I have been a strong proponent of SANS and GIAC for many years. Their training is, quite simply, the best available in many of the sub-disciplines within Information Security. Their staff represent the best of the best in the industry. I am a member of the SANS advisory board, and while I have no financial incentive in the success of the organization, I feel the continued health of SANS is vital to the Information Security discipline. It is for that reason that I have become concerned about some of the decisions made by SANS over the past few years. Beginning with the decision to separate the practical from certification, and continuing through to the introduction of their Master's degree, I see decisions increasingly being made solely around financial considerations.
In August, Stephen Northcutt asked the advisory board for our thoughts on discontinuing an unprofitable certification. I am posting the bulk of my response below, as it articulates many of my concerns with SANS. It is my hope that by voicing my opinion, positive direction can be maintained in the organization and, by consequence, the industry as a whole.
This cuts right to a core issue about SANS that I have been meaning to bring to the attention of the advisory board and leadership for some time, which is this: SANS needs to decide if its primary mission is to make money, or to educate. Many decisions I've seen from the leadership at SANS in the past few years seem to indicate that it is the former. I hope, for the sake of the integrity of the organization, that this tendency can be changed. It would be rather naive of me to think that this note would begin to turn the ship, but I hope it can raise awareness of the issue. I can say with absolute certainty that it has been noticed by professionals and decision-makers outside of SANS (some of whom I respect greatly); this is a real risk.
Bringing this more to the point, I believe that the value of certifications should not be solely measured by their profitability. SANS needs to remain in good financial standing, no doubt, but costs can be reclaimed elsewhere. Other untapped profit opportunities (corporate sponsorship, linking employers with job hunters, etc.) are out there. Universities face the very same trade-offs. In recent years, a debate has grown about the cost and value of technical degrees versus liberal arts degrees. Merely charging more for some degrees than others was highly controversial for the universities; dropping less profitable, more technical degrees would be considered unconscionable. If SANS wants to operate at a similar level, I feel it must adopt this sort of mindset.
If [this certification] is judged to be valuable as an educational tool to the Information Security community at large, and it can reasonably be afforded by SANS, it should be kept. Otherwise, you needlessly sacrifice education for a larger bottom line, which advances a financial rather than educational mission. If we feel [this certification] in its current instantiation is a bad way to vet the top of the InfoSec talent pool, then it's a different problem we're talking about and financial concerns shouldn't really play a part in our discussions - the shortcomings should be addressed and a new approach tried before the life of this certification is prematurely cut short.
Showing posts with label SANS.
2007-11-23
2007-11-11
Overhaul Anti-Virus Products NOW
It's been a few weeks since the story below appeared in SANS NewsBites, but I wanted to point it out to the community. The story, and the subsequent NewsBites editor comments, speak volumes not only about the challenges with anti-virus that we're currently experiencing, but also about the attitude of the established anti-virus industry towards anyone not already part of their collective. I've lamented the state of the anti-virus industry in the past, but this particular problem is the most dire for their industry - and for the rest of us. The nature of the industry's rebuff of Ed Skoudis and Tom Liston (both highly respected and recognized security professionals), discussed in the comments section below, echoes attitudes I've found amongst individual "antivirus researchers" with whom I've worked - some even as peers and coworkers. I think the root of the problem is that anti-virus companies and contributors have developed their own self-serving, self-congratulating circle that espouses "group think" and rejects constructive criticism from anyone not a part of this clique. Further, they do not see themselves as security analysts and companies. Malware has become woven into the fabric of the security challenges facing entities in the 21st century, and at this point the two can scarcely be separated in many cases. It's time these companies and contributors began seeing themselves as part of the larger security industry, not simply a clique that sits at the "cool kids" table at lunch.
Enjoy:
TOP OF THE NEWS
-- Overhaul AntiVirus Product Testing Now
(October 10, 2007)
Momentum is growing for an overhaul of the way anti-virus products are tested. Presently, tests focus on signature-based malware detection and have changed little over the last 10 years. However, anti-virus technology is changing to meet the demands created by new malware, and the organizations believe that tests need to be reformulated to reflect that change. The tests don't examine the effectiveness of behavioral anomaly malware detection, a technique that is proving valuable in catching malware that spreads quickly. Proposals for new testing methods and procedures will be presented in November at the Association of AntiVirus Asia Researchers 2007 Conference in Seoul, Korea.
http://www.theregister.co.uk/2007/10/10/av_tests_revamp/print.html
[Editor's Note (Skoudis): Given the change in threat, with new malware introduced every hour, this is a good development. My colleagues and I have been pushing for something like this for about 2 years now. I made a call very much like this at a talk during the Anti-Spyware Coalition meeting in February 2006. My colleague Tom Liston and I released a tool called Spycar a year and a half ago to test the behavior-based claims of anti-malware vendors, and discovered that most were either not doing any behavior-based detection at all or had severely broken behavior-based functionality. Many of the anti-malware vendors publicly scoffed at our testing, while a few said that our results were interesting. Just last month, my colleague Matt Carpenter and I tested a bunch of products again, and found that the behavior-based detection capabilities of all the major vendors were severely lacking. I'm hopeful that this new initiative will help improve the state of behavior-based detection.
(Liston): Saying we were "scoffed at" is Ed's way of being polite. Essentially, they told us that we were amateurs who didn't know what we were talking about, even _after_ we had discovered and disclosed serious flaws in the behavior-based detection offered by several major vendors. With increasing numbers of malware being released and the rise of targeted malcode attacks, behavior-based detection is going to become anti-malware's front line defense. It's nice to finally see this reality being addressed by AV vendors' testing methods, and, of course, it's also nice to be vindicated.
(Northcutt): The anti-virus industry has served us well. Without them, computing might well have failed, but they are a tad stuck in their ways and malware grows ever more complex. I hope that projects like Spycar, which hold vendors responsible for something beyond signature detection, continue to prosper.]
Labels: antivirus, groupthink, SANS, security