<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: The Face of FUD</title>
	<atom:link href="http://newschoolsecurity.com/2010/01/the-face-of-fud/feed/" rel="self" type="application/rss+xml" />
	<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/</link>
	<description>The Blog Inspired By The Book</description>
	<lastBuildDate>Wed, 16 May 2012 16:05:54 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.2</generator>
	<item>
		<title>By: APT Ramblings &#171; cyberwart</title>
		<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/#comment-1217</link>
		<dc:creator>APT Ramblings &#171; cyberwart</dc:creator>
		<pubDate>Mon, 15 Mar 2010 02:50:16 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1266#comment-1217</guid>
		<description>[...] community seems to have mixed feelings on the topic. I believe this stems from the fact that marketing FUD is mixed in with thoughtful analysis by some serious dudes. Then there&#8217;s also some crazy [...]</description>
		<content:encoded><![CDATA[<p>[...] community seems to have mixed feelings on the topic. I believe this stems from the fact that marketing FUD is mixed in with thoughtful analysis by some serious dudes. Then there&#8217;s also some crazy [...]</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eddie Schwartz, CSO NetWitness</title>
		<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/#comment-873</link>
		<dc:creator>Eddie Schwartz, CSO NetWitness</dc:creator>
		<pubDate>Fri, 22 Jan 2010 06:48:32 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1266#comment-873</guid>
		<description>Great points, Russell.  Thanks.  I think where I differ with Richard, Gartner, and some others is that APTs are a state-sponsored / government issue.  There is this whole notion that the trajectory is strictly related to government, DIB, and now related R&amp;D entities.  I would argue from first hand experience that other groups have been using what could be classified as APTs for years for other purposes that have nothing to do with political reasons.  Anyway, thanks for the response.</description>
		<content:encoded><![CDATA[<p>Great points, Russell.  Thanks.  I think where I differ with Richard, Gartner, and some others is that APTs are a state-sponsored / government issue.  There is this whole notion that the trajectory is strictly related to government, DIB, and now related R&amp;D entities.  I would argue from first hand experience that other groups have been using what could be classified as APTs for years for other purposes that have nothing to do with political reasons.  Anyway, thanks for the response.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Russell</title>
		<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/#comment-870</link>
		<dc:creator>Russell</dc:creator>
		<pubDate>Thu, 21 Jan 2010 19:59:57 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1266#comment-870</guid>
		<description>Hi Eddie,

Thanks so much for your thoughtful and open comments.  It&#039;s great to hear from a senior person in the vendor community.

Thanks also for seeing the serious elements of my original post.  I tagged it &quot;amusement&quot; because I was initially motivated by the graphic image (&quot;fearful face&quot;) NetWitness used in the promotional, opt-in email.  I know such decisions are in the hands of creative types in marketing and don&#039;t have much connection to corporate strategy, value propositions, or measuring security.  So many of us have been debating FUD and related issues, I just thought that this image was a classic representation.

On to the heart of your comments...

&quot;To FUD or not to FUD&quot; is an active topic of debate in this blog and elsewhere, including Anton&#039;s blog and fudsec.org.  We&#039;ve even had some blog debates with them:

http://newschoolsecurity.com/2009/10/just-say-no-to-fud/
http://newschoolsecurity.com/2009/11/on-smelly-goats-unicorns-and-fud/

I think everyone involved agrees that security decisions and designs are made in the context of high uncertainty and doubt, overlaid with personal and organization fears and anxieties (spoken and unspoken).  We also agree that many times people only take action when they are scared to death, or what the consulting industry has called &quot;the burning platform&quot;.

The biggest area of disagreement is how anyone with a stake in the outcomes reacts to these intrinsic conditions.  Properly speaking, &quot;FUD&quot; is active spin and amplification of fears, uncertainties, and doubt, with an aim to manipulate and/or paralyze the decision-makers so they do what you want them to do.  (The posts listed above go into more detail on why I think this should not be the primary strategy of security people.)

Moving from the general to the specific, I&#039;m &lt;em&gt;thrilled&lt;/em&gt; to hear how NetWitness is approaching your PoC to help your potential clients develop their own &quot;in-house evidence&quot;.  So often, PoC of some new tool consists of getting it installed, running a few demos, migrating some data, generating a report or two, and then polling the users to see if they like it  (&quot;I&#039;ll give it an 86 because it&#039;s got a nice beat and you can dance to it&quot; :-) )  It sounds like NetWitness PoC actually attempts to get some meaningful results for the customer.

