ESG Blogs

As the title of this blog post implies, there seems to be a blurred line in the general rhetoric between “privacy” and “security”. These topics are not the same, and yet I see them lumped together all too often (ahem, CNN & Co). It's tough, however, to weave a coherent single narrative on the subjects, so let me present a few disparate points to help distinguish the two:

New Year’s Eve has come and gone, and thusly, the annual prediction blog cycle draws to a close. Permit me to sneak one in just before the doors are locked, if you would. I've put together a list of three consumer security bogeymen (more hype than substance) and three consumer security issues that everyone needs to actually worry about. There is a very obvious theme here in terms of the division — see if you can spot it!

My generation can get awfully snarky about antivirus: go on reddit, search for the topic, and you’ll find some arrogant responses along the lines of “antivirus is just adware and all I need is Malwarebytes”.

Well hey, good for you, and Malwarebytes is great (I use it too). But we millennials have a harder time remembering what the internet was like before AV came along, a time when any email or misclicked website could brick your computer. Now with the rise of ransomware and targeted attacks putting entire devices at risk once more, we have somehow resorted to blaming antivirus for not being effective enough at blocking these attacks. It’s unfair and short-sighted, and the popularity of the “AV is unnecessary” trend remains perpetually premature.

Every year at Blackhat there is a section of the show floor charmingly referred to as "Innovation City," which functions as an area for up-and-coming vendors to show their stuff. One of the citizens of Innovation City this year was x.o.ware, which bills itself as an "end-to-end encryption solution" that makes public Wi-Fi completely secure. At the risk of misrepresenting their product (I have not been officially briefed), essentially what they do is this: the customer buys a box (which is called XOnet and looks like a mini Wi-Fi router) that stays at home. With that box comes a small piece of rubber-covered  hardware (which is called an XOkey); this key pairs with the box and then plugs into a laptop. Result? If I am at Starbucks on public Wi-Fi, I plug the encryption key into my computer, it uses the public Wi-Fi to tunnel back to my XOnet box at home, and voila! --my very insecure public Wi-Fi connection has become a secure home Wi-Fi connection. This is a very cool idea! But as cool as the idea is, I found myself wondering- are people ready to buy personal security hardware? Are people even thinking about this stuff? 

Let’s get something out of the way: I know that all the data says people care more about their privacy than ever before, and especially the under-40 age group sees it as a “key issue.” And I don’t for a second doubt the data—if you ask me in a survey, “Is privacy important to you?,” I’ll say yes. If you ask “Would you do business with a company that does not protect your privacy?,” I would say no—because those are the right answers, and intellectually we understand that. But there is a gigantic disconnect between what people say in a survey, and how they actually behave. I’m the first to admit guilt here.

Endpoint security is a fast-paced, dynamic market right now. The amount of funding, M&A, and general product development is moving at what can feel like a blurring speed, and separating the facts from the marketing language can be a challenge.

For a thought experiment, imagine for a moment you are a CIO/CISO/equivalent in charge of the security budget.  You are a little behind, maybe updating from an AV-only environment to a more advanced endpoint solution. How do you go about selecting a vendor? How do you begin quantifying your organizational needs? 

ESG data shows that 57% of enterprises have either already switched to free antivirus software or are actively exploring the option. It makes some sense: Free AV programs have posted competitive efficacy rates against paid versions, and AV is increasingly viewed as an IT operations checkbox as opposed to a pure endpoint security control. There also seems to be a decreasing need to assign budget for AV. The thinking is that those dollars could instead be spent on newer technologies such as advanced endpoint anti-malware products, endpoint forensics, or endpoint analytics. For many organizations, ditching paid antivirus for a free product could be viewed as a sensible cost-cutting move. 

News of the so-called Heartbleed bug made the rounds last week. I received a message from a friend asking, “Why didn’t you warn me about this?” So I had better respond.

Unlike, say, the Target breach, this one was steeped in tech lingo that made understanding it a bit of a project. So let’s walk through what happened and how it affects the average user.

Here are some trends to keep an eye on (in no particular order):

Despite well over a decade of sales success, antivirus technology has never been beloved in the security marketplace. Security professionals do not have immense faith in antivirus (AV) products to stop modern malware, and average users have never enjoyed the notifications, scans, and updates that go along with protecting a computer from roughly 6,000 new malware variants per day.