Can you believe it - we are already on day 29? This month has gone very fast and we are scurrying to the end of the road.
Today's question is: Should I Switch Software Vendors?
This topic was a bit perplexing to me when I first read it. As I began to think about the question in the realms of Recovery, I began to ponder the answer.
If we are talking about OSs - does it really help to switch software vendors? Does it really solve anything? Is one company really any better than the others? And how much of the problem was caused by us and our failure to perform the recommended updates, apply security patches, and close the holes as recommended by the vendor or the Security World?
If we are talking about applications, be it Security or Network Monitoring software, that may be a different story. If the application you were using didn't perform as expected, perhaps it is a good time to take a look at what the competition is offering. However, again, we can't blame the application if we didn't do the vendor-recommended updates.
There are so many different types of software that could be discussed. There are pros and cons to all of them. What works for me may not work for someone else in their environment. Another concern I would have is that at the time of recovery you may not have a lot of time to learn a new product. This may lead to a failure in securing the system adequately.
We would like to hear from our readers. What is your opinion on this question? Should you switch software vendors, and under what conditions? How do you decide what to switch to, and how do you determine that it will be any better than what you were using?
Let us know what you think.
We have received some really good feedback from some of our readers. I thought I would share some of it.
One important thing to consider during a recovery is if changing any software directly impacts any policy compliance. Do you have product evaluation criteria, customer requirements or documentation requirements? Changing the software may fix a single issue but may open up a whole host of other issues which may knock you out of compliance.
From Gary K
Changing software vendors, in general, is only a benefit if it offers a more robust security venue for your environment. It's not a cure-all for all organizations, but it may benefit some. Should your environment need a change because it is tagged by a hacking group who normally can get in with much trouble?
Changing the Router/Firewall company/IOS will make a difference. But as a last line of defense, a software firewall and antivirus combo that works well with each other might be the trick. Don't forget - changing software may not be the issue - it may be the configuration of the software that may be the weakest link. It boils down to Risk Assessment, and budget.
From an anonymous contributor
In terms of InfoSec and Incident Response I seek to build all of the following into SLAs/contracts:
Very tough question to answer because it is environment specific. In general, there are two options that should be considered for every project that represent the ends of the spectrum: "do nothing" and "rebuild from scratch". In reality, what usually happens is somewhere in between. My opinion (again in general) is that OS switching is actually easier than most people make it out to be. There seem to be more religious and political reasons than pure technical reasons not to utilize multiple OSs. Well established, effective sys admin and patching procedures are adaptable between AIX, HP/UX, Linux, OS X, Solaris, Windows, etc. Each one has quirks. Each one has strengths and weaknesses. Effective network and sys admins can adapt to these quirks. The problem I have most often seen is that personal, political or <sarcasm> religious </sarcasm> preferences skew choices from objective decision making. Often, the choice is decided by what application is going to be run on that system. Relying too heavily on one OS may diminish the IT/Security group's ability to have choice in what products it elects to use. I think an interesting outgrowth of the singular OS culture is the "appliance" offerings from vendors. The vendors have accepted the OS maintenance (of usually Linux) in exchange for the ease of developing on (and controlling) their OS of choice.
Oct 31st 2008
I guess another way to understand this could be using different software in different lines of defense, i.e., the antispam/antivirus solution could be from brand XXX, the local AV in servers (especially in file servers) from brand YYY, and finally in the workstations from brand ZZZ. This way your possibility of detecting an incident/risk is higher because you are using 3 different technologies.
Also, this idea could be extended to hardware vendors, especially to avoid issues/disasters like a massive vulnerability or even a bankruptcy that may affect all your HW devices.
This focus depends absolutely on the context; if I am the designer of a BCP, you can be sure we don't want anything that increases the variables to control (or try to control :P).
This is an interesting discussion.
Oct 30th 2008