I&#039;m just cheering you on to see if you can do even more regarding collecting data and other evidence regarding effectiveness of various solutions. It&#039;s damn hard in the arena you are working in, the now-famous APTs.  I&#039;ll point to Richard Bejtlich&#039;s post &quot;Is APT after you?&quot; http://taosecurity.blogspot.com/2010/01/is-apt-after-you.html . He&#039;s way more expert on this than I am.  What he basically says is:

* You can&#039;t really tell if APT is after you or not, until it&#039;s too late.
* If you are wondering if APT are after you, then they probably are.

While this may be a very sober, realistic stance, it&#039;s not much comfort to decision makers who may be asked to spend big money (or forgo big revenue) to adequately mitigate the risk.  The NewSchool philosophy would be to work toward better data, better analysis, and even better reasoning about uncertainty so that decision makers stand a better chance of making rational economic decisions.  In contrast, anyone who uses FUD tactics as their &quot;one-trick pony&quot; is, in effect, pulling in the opposite direction.

The arena of APT seems to be crying out for better and more sophisticated threat intelligence systems, both individually and collectively.  On this, see these two posts:

http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/
http://newschoolsecurity.com/2009/12/can-risk-management-guide-policy-regarding-password-change-frequency/

Thanks again, Eddie, for joining the debate so constructively.</description>
		<content:encoded><![CDATA[<p>Hi Eddie,</p>
<p>Thanks so much for your thoughtful and open comments.  It&#8217;s great to hear from a senior person in the vendor community.</p>
<p>Thanks also for seeing the serious elements of my original post.  I tagged it &#8220;amusement&#8221; because I was initially motivated by the graphic image (&#8220;fearful face&#8221;) NetWitness used in the promotional, opt-in email.  I know such decisions are in the hands of creative types in marketing and don&#8217;t have much connection to corporate strategy, value propositions, or measuring security.  So many of us have been debating FUD and related issues, I just thought that this image was a classic representation.</p>
<p>On to the heart of your comments&#8230;</p>
<p>&#8220;To FUD or not to FUD&#8221; is an active topic of debate in this blog and elsewhere, including Anton&#8217;s blog and fudsec.org.  We&#8217;ve even had some blog debates with them:</p>
<p><a href="http://newschoolsecurity.com/2009/10/just-say-no-to-fud/" rel="nofollow">http://newschoolsecurity.com/2009/10/just-say-no-to-fud/</a><br />
<a href="http://newschoolsecurity.com/2009/11/on-smelly-goats-unicorns-and-fud/" rel="nofollow">http://newschoolsecurity.com/2009/11/on-smelly-goats-unicorns-and-fud/</a></p>
<p>I think everyone involved agrees that security decisions and designs are made in the context of high uncertainty and doubt, overlaid with personal and organization fears and anxieties (spoken and unspoken).  We also agree that many times people only take action when they are scared to death, or what the consulting industry has called &#8220;the burning platform&#8221;.</p>
<p>The biggest area of disagreement is how anyone with a stake in the outcomes reacts to these intrinsic conditions.  Properly speaking, &#8220;FUD&#8221; is active spin and amplification of fears, uncertainties, and doubt, with an aim to manipulate and/or paralyze the decision-makers so they do what you want them to do.  (The posts listed above go into more detail on why I think this should not be the primary strategy of security people.)</p>
<p>Moving from the general to the specific, I&#8217;m <em>thrilled</em> to hear how NetWitness is approaching your PoC to help your potential clients develop their own &#8220;in-house evidence&#8221;.  So often, PoC of some new tool consists of getting it installed, running a few demos, migrating some data, generating a report or two, and then polling the users to see if they like it  (&#8220;I&#8217;ll give it an 86 because it&#8217;s got a nice beat and you can dance to it&#8221; :-) )  It sounds like NetWitness PoC actually attempts to get some meaningful results for the customer.</p>
<p>I&#8217;m just cheering you on to see if you can do even more regarding collecting data and other evidence regarding effectiveness of various solutions. It&#8217;s damn hard in the arena you are working in, the now-famous APTs.  I&#8217;ll point to Richard Bejtlich&#8217;s post &#8220;Is APT after you?&#8221; <a href="http://taosecurity.blogspot.com/2010/01/is-apt-after-you.html" rel="nofollow">http://taosecurity.blogspot.com/2010/01/is-apt-after-you.html</a> . He&#8217;s way more expert on this than I am.  What he basically says is:</p>
<p>* You can&#8217;t really tell if APT is after you or not, until it&#8217;s too late.<br />
* If you are wondering if APT are after you, then they probably are.</p>
<p>While this may be a very sober, realistic stance, it&#8217;s not much comfort to decision makers who may be asked to spend big money (or forgo big revenue) to adequately mitigate the risk.  The NewSchool philosophy would be to work toward better data, better analysis, and even better reasoning about uncertainty so that decision makers stand a better chance of making rational economic decisions.  In contrast, anyone who uses FUD tactics as their &#8220;one-trick pony&#8221; is, in effect, pulling in the opposite direction.</p>
