This worrying report from InformationWeek.com suggests that AV vendors are missing the point and patching specific exploits, not the underlying vulnerabilities. Further proof, if any were needed, that defence against cyber attack needs a holistic approach blending everything from policy and people management through perimeter defences down to intrusion detection, malware detection, patching, good application software controls, removable media controls and incident response. We have to get in a room and plan the whole thing. AV is not dead, but it is no longer the big gun of our defences that it once was. Quoting Schneier: "antivirus software is neither necessary nor sufficient for security, but it's still a good idea. It's not a panacea that magically makes you safe, nor is it obsolete in the face of current threats. As countermeasures go, it's cheap, it's easy, and it's effective". But it's clear that holistic security, as discussed back in 2008 by IBM, is an approach whose time has definitely come.
As a Security Manager, sometime Consultant and former Analyst, this blog is the product of my industry experience in Enterprise Security gained in the financial sector plus years of project, service and people management. Drawing on my experience of both System z and "distributed" access control, IBM RACF and Tivoli - with ITIL and CISSP mixed in - I blog on the practicalities of security measures, trends in governance, risk and compliance (GRC) and, occasionally, on the current mainframe renaissance.