact of a vulnerability in its own product, or a security researcher might want to play up a vulnerability because he or she wants publicity, said Gavin Reid, chairman of the CVSS group within FIRST.org. (Forum of Incident Response and Security Teams).
CVSS replaces vendors' proprietary rating systems with a 10-point scale that includes consistent metrics for evaluating vulnerabilities, according to Reid. The group also helps companies address the challenge of setting up policies for networks that includes infrastructure from multiple vendors, he added.
Some solution providers feel CVSS is a step in the right direction. "We believe CVSS is necessary and will go a long way in reducing the FUD [fear, uncertainty and doubt] from the vendors that do end up mudslinging and misrepresenting severities," Calderwood said.
Vendors are becoming too vocal about each other's security issues, and the challenge of sifting through the noise will continue until CVSS reaches widespread adoption, Reese said.
Until that happens, though, solution providers will have to continue with damage-control efforts whenever an alert is issued for one of their vendors' products. And VARs that do due diligence and give customers a clear course of action will be the most likely to retain their trusted advisor status.
"Our customers don't know what CVSS is or what it wants to be," AppTech's Bowman said. "From a security standpoint, our customers are constantly deluged with information regarding the severity of a potential compromise to one of a hundred-plus products they use," he said.
"We can't be doing the Chicken Little thing and crying, 'The sky is falling' every time an alert goes out," Bowman said. "We have to be cautious and evaluate how those alerts affect our clients and then make recommendations."