And Gary McGraw, CTO of Cigital, said Yoran was "stating the obvious" when he said the adversaries are winning, but was missing the more important point -- that too many systems don't even have a good perimeter to defend. "Perimeter security only works if you have a perimeter," he said, "and that starts with building things that don't suck. He's got the cart before the horse, and the cart is in a different state."
In his keynote, Yoran said a major reason the security industry needs a new "map" is because, "we can neither secure nor trust the pervasive, complex, and diverse endpoint participants in any large and distributed computing environment, let alone the transports and protocols through which they interact."
His colleagues say that while they agree endpoint protection is a problem, they think a blanket statement like that is overly broad.
"Yes, the PC endpoint is lost indeed," Chuvakin said "But strangely enough, a mobile endpoint is a bright area -- despite all the whining about Android malware, iOS and Android are relatively unscathed."
And Gula said it doesn't apply to all business sectors. "Manufacturer of ATMs who run their own network, write their own code, etc., would completely disagree," he said. "ISPs that carry their customer's data would disagree as well."
There were also mixed views on Yoran's five recommendations (see sidebar) for the industry to "reprogram itself for success." Two of them are to, "stop believing that advanced protections work," and to, "adopt a deep and pervasive level of visibility everywhere, from the endpoint, to the network to the cloud -- what SIEM (Security Information and Event Management) isn't, but was meant to be."
Chuvakin said that just because something is not 100% effective doesn't mean it doesn't work.
"Try this for size," he said. "A bulletproof vest does not work, since you can be shot in the head or burned or shot with an armor piercing bullet. Nobody thinks like that."
But he and others agree with the need for more visibility. Pirc said that, "what you can't see will in fact hurt you in the long run," he said. "That's why you need visibility throughout your entire infrastructure."
Sudhakar notes, however, that saying visibility and achieving it are two different things. "A big part of the problem is that while we have a handle on known threats, we do not have a good handle on unknown or hidden threats," he said.
And McGraw said visibility, while a good thing, doesn't matter that much if systems lack security by design. "You should do that, but build good stuff first," he said, likening it to tracking termites in a house built of wood. "You can spend your time with a whole army tracking termites, or you can change your building material from wood to steel," he said.
Sign up for MIS Asia eNewsletters.