I recently presented with Ryan Macfarlane on the Long Tail of Information Security at the Information Security Summit in Northeast Ohio. I wanted to blog about it because the talk itself resonated with me and directly correlates to a previous post on the current state of penetration tests (http://www.secmaniac.com/october-2010/traditional-penetration-testing-is-dead-bsides-atlanta/). Ryan and I came up with an interesting way to look at what we are protecting against very targeted and specific attacks. Before getting into the meat of the discussion, let's first dive into what the long tail is. The Long Tail book by Chris Anderson came out in 2006 and changed the way we look at a hit driven economy. For example, in a traditional economy, Walmart would only have in stock what made the most profit and had the most demand. It's what is called the Pareto principle of 20 percent in the high demand and the other 80 percent less of demand (80/20 rule). So you would see a Brittney Spears album but not a Bruce Hornsby album. With the dawn of Amazon, iTunes, and product available right at our finger tips, the whole traditional economic strategy has completely shifted and changed, so now I can buy Bruce Hornsby and have it right now. The book explained how we have shifted from the traditional supply and demand model to selling less of more. This example was represented in the Long Tail depiction below, the head which is the most in demand, the tail the less frequent. So how does all of this equate to information security? Ryan took the Malware Domain List and from 2006, applied the long tail to malicious software. It had some great results. We cleaned it up a little bit, if you want a full list you can see it here. If you look, we are all accustomed to the ones that have made news, Zeus, Fake AV, things that are prevalent when we talk malicious software and things we focus on in our network. However, looking at the tail, you can see additional ones we may not know, like the YES Exploit Kit, Bredolab, and other pieces of malware that may not have made news but could have a higher rate of impact to an organization. Taking a look at what we invest in as organizations, it's primarily to protect what we are accustomed to in the head. For example, the SQL Injection, the Cross-Site Scripting, Malicious Software, Buffer Overflows, and the list goes on. We've spent millions on protecting our perimeter, locking down our users, and buying the latest security product to fix our inherit flaws with security with our organization, almost purely on what we know and recognize in the head of the long tail. Let's take the banking industry, if you look at what is true impact towards the organization, from the depicted graph, you can see there are items in the tail which have a larger impact to the business that expand more than our traditional control framework we've implemented into our business. Let's apply this to the information security field. We invest in anti-virus (which isn't protecting us anymore), HIPS, NIPS, WAF, SIEM, NAC, and all of these technologies to protect against head related attack vectors. What we're seeing in the industry is that these types of investments are absolutely warranted and needed, but we are missing a whole slew of additional attack vectors that we never see and go un-noticed. Ryan used a good example, a hacker breaks into the pbx server, sets up a 1-800 number that is for "technical IT support" and racks up 5 grand each month on support fees. A large organization would never detect that and could go on for months, if not years. Let's take Social-Engineering, something we are getting pounded with right now but aren't solving the core issues related to this (people). A product will never solve your wildest dreams in protecting against these types of attacks. Let's take a look at where commercial techniques fit: You can see the general lack of coverage when we start to leave the head of the long tail. So whats the solution in protecting against high impact and low detection in security? We came up with a good quote that I think resonated with me "Commercial security products are designed to handle the head. Great security people defend against the tail." Companies need to invest in resources that are experts in the field, that understand different threats and the impact towards organizations in order to defend against them. The reliance on technology and software in order to plug exposures continues to increase, and security budget has skyrocketed over the past few years. Your seeing the majority of these technologies fail and fall flat. We will continue to see breaches occur towards every organization, and even those that have significant security budget. Purely because they haven't invested in the adequate resources to protect the organization. Tying this into third party penetration tests, are your security providers testing against the tail? Do they understand your organization and the impact a specific system or piece of data has on the company? If you read the traditional penetration testing is dead blog I wrote this month, that is your standard commercial product. Something that provides value however isn't where the true impact can occur. While nothing is perfect, a group of dedicated and skilled security people can make the whole world of difference in protecting from the tail. We'll never be 100 percent protected, but the ability to make it hard, real hard, and detect if someone breaks your armor can make the world of difference in minimizing damage and the impact to the business. Are you defending against the tail? If your interested in our presentation you can download it: Here