Question: Fewer choices means less security?

[zencoder]

Reading the recent threads surrounding Microsofts acquistion of Sybari (and Giant), and having piped up myself about it being no wonder Microsoft is actively getting into the security business, it got me to thinking.

With a 90%+ market share for end users, and showing no signs of slowing down, Microsoft could well start to dominate the 'end user security industry'. Do we as Information Security evangelists really feel comfortable getting all of ours eggs from the same basket? For a business manager, it could be tempting. I'd bet that enterprise licensing for Server/Desktop Operating Systems, Application Servers, Email/PIM servers, Personal Productivity clients, Server/Desktop/Email-Filter antivirus, Server/Client anti-spyware packages is a helluva lot cheaper from 1 vendor than from 10.

But is that really a good idea? I'm not saying 'no' definitively, I'd like to see some conversation from several view points to expand my position on this subject.

My initial reaction is a bit negative. The term defense-in-depth comes to mind, and here's what I mean. You don't secure your network with simply 1 firewall and assume everything will be fine. You buy the firewall, but you also configure a DMZ, host based firewalls, IDS, maybe throw in an IPS, type your fingers to the nub configuring and testing everything, and then spend countless hours testing, vallidating, monitoring, and patching. Your intention is the firewall stops 100% of the bad traffic...but if even 1 attack comes through, you have other lines of defense. The DMZ will hopefully contain the outbreak. It it doesn't, the workstations all have their own defenses. The IDS will alert you sooner, and the IPS (if it actually works) could shut down or at least bottleneck the attack vector.

So seeing how all these things will sort of work in harmony, I can imagine how attractive an offer to acquire all of these pieces from the same vendor at a discounted price would look (since you are buying several items 'in bulk'.) But is that wise? Do we really want to trust one company to make all of our software (firewall, av, as, monitoring, etc.) and also validate that if the right combination of attack packets comes along, the whole house of cards won't come tumbling down?

There are obvious advantages from getting all of your solutions from one point; interoperability, consistent interface, easier to support and troubleshoot, licensing and cost benefits.

But what about the value of 'defense in depth'? We see the idea mentioned here almost everyday! How many of us rely SOLELY on Ad Aware, and don't bother with Spybot-SD, MS Anti-Spyware, PestPatrol, etc. as well? I think its safe to safe you are foolishly deluded if you think a single product will protect you from all the various forms of malware out there.

So why would we think that Microsoft (or Symantec...or McAffee) has all the answers we seek? Anyone have a different position?

I'll be back in a bit...discuss amongst yourselves.

[Soda_Popinsky]

There are obvious advantages from getting all of your solutions from one point; interoperability, consistent interface, easier to support and troubleshoot, licensing and cost benefits.

Centralization is the keyword here... when things need to get done, you have one number to call, one representative from one vendor to get the wheels movin.

and also validate that if the right combination of attack packets comes along, the whole house of cards won't come tumbling down?

I can't really see a situation where a one vendor network can be crippled from the same vector, perhaps you had one in mind? Let's think of this though, if 20 devices fail, and you need to get back up and running, do you want spend time with 20 different vendor reps, or would you rather start limiting your risk with one phone call? Response time is a benefit with one vendor, they pay attention to you when you're a valued custy


edit:

This is kind of related. I had a conversation with someone who felt that it would be a better idea to have unique firewalls everywhere there should be one. The reasoning was that the same exploit couldn't be used on all the firewalls, limiting your risk.

However, this is a bad idea because it increases risk, you now have a new potential vector for every new firewall you put up. If an attacker wants in, they have a wide array of choices and just need to wait for a new vuln for any of those firewalls to pop up.

[chefer]

I am not immune to the idea that centralization is good. However, I also see that we are a society built around specialization. We have specific people who handle specific tasks. Integration of all those specifics can be brutal (to say the least).

With our network I am not so inclined to put my faith entirely in one vendor. I like the convenience of having one vendor, but knowing that there is possibly someone better out there, I will pay the extra and spend the extra time on a seperate phone line if needed. The specialization of specific vendors is a good thing. Most work diligently to master their craft and I have reaped the rewards of well designed applications to aid me in my daily tasks and they take in a profit for that hard work. I believe this to be a system that works in this case.

On occassion there have been issues for which we required a little support, but making the call was almost easy; the hardest part of the process was using the rolodex to find the name and number I needed.

I have had little occassion to call for support as of late however having to monitor several updates of different products on a regular basis is tedious. We work to refine and patch our systems all the time. I am torn by the idea that I could alleviate some of my daily workload. Knowing that, at least in theory, all the patches and updates from one vendor should work with all the modules comprising your collection of their application suite. Not having run multiple update services, creating several batch files to run updates, or (the one I hate most) having to manually navigate separate websites and then run installers is more than just appealing.

No to bash microsoft, we use many of their products because they work, but they do tend to be a little slow getting their patches out. I have suffered delays at the hands of other vendors and have dropped them like bad habits. I am often frightened that I have done all that I can but there is still one patch I need but can't have because my vendor is not helping me through.