<p>The arena of APT seems to be crying out for better and more sophisticated threat intelligence systems, both individually and collectively.  On this, see these two posts:</p>
<p><a href="http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/" rel="nofollow">http://newschoolsecurity.com/2010/01/doing-threat-intelligence-right/</a><br />
<a href="http://newschoolsecurity.com/2009/12/can-risk-management-guide-policy-regarding-password-change-frequency/" rel="nofollow">http://newschoolsecurity.com/2009/12/can-risk-management-guide-policy-regarding-password-change-frequency/</a></p>
<p>Thanks again, Eddie, for joining the debate so constructively.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Eddie Schwartz, CSO NetWitness</title>
		<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/#comment-868</link>
		<dc:creator>Eddie Schwartz, CSO NetWitness</dc:creator>
		<pubDate>Thu, 21 Jan 2010 16:59:09 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1266#comment-868</guid>
		<description>Hi Russell,
Thanks for rebroadcasting parts of our opt-in email!   Even though it appeared in the “amusement” section of your blog, we actually take all this quite seriously at NetWitness and stand behind what we put in the email.  Your post raises a classic issue facing security professionals – to FUD, or not to FUD.
It’s really unfortunate that FUD became a dirty word when compliance and “risk management” took over the security budget, but that’s when many organizations began to fail at security too.  While many people, particularly CIOs in hindsight, would argue that compliance has helped increase the focus and spending on information security, I would argue that it has distracted many security programs into performing a large number of basically low impact or worthless activities in the name of metrics, versus FUD.  And, compliance certainly has sponsored a whole class of expensive security technologies and associated total ownership costs (TCO) which drain the security budget.
There’s also an unfortunate psychology involved here.  Many security professionals feel guilty or inadequate using FUD as an argument because all the other I/T people have real metrics and we don’t.  To some, it’s like when we were kids and everyone had Converse “Chuck Taylor” All-Star high tops and you were the one with the red Pro-Keds.  Security people can’t talk about how many “9’s” of network uptime we have, or how much we have improved call center response time, or improved the TCO of storage.   Security sucks at producing decent metrics -- and the ones we do produce (which I’ll save for a much longer separate discussion), stink even more at reducing the fear of being owned by national-sponsored or organized criminal groups or the uncertainty and the doubts regarding the security of information in a world of advanced threats.  Security people cringe when some C-level executive compares the cost of information security to the cost of insurance – “no one likes to pay it, but you have to have it.”  Ugh!  So, we hate the FUD argument – both when we have to use it and when someone uses it to trivialize what we all do for a living.
But I do not think security professionals have to feel this way.  I think that FUD still has a lot of usefulness in the toolkit of the security professional and within the enterprise security program, if applied in the right doses to the right places.  One of my favorite Websites is fudsec.com.  There are many good, bad and ugly uses of FUD cited here, for example, one of the good ones is Anton Chuvakin’s post, “A Treatise on FUD” – required reading for any committed FUDists.   
With regard to advanced threats, I encourage the use of a combination of FUD and proof.  The FUD comes in the form of security professionals updating their talk track to highlight the real causes of many cyber losses in 2010, and the need for more focus on threat intelligence and operational security.  Current issues such as Operation Aurora should be analyzed and briefed to senior management, and should be coupled with one of the more credible surveys that show that most data losses result from advanced threat sources (sophisticated exploits, malware, etc.).
In the end, you will have to produce real evidence, however, and that’s why we put the POC offer on the table in our e-mail blast.   FUD only goes so far, so, you have to show your colleagues the smoking gun with your own organization’s data.   Ultimately in developing this sort of in-house evidence, you’d be the one to earn Russell’s “New School Tip-of-the-Hat” versus NetWitness.  Because while we as a vendor could put out FUD-sounding marketing statistics about how this approach will make you more effective at changing the face of FUD to a smile than other alternatives, you will ONLY believe it when it happens in your organization, you can bank the results, and actually reduce the FUD for yourself and your CEO.</description>
		<content:encoded><![CDATA[<p>Hi Russell,<br />
