Wednesday, September 08, 2010      

Article received from Shimon Gruper,
Executive VP eSafe Technologies Aladdin Knowledge Systems Ltd


THE SECURITY CONFUSION

Do Independent Experts Hold The Keys...

A few weeks ago, I visited a big security tradeshow and was astounded to see that the show was probably twice as big as last year. Big security vendors had larger booths than last year and many new small vendors had appeared from nowhere, jumping on this hot security bandwagon.

 

Walking the floor, one could easily get lost in the myriad of security offerings, from comprehensive do-it-all security suites to security audits that advise customers what security they actually need.

I have been in the IT security industry for the last 20 years and I hold CISSP (Certified Information Systems Security Professional) accreditation, and still I found it very difficult to understand exactly what it is that some companies offer and why their offering is the solution you absolutely cannot live without. It makes me wonder how customers, who do not always have deep security knowledge, should decide which product to buy. There are, of course, many options, but what are the pros and cons?

 

Should I, as a customer, just listen to my reseller, who can recommend the best solution for me? They should know; after all, that is their job. But will they not be biased towards products in their portfolio?

 

Should I go for a big brand name? After all, nobody has ever been fired for buying I*M, but is this really the best-of-breed solution? Large companies are known for their slow adoption of new technologies and they usually lag behind the market. As an example, just look at what happened with anti-virus companies when spyware became a big problem. Organisations had to purchase a dedicated anti-spyware solution because their anti-virus vendor kept promising solutions that never materialised.

 

Should I therefore go for a small and dynamic company that is certain to have new, innovative technology? But how can I be sure they will still be around tomorrow? The security market is a converging market where big fish constantly swallow small ones and, after the digestion, are not always loyal to customers that use the old product.

 

This is a complex dilemma and there are too many parameters in the equation to solve. Therefore, I would recommend doing the homework yourself or consulting an independent security expert who is unbiased because they are not actually selling you any products. Don't necessarily go for the big name just because they have a big booth at the tradeshow and spend a lot of money on marketing. If you decide to go with a small company, check their background and their financial stability to make sure they will not go belly up next week.

However, the most important advice that I can give you is to test it yourself before signing the check. There is nothing like seeing with your own eyes that the solution actually does what the vendor promises and that it meets your needs. I know what you are going to say now: that implementing and testing each solution you want to buy is a nightmare for the IT department, and that unsuccessful tests will waste their time. I know that it is not simple to install a security product that you want to test in production, and testing it in a lab will never give you a good and accurate picture. So how would you go about selecting a product and testing it without affecting your infrastructure, your network and your users?

 

Actually, I have found out that some vendors, especially the smaller ones, have thought about this and will offer you a no-obligation test of their product by connecting their solution to your network in a non-intrusive way, for example to a mirror/span port of the switch. Such a security audit will show you, just by sniffing the network traffic and analysing it, any malicious activity in your traffic without actually blocking or affecting it.

 

I strongly suggest looking for security vendors who will be able to give you such transparent testing functionality of their product before you decide to purchase it.