Submission: Cybersecurity Products Rarely Live Up to Marketing Claims: RSA Panel

storagedude writes: A panel at this week's RSA Conference revealed that 90% of security buyers aren’t getting the efficacy from their products that vendors claim they can deliver.

Joe Hubback of cyber risk management startup ISTARI led both the panel and the study, which was based on in-depth interviews with more than a hundred high-level security officials, including CISOs, CIOs, CEOs, security and tech vendors, evaluation organizations and government organizations.

Hubback said that “90% of the people that I spoke to said that the security technologies they were buying from the market are just not delivering the effect that the vendors claim they can deliver. Quite a shocking proportion of people are suffering from technology that doesn’t deliver.”

A number of reasons for that product failure came out in the panel discussion, according to eSecurity Planet, but they can be boiled down to some key points:

- Cybersecurity buyers are pressed for time and most don’t test the products they buy. “They’re basically just buying and hoping that the solutions they’re buying are really going to work,” Hubback said.

- Vendors are under pressure from investors to get products to market quickly and from sales and marketing teams to make aggressive claims. On top of those pressures, it’s difficult to architect tools that are effective for a range of complex environments – and equally difficult for buyers to properly assess these “black box” solutions.

Those conditions create an information asymmetry, said Hubback: “A vendor knows a lot more about the quality of the product than the buyer so the vendor is not incentivized to bring high-quality products to market because buyers can’t properly evaluate what they’re buying.”

Hubback and fellow panelists hope to create a GSMA-like process for evaluating security product abilities, and he invited RSA attendees to join the effort.

Interestingly, a second article on eSecurity Planet this week examined the efficacy of Rapid7's InsightIDR SIEM system and found a number of shortcomings that the vendor is in the process of addressing.

The article — one of the few ever published on SIEM security tests — noted that such blind spots are common in SIEM systems and urged readers to use the article as a template for testing their own products.

"In our testing we found a number of issues that are common in SIEM systems," the article says. "The good news is vendors are responsive to these issues – they’d rather hear them from “white hat” folks and customers than the bad guys – and we’ve been in touch with Rapid7 throughout our work. We found Rapid7 to be responsive and straightforward to deal with – a good sign for user support, and critically important in cybersecurity. Rapid7 is working on a number of fixes to our findings – some of which were known issues the company was already aware of – so we’ll update this article in a few months to reflect completion of that work. We’ve also included Rapid7’s comments in a number of places.

"This is, to our knowledge, one of the few times that test results have been published on a cybersecurity product of this magnitude, so our goal is largely educational. We encourage you to use this article as a guide to conduct your own in-house testing of security solutions. We’ve focused on a number of detectable “warning shots” that can happen during an attack (or a pentest) that will let you know that bad things are brewing behind the scenes. If one or more of these attacks are not detected, challenge your vendors to write a signature for them. The result will be a stronger product for their entire user base."
