Security Software... why I don't recommend any
... a response to the general question asking for security software recommendations....
It's amazing how often I'm asked to recommend security software and
services to use. For the record, I don't think I can give a
particularly satisfying answer, because I don't recommend anything
over anything else. It is my professional opinion that the
software won't make you substantially safer. And, frankly, anyone
who tells you otherwise is probably trying to sell you something.
There is a longer version that gets a lot more complex, but most
people get lost, because it's complicated.
- Most of my computing environment isn't vulnerable to Windows or
Mac malware, at the cost of requiring a heck of a lot more technical
skill and attention to achieve my tasks. My thinking and approach are
shaped by my ability to recognize and undo damage, which may make my
response impractical for you.
- My technical environment is dramatically more complicated than
most home or small business networks.
- I do use security software solutions when I use platforms that are
vulnerable, but for liability reasons would require a consulting
engagement before I will identify them.
- It's probably a bigger deal to address how you can recover your
data if it gets lost/corrupted/destroyed than it is to seek out
anti-malware, firewalls, or the like. That means backups, which are
frequent and reliable. I like systems that use 'opportunistic
synchronization' to capture on-disk changes in near-real-time, with
'versioning' of data objects so that you can get to previous
revisions.
- The bulk of the security benefits I receive come from my behavior,
not from my software.
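The bullet on backups describes two properties worth more than any anti-malware product: changes are captured as they happen, and every earlier revision stays retrievable. The following Python script is an added illustration of that design, not code from the original post or from any product the author uses. It keeps content-addressed snapshots of a directory (identical file contents are stored once under their SHA-256), only records a snapshot when something actually changed (the "opportunistic" part), lets you list and restore any prior revision, and verifies the stored object's hash on restore so silent corruption of the backup store is detected rather than copied back. The names `snapshot`, `versions`, `restore`, `watch` and `demo` are this example's own, and the `demo()` scenario is constructed.

```python
"""Versioned, content-addressed directory snapshots (added example, not the post's code)."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import List, Optional, Tuple


def _digest(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _manifest(src: Path) -> dict:
    """Map relative path -> content hash for every regular file under src."""
    return {str(p.relative_to(src)): _digest(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def _snapshot_files(store: Path) -> List[Path]:
    """Snapshot manifests in the store, oldest first (ids are zero-padded counters)."""
    snaps = store / "snapshots"
    return sorted(snaps.glob("*.json")) if snaps.is_dir() else []


def snapshot(src: Path, store: Path) -> Optional[str]:
    """Record a new revision of src; return its id, or None when nothing changed."""
    files = _manifest(src)
    existing = _snapshot_files(store)
    latest = json.loads(existing[-1].read_text())["files"] if existing else {}
    if files == latest:
        return None  # opportunistic: identical tree, no snapshot written
    objects = store / "objects"
    objects.mkdir(parents=True, exist_ok=True)
    for rel, digest in files.items():
        obj = objects / digest
        if not obj.exists():  # dedup: each distinct content stored exactly once
            shutil.copyfile(src / rel, obj)
    (store / "snapshots").mkdir(parents=True, exist_ok=True)
    snap_id = f"{len(existing):06d}"
    (store / "snapshots" / f"{snap_id}.json").write_text(
        json.dumps({"taken": time.time(), "files": files}, indent=1))
    return snap_id


def versions(store: Path, rel: str) -> List[Tuple[str, str]]:
    """All (snapshot_id, content_hash) revisions of one file, oldest first."""
    out = []
    for snap in _snapshot_files(store):
        files = json.loads(snap.read_text())["files"]
        if rel in files:
            out.append((snap.stem, files[rel]))
    return out


def restore(store: Path, snap_id: str, rel: str, dest: Path) -> bytes:
    """Write the revision of rel recorded in snap_id to dest and return its bytes."""
    files = json.loads((store / "snapshots" / f"{snap_id}.json").read_text())["files"]
    data = (store / "objects" / files[rel]).read_bytes()
    if hashlib.sha256(data).hexdigest() != files[rel]:
        # The backup store itself can rot or be tampered with; refuse to restore silently.
        raise ValueError(f"stored object for {rel} fails its integrity check")
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_bytes(data)
    return data


def watch(src: Path, store: Path, interval: float = 2.0, rounds: Optional[int] = None) -> None:
    """Poll src and snapshot whenever its contents change (near-real-time capture)."""
    done = 0
    while rounds is None or done < rounds:
        snap = snapshot(src, store)
        if snap is not None:
            print(f"snapshot {snap} taken")
        time.sleep(interval)
        done += 1


def demo() -> dict:
    """Constructed scenario: a note is saved, overwritten, and the first revision recovered."""
    with tempfile.TemporaryDirectory() as tmp:
        src, store = Path(tmp) / "docs", Path(tmp) / "backup"
        src.mkdir()
        note = src / "notes.txt"
        note.write_text("draft 1")
        first = snapshot(src, store)
        unchanged = snapshot(src, store)  # nothing changed -> None
        note.write_text("draft 2, overwrote the good one")
        second = snapshot(src, store)
        recovered = restore(store, first, "notes.txt", Path(tmp) / "restored" / "notes.txt")
        return {"first": first, "unchanged": unchanged, "second": second,
                "revisions": len(versions(store, "notes.txt")),
                "recovered": recovered.decode()}


if __name__ == "__main__":
    print(demo())
```

Run it and `demo()` reports two snapshots, a skipped no-change poll, and the original "draft 1" text recovered from the first revision. Polling with `watch()` is the simplest form of near-real-time capture; a production tool would subscribe to filesystem change notifications instead, but the store layout and the hash check on restore are the parts that matter.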
Why am I so down on software for prevention of security problems?
- Because I don't think prevention works when implemented in software.
- Anti-malware software (including antivirus, antispyware, endpoint solutions and "security suites") is largely ineffective.
- Most malware infections are "polymorphic" now, and most are designed to be missed by basic heuristics and by pattern recognition.
The best anti-malware solutions have heuristics and fuzzy matches that hit somewhere around 20% of the active threat factors out there. The other 80% are just not defended against.
- In my use cases, I see a noticeable performance cost for the limited benefits.
- Because prevention really only works based on personal, individual vigilance against well-understood threats and managed risk. The vast bulk of people don't have the necessary discipline, knowledge, and skills to do that, and don't have the necessary drive to build them.
The way I look at it, security runs across five phases of activity, in a cycle:
- Identify: what you have, what you value, what it's worth, what can threaten it, how bad those threats are if realized, and how likely each threat is to be realized.
- Protect: measures which prevent a threat from being realized
- Detect: ways to tell that your protection measures are working... or not working.
- Respond: what to do when something has gone wrong, and
- Recover: how do you make it right after things have gone wrong?
Most people seem to think that protection is enough. It's not. It's the "easiest" part of the problem, and as a result typically receives far more investment and attention than it should to maximize value. There isn't a whole lot of consumer software that focuses outside protection, because everything else requires an investment in expertise, perspective, training, and attention... but that's where the real security gains are made.
Being secure isn't about stopping a bad guy from getting at my
stuff. It's about making sure he isn't going to do any lasting harm that
I'm not prepared to live with.