Thanks for rebroadcasting parts of our opt-in email!   Even though it appeared in the “amusement” section of your blog, we actually take all this quite seriously at NetWitness and stand behind what we put in the email.  Your post raises a classic issue facing security professionals – to FUD, or not to FUD.<br />
It’s really unfortunate that FUD became a dirty word when compliance and “risk management” took over the security budget, but that’s when many organizations began to fail at security too.  While many people, particularly CIOs in hindsight, would argue that compliance has helped increase the focus and spending on information security, I would argue that it has distracted many security programs into performing a large number of basically low impact or worthless activities in the name of metrics, versus FUD.  And, compliance certainly has sponsored a whole class of expensive security technologies and associated total ownership costs (TCO) which drain the security budget.<br />
There’s also an unfortunate psychology involved here.  Many security professionals feel guilty or inadequate using FUD as an argument because all the other I/T people have real metrics and we don’t.  To some, it’s like when we were kids and everyone had Converse “Chuck Taylor” All-Star high tops and you were the one with the red Pro-Keds.  Security people can’t talk about how many “9’s” of network uptime we have, or how much we have improved call center response time, or improved the TCO of storage.   Security sucks at producing decent metrics &#8212; and the ones we do produce (which I’ll save for a much longer separate discussion), stink even more at reducing the fear of being owned by national-sponsored or organized criminal groups or the uncertainty and the doubts regarding the security of information in a world of advanced threats.  Security people cringe when some C-level executive compares the cost of information security to the cost of insurance – “no one likes to pay it, but you have to have it.”  Ugh!  So, we hate the FUD argument – both when we have to use it and when someone uses it to trivialize what we all do for a living.<br />
But I do not think security professionals have to feel this way.  I think that FUD still has a lot of usefulness in the toolkit of the security professional and within the enterprise security program, if applied in the right doses to the right places.  One of my favorite Websites is fudsec.com.  There are many good, bad and ugly uses of FUD cited here, for example, one of the good ones is Anton Chuvakin’s post, “A Treatise on FUD” – required reading for any committed FUDists.<br />
With regard to advanced threats, I encourage the use of a combination of FUD and proof.  The FUD comes in the form of security professionals updating their talk track to highlight the real causes of many cyber losses in 2010, and the need for more focus on threat intelligence and operational security.  Current issues such as Operation Aurora should be analyzed and briefed to senior management, and should be coupled with one of the more credible surveys that show that most data losses result from advanced threat sources (sophisticated exploits, malware, etc.).<br />
In the end, you will have to produce real evidence, however, and that’s why we put the POC offer on the table in our e-mail blast.   FUD only goes so far, so, you have to show your colleagues the smoking gun with your own organization’s data.   Ultimately in developing this sort of in-house evidence, you’d be the one to earn Russell’s “New School Tip-of-the-Hat” versus NetWitness.  Because while we as a vendor could put out FUD-sounding marketing statistics about how this approach will make you more effective at changing the face of FUD to a smile than other alternatives, you will ONLY believe it when it happens in your organization, you can bank the results, and actually reduce the FUD for yourself and your CEO.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Ben</title>
		<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/#comment-863</link>
		<dc:creator>Ben</dc:creator>
		<pubDate>Thu, 21 Jan 2010 00:59:43 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1266#comment-863</guid>
		<description>That&#039;s funny... I saw the subject and just deleted the email... and to think I could have seen that sullen face! :)</description>
		<content:encoded><![CDATA[<p>That&#8217;s funny&#8230; I saw the subject and just deleted the email&#8230; and to think I could have seen that sullen face! :) </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: shrdlu</title>
		<link>http://newschoolsecurity.com/2010/01/the-face-of-fud/#comment-861</link>
		<dc:creator>shrdlu</dc:creator>
		<pubDate>Wed, 20 Jan 2010 20:43:09 +0000</pubDate>
		<guid isPermaLink="false">http://newschoolsecurity.com/?p=1266#comment-861</guid>
		<description>I got that same spam today, and my first thought was that they took first prize for FUD, thanks to that subject line.</description>
		<content:encoded><![CDATA[<p>I got that same spam today, and my first thought was that they took first prize for FUD, thanks to that subject line.</p>
]]></content:encoded>
	</item>
</channel>
</rss>