April 22, 2010 at 1:44 am #4960 Dark_Knight Participant
Hard to believe that I ever thought I would be sitting here wondering about the state of security as a viable career path. I have built my career up as a security dude/hacker for years, but lately I have been noticing a few things.
– Vendors are getting really good at detecting network anomalies and the interfaces are getting easier and easier to program.
– Threat vectors have become so large that now we look at a multi-tiered attack surface instead of a laser-beamed attack point.
– Some of the biggest threats are due to applications and bots.
Here’s the thing. I have been tasked to write a TechWiseTV episode on security and truthfully, the stuff I have is really about as exciting as watching a grad student take a calculus exam. There is really nothing “new” under the sun. Oh, sure – product updates, faster detection, less false positives, this header manipulation or that compliance support; yada friggen yada… I refuse to do old attacks like BGP, ARP Spoofing, WPA cracking, etc… I need new stuff!!!
Kinda cool? Ummm… yeah… but I do not go out and buy a new car every cycle to get a few nifty features. I suck it up and buy a car with a heated steering wheel when the one I currently have smokes out.
My question is this:
Have we finally done it and gotten to a point where security is handled via a SaaS provider?
Seems to me that a security design goes like this:
– Client-side protection (802.1X, TrustSec, AV, drive encryption)
– Device protection (TrustSec, SSHv2, DAI, SNMPv3, etc.)
– A firewall pair (deep rule set, N+1, line rate or close to it)
– Server Protection (TrustSec, drive encryption, AV)
– VPN subsystem (SSL, Mobile Phones, 3Des)
– Bonus: Log correlation device (OSSIM http://www.alienvault.com or MARS)
Press hard, the bottom copy is yours. (shout out to John Codrea!)
But the two BIG things on these devices are:
– How often are the devices updated to support the latest piss-ant bot, virus, DDOS or application vuln?
– How is MY staff managing the massive amounts of data generated by these devices? Or do I just plug ‘um in, config them and never touch them again?
Is that it? Have we gotten to a point of security templating? Sure, there are a few changes in every account, but for the most part; we security folks are battling the little stuff we have to wait on another vendor to take care. Not much I can do on an XSS except change the browser rules (or browser multiple times) or how many times can I email Adobe about yet another PDF exploit? To me, it feels like I am a security bottom feeder waiting on the next update. What fun is that? Once the gear is installed and tuned in, now what? Just turn it over to a SaaS provider and make sure the current threat level is addressed, I guess. When exploits get to the level of application exploitation, the hacker clearly has the advantage. They have an endless stream of applications, the element of surprise, endless worldwide resources and a complicated global legal system protecting them. They exploit and I wait for an update. I HAVE to have a team of full-time researchers 24x7x365 augmenting my staff to try and level the playing field. Point: SaaS security teams.
The real security action today seems to be at the research or hobbyist level, where folks are hunting C&C for bots and taking them down. Seems like many resellers I talk to agree that security folks are just not something they are asking for. It’s nice to know to design to but a dedicated career? No room at the inn. I tell folks all the time that a solid knowledge in security can really make you stand out from others when you design a VOIP, Data Center or foundational network.
Am I wrong here? Is security still a good career path for folks interested? I do not believe so anymore and it hurts to say that. I believe it is like an augmentation skill like Unity in Mass Effect 2. There will always be security but more and more I see it having to be more of a trusted third-party process that has those resources.
So what to about this show? Well, looks like ScanSafe is a good bet. IPS, ASA, CSA are out. LISP seems cool maybe some botnet stuff. Yawn… Is this really all there is??
Jimmy Ray Purser
April 22, 2010 at 2:31 am #31307 teedge77 Participant
Wow…this was borderline interesting as a viewpoint. Unfortunately, I was blinded by the third grade writing quality.
“Hard to believe that I ever thought I would be sitting here wondering about the state of security as a viable career path.”
I’m sorry….what? Did he mean never??
“So what to about this show?”
Ok…wait… no…wait….huh? Some other guy and I need to edit 3,889,334 other blogs. We don’t have time for this.
Anyway, SaaS is good for some people. I think SMBs would benefit most, as a result of lower overhead from SaaS options. Once you get to a larger enterprise, where there are constant changes to infrastructure and this requires constant tuning and auditing of it. A cost benefit analysis would probably lend more towards on site personnel constantly monitoring this evolving monster. There’s also a certain trust value that some businesses still hold on their proprietary info and the lack of trust they have with any third party, no matter how well recognized.
TJX puts a lot into their network security now. Obviously after the enormous black eye (bloody lip, broken nose, and knocked out teeth) they got; security has been something they no longer see as an extra if they can, but as a critical necessity. This requires constant attention and this attention needs to be well demonstrated and conveyed to management. SaaS doesn’t provide the face to face “What the hell happened?” or “Why are we spending this again?” that many corporate Lulus need.
Anyway…I’m tired so that’s as much as I can output for now.
Again….man that was written like crap. I just find it hard to take anything like that seriously. No matter how good of a point someone (not necessarily this guy) makes, if you can’t come off intelligently, then it is very difficult to take it seriously.
