Hard to believe that I ever thought I would be sitting here wondering about the state of security as a viable career path. I have built my career up as a security dude/hacker for years, but lately I have been noticing a few things.
- Vendors are getting really good at detecting network anomalies and the interfaces are getting easier and easier to program.
- Threat vectors have become so large that now we look at a multi-tiered attack surface instead of a laser-beamed attack point.
- Some of the biggest threats are due to applications and bots.
Here's the thing. I have been tasked to write a TechWiseTV episode on security and truthfully, the stuff I have is really about as exciting as watching a grad student take a calculus exam. There is really nothing "new" under the sun. Oh, sure - product updates, faster detection, fewer false positives, this header manipulation or that compliance support; yada friggen yada... I refuse to do old attacks like BGP, ARP Spoofing, WPA cracking, etc... I need new stuff!!!
Kinda cool? Ummm... yeah... but I do not go out and buy a new car every cycle to get a few nifty features. I suck it up and buy a car with a heated steering wheel when the one I currently have smokes out.
My question is this:
Have we finally done it and gotten to a point where security is handled via a SaaS provider?
Seems to me that a security design goes like this:
- Client-side protection (802.1X, TrustSec, AV, drive encryption)
- Device protection (TrustSec, SSHv2, DAI, SNMPv3, etc.)
- A firewall pair (deep rule set, N+1, line rate or close to it)
- Server Protection (TrustSec, drive encryption, AV)
- VPN subsystem (SSL, Mobile Phones, 3DES)
- Bonus: Log correlation device (OSSIM http://www.alienvault.com or MARS)
Press hard, the bottom copy is yours. (shout out to John Codrea!)
But the two BIG things on these devices are:
- How often are the devices updated to support the latest piss-ant bot, virus, DDoS or application vuln?
- How is MY staff managing the massive amounts of data generated by these devices? Or do I just plug 'em in, config them and never touch them again?
Is that it? Have we gotten to a point of security templating? Sure, there are a few changes in every account, but for the most part, we security folks are battling the little stuff we have to wait on another vendor to take care of. Not much I can do on an XSS except change the browser rules (or change browsers multiple times), or how many times can I email Adobe about yet another PDF exploit? To me, it feels like I am a security bottom feeder waiting on the next update. What fun is that? Once the gear is installed and tuned in, now what? Just turn it over to a SaaS provider and make sure the current threat level is addressed, I guess. When exploits get to the level of application exploitation, the hacker clearly has the advantage. They have an endless stream of applications, the element of surprise, endless worldwide resources and a complicated global legal system protecting them. They exploit and I wait for an update. I HAVE to have a team of full-time researchers 24x7x365 augmenting my staff to try and level the playing field. Point: SaaS security teams.
The real security action today seems to be at the research or hobbyist level, where folks are hunting C&C for bots and taking them down. Seems like many resellers I talk to agree that security folks are just not something they are asking for. It's nice to know how to design to, but a dedicated career? No room at the inn. I tell folks all the time that a solid knowledge in security can really make you stand out from others when you design a VoIP, Data Center or foundational network.
Am I wrong here? Is security still a good career path for folks interested? I do not believe so anymore and it hurts to say that. I believe it is an augmentation skill, like Unity in Mass Effect 2. There will always be security, but more and more I see it having to be more of a trusted third-party process that has those resources.
So what to do about this show? Well, looks like ScanSafe is a good bet. IPS, ASA, CSA are out. LISP seems cool, maybe some botnet stuff. Yawn... Is this really all there is??
Jimmy Ray Purser