I believe that as we move forward we will see more attempts to provide aggregate suites as well as comprehensive suites from individual vendors. Until such time as they can be proven as any more secure, I will continue test in a safe, disconnected test environment before implementing and only when I'm sure will I allow full implementation. I suppose I'm a masochist, I would rather suffer through the less than productive expenditure of my time while I wait it out and see what happens.

Just my opinion though.

[XTC46]

well, the problem is, when one company takes of a market place (microsoft in this case) the product quality tends to drop becasue of lack of competition. that is my biggest concern.

[MrLinus]

zen, it sounds almost like Cyberinsecurity: The Cost of Monopoly. Reality is we've been doing this for quite a while to varying degrees (e.g., BIND for DNS, Apache for HTTP). Although I will say that I haven't seen anyone take it to the degree that Microsoft has. I worry about putting everything into one since it removes, to a degree, the idea of layers of security. One of the reasons why, IMO, Linux/Unix doesn't have as many overriding threats (besides smaller audience/usage) is the diversity that exists. While to a newbie it may seem daunting, the reality is that there is safety in numbers so to speak.

Sybari has told me that they will continue to product their product as they have but I wonder how long that will last or how quickly it will change. When you have an attitude that "vulnerabilities don't exist until someone knows about them", you can get worried.

I have found, unfortunately, that there is a triangle to security. The three sides are: security, ease of use and stability. You can, however, only pick two. So which ones do you gamble on?

[zencoder]

I have found, unfortunately, that there is a triangle to security. The three sides are: security, ease of use and stability. You can, however, only pick two. So which ones do you gamble on?

That's rich! It reminds me of an old craft sign at the state fair.
"We do three kinds of work here:
Quick
Good
Cheap
You can have any two"

So far I'm hearing positions that seem akin to mine. I agree that multiple vendors makes for more work, simply because you have different venues to subscribe to for information of vulnerabilities and updates. There are many more reasons, but thats the simplest to point out. The idea that you should use a differentent brand of firewall at every instance of one is...ridiculous. I mean, if there's a legitimate need, or if you've got a legacy heterogenerous environment that's been hobbled together over time, I can see how that would happen...but to do so as a matter of policy? That's crazy work.

When I refer to a the 'magic attack sequence' it was more of a nod to the recent Symantec announcement. That was quite a long list of products affected, and I could see how many of them would be deployed at different points within an organization. Now I was just making a reference, we don't use anything from them so I didn't spend a lot of time with it, and I don't really know what the specific vulnerability was. It was an example.

[ss2chef]

Zen: You have some great points but I think the problem is much larger.
I manage 100s of hosts running UNIX, MS, Novell, and so on. Properly configured, they all
run as intended with very little downtime, viruses, worms, spyware yadda yadda yadda.

I think the focus should start getting away from network operating systems and their supporting softwares, and move towards the fact the TCP/IP and IP4 in particular with their many protocols and sub protocols whos RFC's are still held in high regard is garbage. We continue to limp along with SMTP for example. The vast majority of Inet traffic + problems is SMTP based. Garbage is garbage regardless of how many band-aids you strap on it. IDS, IPS, AV, PFW they are all just bandages to try to stop the bleeding.

Zen, nice work on getting a decent discussion going. While this forum is too often MS bitchfest cliche, discussions like this are a great addition.

[Timmy77]

Another value in staying with one vendor is there is that your tech support folks and security professionals are more likely to know all the ins and outs of that vendors product. This should reduce the number of security holes that are open due to misconfiguration.

[MrLinus]

The idea that you should use a differentent brand of firewall at every instance of one is...ridiculous. I mean, if there's a legitimate need, or if you've got a legacy heterogenerous environment that's been hobbled together over time, I can see how that would happen...but to do so as a matter of policy?

I don't think that's necessary as it seems rather overboard. It's the opposite extreme to having all your "security answers" from one source. I believe that if there is enough variety -- say a mix of CISCO devices (Pix, routers, etc.) along with say Sourcefire for an IDS, Linux server to serve MySQL and Apache, Email on AS/400 with Windows XP for Desktops.

I also think this depends on how large the company is. Smaller organizations will be more dependent on uniform environments for a cost factor. Larger environments need more "heavy duty" server types (RS/6000, AS/400, etc. -- to me, Microsoft Servers, while I know they have Datacenter versions and the like, are a medium strength server). I think OS monopolies work better and can be controlled better when you are only dealing with a small handful of servers compared to if you are deaing with 100 or more.

Another value in staying with one vendor is there is that your tech support folks and security professionals are more likely to know all the ins and outs of that vendors product. This should reduce the number of security holes that are open due to misconfiguration.

At the same time, it might lead to a false sense of security because they "know all the ins and outs". While being extremely knowledgeable and it may reduce some risks, I still believe there is a higher risk if a worm is able to go through the "shop" (Linux shop, Windows shop, etc.). You need only to see the effect of slammer/sapphire to see what happens when we put all our eggs in a basket. (keep in mind that the MDSE is found in other sources than just Microsoft SQL)

[Timmy77]

Excellent point, a threat like SQL Slammer or Blaster is much greater in a single vendor shop.