Interested to see what the rest of you think.
April 22, 2010 at 3:34 am #31308 impelse Participant
I think that you lost what makes you interested in security. You lost your passion for a moment.
Try to remember what excited you about security and why it does not do it anymore. Think of something more challenging for you or go to the other side like trying to implement systems instead of attacking those systems, etc etc, etc. You know better.
April 22, 2010 at 7:46 am #31309 Anquilas Participant
Actually I’m pretty happy that a viewpoint like this comes forward, because I’ve been toying with a similar question.
As you may know by now, I’m a new guy, training himself up to mutate to security one day as a career.
Everyone I talk to who has been down that path, says that at some point I have to ‘choose where I want to go, into what field of security I want to go deeper’.
Management doesn’t enter into the equation yet, so purely technical: I want to go either network security, or application security. (as a first, broad choice of direction)
I find the former the most interesting, but.. is there still so much to do there? I ask you guys, as most of you are pentesters: do you still get a lot of issues on that area?
Application security is interesting as well, and it seems like a more ‘fresh ground’ to make a bit of a difference, and a ground that will be asked much more by companies in the future.
My developing background might come in handy there, but meh, it just seems less interesting than network/os hacking on first glance.
This is a shout out for opinions, go nuts 🙂
April 22, 2010 at 9:43 am #31310 j0rDy Participant
Even though I’m not very long in the security field, I already see the demand for network security go down, and (web)application go up.
Network security is pretty much been there done that. Everybody has best practices and plenty of experience. I think it’s still useful to have knowledge of network security for penetration tests, but I have to admit, I think it’s getting a lot less exciting than it used to be.
Web application is the next hot thing. Think about availability of data (must be accessible 24/7) and the new hype of cloud computing. I can’t look into the future but I think the security field is, and always will be, an interesting field to work in where there will be plenty to learn and see…
April 22, 2010 at 2:07 pm #31311 caissyd Participant
I think everyone goes through something similar after spending about 10 years working in a field. I went through this last year after a decade as a web application developer (that’s why I am moving toward security now!).
By reading his post, it is obvious that he knows what he is talking about, but only in his field. Like mentioned above, he could maybe learn about webapps security and get interesting challenges this way.
Also, he mentioned that all he has to do is install and configure tools. He may have forgotten how long it took him to learn about all attack vectors, protocols, security tools, etc. So it is still a difficult job, he is just used to it.
April 24, 2010 at 12:55 am #31312 What90 Participant
Let’s start off with I disagree that Network Security is a Dead End Career.
Nice that Jimmy Ray has his say, but to me it comes over as he’s stuck in a loop and given up. He’d like to demo some new cutting edge attack to impress his viewers. Why? The “old” stuff works just fine and is STILL working on state of the art networks now. Just read the news on most breaches on networks, yes web apps might be the way in, but it is the good ol’ network flaws that let them get to the money.
Security constantly changes as the threats drive this change. In simple terms, the bad guys want your stuff, so they come up with new wacky ways to get it. The big but here is that if you don’t know the fundamentals of good security all the flashy new security services won’t do spit against a moderately smart attacker.
Jimmy’s take is too simplistic – Take the car industry, which is older than computers by a few decades. They are still finding ways to make road travel safer. Is it boring and dead end to rethink how to keep people safe? Must be dull smashing cars into walls trying to work out how to save lives. Surely they should have worked out a way to fix the simple problem of stopping crashes? His take would be why not just build jet packs and be done with car?
As a side, the “boring logs reviews” have led to me running down plenty of attackers and problems. Yes, a SIEM or auto-magic review tool helps in sorting the data, but still a human needs to make sense of what the bigger picture is and what’s going on.
From looking at the job ads, web pentesting jobs are the hot skills to have now. Yep, it’s a great skill set to have, but even if cloud computing removes LAN’s, once you hacked the web server you have to then get in and out of the network. That’s where network security steps in. In IT Security, you have to look at the whole picture, understand where the problems are and work to strengthen those weakest links.
Finally, if he does have a magic tool that can secure my environment, I’d love to see it. I meet with plenty of vendors that promise to make security a breeze and after a ten minute demo of them securing everything, I ask them how it works with x. X being one of the legacy or custom written systems. Oddly enough they don’t have a solution for that…
April 26, 2010 at 2:30 pm #31313 Anonymous Participant
Personally, I can understand the author’s point of view. Securing and Attacking during the last years have started to move towards the Application layer. Most attacks use well-known open ports 80, 53 etc targeting the applications themselves.
Network Security nowadays is limited to MITM (ok, blackmailing or bribing an ISP employee is easier than any attack) and those stupid but nasty DDoS. I don’t think that many people are into MAC Flooding, ARP Spoofing, VLAN Hopping, DoS, fuzzing etc anymore…. These days are over…and the Network Vendors have increased their security to the highest level.
WWW is the attackers’ target and this is where Security is focusing as well now.
I am a Network Security professional and I can identify this reality at the moment. This is why I am trying to introduce Applications and programming to my life now.