
3/25/2015 Putting An End To Security Snake Oil | Fortinet Blog

http://blog.fortinet.com/post/putting-an-end-to-security-snake-oil


by Chris Dawson (/author/chris-dawson) | March 16, 2015 | Category: Industry Trends & News (/category/industry-trends-news)

Putting An End To Security Snake Oil

Imagine it’s the late 19th century. Modern medicine is in its infancy. Folk cures, snake oil, and patent medicines are still being peddled to naive consumers, and a nascent market for legitimate pharmaceuticals struggles to balance profit and genuine benefit for patients. A desperate public, struggling with diseases like tuberculosis and polio, needed real medicine but settled for whatever miracle cure they could find (or what early marketers told them would work).

Then, in 1906, Congress passed the Food and Drugs Act, giving new powers to the US Bureau of Chemistry, the agency that would eventually become the FDA. Suddenly, medications had to comply with standards for purity and formulations, the groundwork was laid for rigorous clinical trials, and marketing became more about truth and science instead of inflated claims and potential profits.

While few would argue that the FDA as we know it today is perfect, consumers and doctors alike can generally assume that approved and regulated medications meet high standards for effectiveness and safety.

When it comes to information security, though, we don’t have regulatory bodies that can provide the same level of assurance for the safety of our data or the effectiveness of our security solutions. Instead, we have data sheets. Data sheets are marketing materials that security vendors publish touting the abilities of their hardware and software to detect threats and keep the bad guys at bay. Imagine if you needed to decide which cholesterol drug to take based solely on advertising from various pharmaceutical companies. At the same time, imagine if there was no oversight on that advertising. It would be a dangerous and risky proposition.

Obviously, there are no higher stakes than our health. But in security, the stakes are still remarkably high. Companies’ reputations are on the line, customers’ credit and identities are at risk, and costs from a data breach can quickly rise into the millions of dollars. Smaller companies can easily be put out of business by one well-timed attack on their networks.

Fortunately, absent an agency like the FDA to verify the ability of solutions to keep our data and networks safe, independent third parties have emerged to put security hardware and software to the test. One organization that has really stepped up to fill this gap is NSS Labs (https://nsslabs.com/). They have been testing security solutions from every major vendor for years and making the results of the tests available to IT decision makers who can use the data to decide which hardware best meets their needs.

This week NSS Labs opened the virtual doors on their Cyber Advanced Warning System (https://www.nsslabs.com/caws/cyber-advanced-warning-system) (CAWS). As Nicole Perlroth explained in a New York Times blog post (http://bits.blogs.nytimes.com/2015/03/10/nss-labs-testing-service-will-hold-security-vendors-accountable/),

“NSS Labs...has developed a testing service that will allow corporations to see how vendors stack up, including which real threats their products are blocking, and which they are not. That kind of basic benchmarking is long overdue in an industry crowded with security firms that love to claim their products catch all the threats their competitors do not.”

The service is easy for users but incredibly sophisticated on the back end. As NSS Labs explains, the system is not focused directly on the countless bits of malware and wide range of threats floating around on the Internet, but rather on exploits - the particular means by which hackers can get into an organization’s network and wreak havoc. For example, users can profile versions of software, operating systems, and specific security hardware in use in their organization and then receive near real-time information on whether the combination is vulnerable to attack. NSS Labs uses real data from BaitNet, a test environment that obscures itself from hackers but that can comprehensively and safely evaluate threats and vulnerabilities with incredible speed and precision.


CAWS benefits businesses in several ways but the most important are:

1. Increased situational awareness - It answers the question, “Are my current systems vulnerable to real threats in the wild right now?” This allows businesses to address those holes before they fall victim to an attack.

2. Evaluating security solutions in the context of their needs - In this case, it answers the question, “Which security solutions best protect my network based on the software and operating systems I have in place?”

This is absolutely essential information for businesses as they look to proactively protect their networks and as they purchase new security hardware.

As security becomes the top concern for organizations operating in an increasingly unsafe environment and handling more sensitive data than ever before, tools like NSS Labs CAWS are the only way for businesses to sort out the security snake oil from reliable protection. And since no security solution is 100% effective all the time, the Cyber Advanced Warning System itself is a powerful additional layer of security for organizations that put the safety of their customers’ data first.

Tags: nss labs (/tag/nss-labs-2) snake oil (/tag/snake-oil) fda (/tag/fda) caws (/tag/caws) cyber advanced warning system (/tag/cyber-advanced-warning-system)


Copyright © 2015 Fortinet, Inc. All Rights Reserved. | Terms of Service (/aboutus/legal.html) | Privacy (/aboutus/privacy.html)