Friday, September 28, 2007

i know there's no panacea but i still want one, darnit!

have you read this post by lonervamp about the silver bullet syndrome? forgetting his specific example of jericho forums for the moment, i agree whole-heartedly with his observation that although we all seem to agree that there is no panacea people still seem to talk and act as though they expect there to be one...

need an example besides the jericho one? well anton chuvakin has been kind enough to provide us with one this evening that involves anti-virus... he's abandoned known-malware scanning completely after a friend of his had to rebuild their system despite being 'protected' by a major brand av....

now i'm not going to debate the merits of the decision itself, if he wants to use a whitelist instead of a blacklist, that's his decision and it's certainly a workable one... the problem is the motivation - getting fed up because of an instance of av failing (or even many instances) points to (as mike rothman would put it) mismatched expectations... if you know and agree that there is no panacea then you shouldn't be overly bothered by instances of failure, you should be expecting failure...

so what's going on here? i think that although we more or less all agree that there is no panacea, people don't seem to appreciate what that really means... i suspect that the use of the term panacea itself may be obscuring the real implications so i'm going to put it in simple terms that everyone, expert and novice alike, can understand:
all preventative measures fail
that's right, each and every single last one of them... that is what it means to truly accept that there is no panacea, you have to accept that there will be failures... getting fed up with the failures is an emotional rather than rational reaction, and if you base your decisions on it you are likely to be disappointed in the future when it turns out that the next big thing fails too...

people don't like failure, however, and they certainly don't want to accept it... this is a shame because if you're going to develop a successful security strategy you have to not only accept failure, you have to anticipate it... anticipating failure is really a cornerstone of strategic thinking, without it there would be no impetus to devise contingency plans, and without those a strategy is nothing more than a basic plan and a lot of poorly founded hope... in short you need to learn to succeed by planning for failure rather than running blindly from it...

5 comments:

Anonymous said...

Well, good post. I'd like, anyway, to add something. Why do people expect so much from such a broken technology as anti-viruses? Because anti-virus companies advertise their AVs as an end-point silver-bullet defense system! "Buy our award-winning AV and forget about viruses forever". And when AVs fail to do the job as advertised, naturally, they feel frustrated.

kurt wismer said...

"Because anti-virus companies advertise their AVs as an end-point silver-bullet defense system! "Buy our award-winning AV and forget about viruses forever"."

citations please... the last time i looked the snake-oil being offered by most major av companies was far more subtle than what you're suggesting... owing more to the inappropriate use of words like protection and solution (which is pervasive across the entire security industry, not simply av) than to blatant intellectual dishonesty...

Anonymous said...

"citations please"-

Just read some magazine's AV-related articles. Many are sponsored by AV companies, I believe; too many blatant advertisements there (at least in Russia, I don't know the situation in other countries).

kurt wismer said...

"Just read some magazine's AV-related articles."

that's actually worse than saying 'just google it'... it does not qualify as a citation and does not meet my standards of evidence...

while i'm more than willing to believe that it actually does happen (marketing departments are notorious for not knowing how to avoid peddling snake oil), i won't be criticizing anyone for it without specific examples to point to...

Unknown said...

Thank you for putting that feeling into other, better words! I admit, my example of the Jericho Forum was slightly unfortunate, but I like yours as much. I see this subtle paradox quite often about rejecting a technology for a failure only to turn around and say elsewhere they believe there is no perfect solution. A growing pet peeve of mine. :)