Changing Security As We Know It - Software as a Service (SaaS) Has Arrived Giving Rise to Plethora of Security Applications

Philippe Courtot, Chairman and CEO, Qualys, Inc.

We are entering into a new world. The rate of innovation is continuing to accelerate.

The Inconvenient Truth. 50% of corporate data resides unprotected on PC desktops and laptops. 1 out of 10 laptop computers will be lost or stolen within 12 months of purchase. 29.5 days is the average time it takes to eliminate half of the known critical vulnerabilities on corporate networks. This is only a 0.5 day improvement.

Securing the enterprise is getting harder and harder.

Why is security so hard? Too many variables, too many security patches, long software release cycles, and technology is moving too fast. The burden is all on the enterprise.

The Cloud Computing Era

Software as a Service (SaaS). Infrastructure and Platform as a Service (IaaS, PaaS)

Cloud computing answers the IT business needs of agile, 21st century economies.

Why is it so disruptive? No IT resources needed, a delivery model that scales, disruptive business model, easier to select vendors.

One of the biggest advantages is the ability to quickly and inexpensively try things without a large capital expenditure.

The current financial situation is accelerating the adoption of cloud computing.

Why has adoption taken so long? Resistance to change, Internet limitations (i.e. browsers, etc.), and the Internet bubble (.com bust).

There is a tsunami of Enterprise SaaS solutions now coming to a browser near you.

What about security? A counter intuitive reality. Security can be made more granular and invisible in the cloud.

Why is this possible? Security can become part of the fabric.

What are the implications for the security industry? Accelerated consolidation. Major shift in buyers. Buyers of today are the enterprises, the buyers of tomorrow will be the cloud providers. Emergence of new players.

It is not about the survival of the fittest or the biggest, but of the one who adapts!

What are the implications for the security professional? Resistance is not an option anymore. We will be dealing with more complexity. We still have to deal with the current complexity and at the same time deal with the cloud.

What are the missing pieces? Technology: a more secure and advanced browser, stronger authentication federated in the cloud, secure open protocols and standards. Legal: SLAs, audits and compliance, privacy, location and ownership.

Closing with: embrace the change.


Securing the Smarter Planet

Brian J. Truskowski, General Manager, Internet Security Systems (ISS), IBM Global Technology Services (GTS)

1995 was when the first really themed RSA conference happened. A lot has changed since then.

We all need to remember one thing. Bad times are the opportunity for companies to become great companies.

In bad times, change is not only possible, it is necessary.

The winners are not just surviving right now, they are preparing.

A significant number of CEOs saw change coming, but said that they couldn't manage it. Systems and processes are too rigid to manage change. Change is required.

Businesses that embrace change are the ones that can excel in this type of environment. Ready to seize opportunities. Keep enterprises focused on values and goals.


He states that the security industry's goals and values are misaligned.

Talking about IBM being everywhere and able to see broadly because of that.

They see the world becoming a smarter planet. Instrumented: sensors embedded everywhere. Interconnected: soon 2 billion people on the internet, 4 billion mobile users. Intelligent: data explosion, powering new systems for analyzing and using this data.

Ubiquitous computing. Rapidly approaching the day when there will be more smart devices accessing the internet than PCs.

Every day 1 million people become cell phone users. Mobile computing is a ticking time bomb from a security perspective.

There is only so much you can do to mitigate security issues after a system has been deployed.

Security must become a function that enables business activities by being inherently embedded in all facets.

If you can respond to change more effectively than the competition you will win.

Changing to discuss social engineering. Humans are the weakest link in the security chain. Social engineering still very effective.

"Humans are an infinite threat to information security."

We need to design systems and processes that are resistant to human deficiencies.

Reduce complexity.

Successful businesses will embrace smarter security.

Pushing security as a business enabler (I don't agree with security as an enabler.)

Security spending must be contained.

Change and collaboration will be required to move forward in reducing cost and complexity.


The "Extreme Makeover" of Network Security

Brian Smith, Ph.D., Chief Technology Officer, TippingPoint

Talking about converging security technologies. (A bit TippingPoint vendorish.)

Too many consoles. Each inline device has its own console. Three problems: total cost of ownership (i.e. staffing, etc.), inconsistencies with security policies, (he lost the third one).

System integration. Lack of automation makes it difficult to integrate.

Leverage. Devices should be able to leverage each other.

Going to talk about "Too many consoles", "System Integration" and "Leverage".

Proposing a tag tables approach where an IP address or network is tagged with attributes. Those tags are then used in rule tables. Tags are used to turn on filters. The active rule table is generated from the tags before matching takes place.

Now talking about how tags can be updated in many different ways. Automation becomes possible.
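An added illustration of the tag table idea described above (my own example, not TippingPoint's code): hosts and networks carry attribute tags, rules are written against tags rather than addresses, the active rule table is generated from a flow's tags before matching, and re-tagging a host is the automation hook that changes the rule set. The tag table entries, rule names and filter names are constructed for the example.

```python
"""Tag-table rule activation: rules reference tags, never addresses."""
import ipaddress
from dataclasses import dataclass

# Tag table: a network (a single host is a /32) maps to a set of attribute
# tags. Entries are constructed sample data for this example.
TAG_TABLE = {
    ipaddress.ip_network("10.0.0.0/24"): {"finance", "internal"},
    ipaddress.ip_network("10.0.1.0/24"): {"guest"},
    ipaddress.ip_network("10.0.0.7/32"): {"web-server", "pci"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    ips_filter: str        # the filter this rule turns on when active
    requires: frozenset    # tags that must all be present on the flow

# Rule table written against tags. Filter names are hypothetical.
RULES = [
    Rule("sql-injection-guard", "filter-sqli", frozenset({"web-server"})),
    Rule("card-data-egress", "filter-pan-dlp", frozenset({"pci"})),
    Rule("guest-block-smb", "filter-smb", frozenset({"guest"})),
    Rule("finance-strict", "filter-exploit-kits",
         frozenset({"finance", "internal"})),
]

def tags_for(addr: str) -> set:
    """Union of the tags of every tagged network containing the address."""
    ip = ipaddress.ip_address(addr)
    tags = set()
    for net, net_tags in TAG_TABLE.items():
        if ip in net:
            tags |= net_tags
    return tags

def active_rules(src: str, dst: str) -> list:
    """Generate the active rule table for a flow from its endpoints' tags,
    before any packet content is matched."""
    flow_tags = tags_for(src) | tags_for(dst)
    return [r for r in RULES if r.requires <= flow_tags]

def active_filters(src: str, dst: str) -> set:
    """Filters that must be switched on for this flow."""
    return {r.ips_filter for r in active_rules(src, dst)}

def retag(addr: str, new_tags: set) -> None:
    """Automation hook: update a host's tags (e.g. from a scanner feed).
    No rule is edited; the next active_rules() call reflects the change."""
    TAG_TABLE[ipaddress.ip_network(addr)] = set(new_tags)

if __name__ == "__main__":
    print(sorted(active_filters("10.0.1.5", "10.0.0.7")))
    retag("10.0.1.5", {"guest", "web-server"})
    print(sorted(active_filters("10.0.1.5", "192.168.1.1")))
```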

The threat landscape is changing. Applications are now the targets.

Sorry for the disjointed reporting on this one. A bit hard to follow. Key points were to use convergence to battle too many consoles, system integration problems and automation.


The Cybersecurity Challenge - How Do The Good Guys Win?

Dave DeWalt, Chief Executive Officer and President, McAfee, Inc.

It's a tough job to run security.

Wants to talk about two things: 1) State of security, seeing some trends. 2) Path forward.

Obviously the economy has had a downward slope; conversely, data breaches, malware and FTC complaints are increasing like crazy.

Talking about the 1 trillion dollars in intellectual property losses worldwide.

"Several years ago zero countries armed for cyber-warfare." Everybody was about protecting, defensive.

"Today 20+ countries armed for cyber-warfare." Offensive strategies.

Not limited to governments. There are individuals and groups.

Talking about Conficker and how we don't really understand what it is about yet.

"Why is this happening?" (Growth of cyber crime)

Malware growth; countries do not work together well yet. Looks like a 500% increase in malware is possible in 2009 again.

Many many devices coming online, mobile devices, critical infrastructure becoming IP addressable. The huge growth of social networking and web 2.0 technologies.

"What's the outlook?" Not so good. Using a weather analogy: rain, thunder and lightning for the next five years.

Why? No protection, security cutbacks, complex attack vectors.

Attack Scenarios. Multi-vector attacks. Point products don't work well because they don't share data. Integration and learning between products is vital to protecting against these types of attacks.

The CISO nightmare: Money, reputation, and jobs.

The Future. What are we going to do about it?

Weather analogy again. Sensors anywhere. There are weather sensors all over the place. Reporting information back to a correlation point. We need to do the same with security. Gives us global intelligence.

Visibility is very important.

The future is multi-layered, multi-correlated, with real-time visibility.

Multi-layered from silicon to satellite. Sensors everywhere: chips, storage, OS, VM, database, web, satellite.

Correlating across sensors and products now becomes very important. Trying to figure out ways to quickly correlate information. Correlating to a cloud was mentioned several times.

Real-time visibility across all products.

Now going through an attack scenario to demonstrate what this might look like. Demonstrating how this can work when we can see multiple vectors and how correlation lets us determine something more quickly.

Global Threat Intelligence database in the cloud.

Re-iterating multi-layered, multi-correlated, and real-time visibility.

All done.


Collaborate with Confidence

John Chambers, Chairman and CEO, Cisco Systems, Inc.

We must be able to collaborate securely.

Mobility and collaboration are changing how business gets done.

Integration of voice and data.

Cloud computing, virtualization. You won't know where your data is. You won't know where your content is.

This is all a security nightmare.

Three major questions:

  1. How are we going to use tech. to protect us from attacks?
  2. How do we trust what we are using (that it has not been changed)?
  3. How do we keep "bad stuff" out and the "good stuff" in?

Believes we are entering a decade where productivity will grow by 3-5 percent.

Innovation and Security must coexist, have to do it architecturally and integrated.

Operational excellence is very important to the C-suite. Even more so than innovation.

Gotta have a 5-10 year vision, a 2-4 year strategy, and 12-18 month execution. Need these plans.

Talking about Cisco market transitions.

Keep bad stuff out, keep good stuff in - Simple concept, complex solution.

Reiterates that we must have a secure architecture to keep ahead of the bad guys.

"Network is the platform for Security."

Says that security is at an inflection point.

Starting to talk about how Cisco is approaching this.

Talking about Cisco security intelligence operations now. 500 GB of info daily inspected, 500 people, 700k sensors, this includes customer assets.

Now talking about Cisco Cloud Services.

Talking about things like Twitter, social networking, vlogging, etc. Showing how quickly this type of traffic is growing.

Growth in the huge percentages.

Collaboration requires process changes, understanding where technologies are going, and how it affects your culture and people.

Some rah rah, we're Cisco and we're great talk.

All done now.


Information Governance Goes to Court

Moderator: Jeffrey Toobin, Senior Analyst, CNN
Panelists: John Facciola, United States Magistrate Judge; Shira Scheindlin, United States District Judge; Jon Stanley, Director of InfoTech Legal Research, Elchemy; Steven Teppler, Senior Counsel, KamberEdelson, LLC

Toobin mentions two cases that took so long because of electronic discovery. Why did they take so long?

Shira: The first case was gender related. The plaintiff kept all her email. When requested from the company, only 7 showed up. She pushed hard and got more from the backup, which actually told the story. The verdict was in her favor.

Facciola: Disabled people said they were being discriminated against. Again missing email was key. Backup tapes again were used to get emails. Case settled.

How to avoid problems?

Steven: Setting up in advance is key. Having a plan.

Mod: What about the cost?

Jon: Cost is almost everything. Both money and time. Be prepared up front for this process. It will be much less costly. Legal and tech must work together.

Shira: Commenting about cost shifting and sharing. Should the plaintiff share in that cost? New rules have a cost sharing and/or shifting portion.

Mod: How do you measure what is an appropriate cost?

Shira: Nobody has an absolute right to everything. We (courts) have to be reasonable. Is the data reasonably accessible?

Lots more discussion of cost.

Seeing a decrease in cost.

Shira: Evidence is not always against you. Make sure you remember that. Mentions the assumption of asymmetric cases.

Current talk about why civil litigation is not going to trial.

Shira: 97% settle out of court.

Facciola: Judges are still very involved in settling cases.

Mod: What is reasonable treatment?

Shira: Discovery rulings are at the lower court level. No hard guidance.

Mod: What does it mean to look for data in a modern company?

Steven: Where is your data stored? Where is it backed up? With cloud computing, data is everywhere and anywhere. Searching and preserving gets much more complicated. No real legal precepts at this point.

Mod: Advice?

Steven: Outreach programs. Working with standards bodies.

Mod: Same question

Jon: Groups (ABA, etc.) are trying to come up with "best practices" and standards by working with groups like RSA and others and feeding that input back to lawyers.

Humor about not needing to describe data breach to the audience.

Jon: There is no case law to support data breach notification, patch management, etc.

Mod: What kind of sanctions are available to judges?

Facciola: They do everything in their power to avoid the need.

Shira: Sliding scale of sanctions, money to evidential sanctions to default judgments all the way up to contempt of court.

Mod: How do you convince people that it is worth spending the time and money ahead of time?

Steven: Current processes to keep data secure and intact are in general the same processes you would use to get evidential data. More of a repurposing.

Jon: Doing it is kind of like insurance. It could save you in the future.

Shira: Litigation is a cost of doing business. Companies of this.

Mod: What records other than email?

Steven: System metadata, application metadata, logs, processes, procedures, etc.

Jon: Audit logs.

Back to lots of discussion about cost.

Interesting comment from Facciola about the human component in the review of the amount of data to be looked at. Automation required.

Mod: Discussion about search now.

Steven: Keyword searches and boolean searches. Context and content searches, which look for patterns.

Shira: New techniques are always being developed.

Mod: What's the first thing a company should do when sued?

Steven: Make sure the "litigation button" gets turned on. Make sure documentation is being saved.

Jon: Activate a team that can make decisions, with responsibilities established.

Shira: Litigation hold must go into effect immediately. Suspend auto deletes.

Facciola: Get competent legal advice.

Some discussion about outsourcing of e-discovery review. It is causing some problems.

Panel closes.


The Obama Administration's Cyberspace Policy Review

Melissa E. Hathaway, Acting Senior Director for Cyberspace for the National Security and Homeland Security Councils

Mission Impossible theme starts up, describing the current situation and giving her the mission to derive a strategy to protect our infrastructure. 🙂

The United States is at a crossroads. Cyberspace underpins all facets of our society.

The review was requested to get a common understanding of the problem.

Talking about the current issues such as the ATM network heist and others.

The infrastructure is neither secure enough nor resilient enough.

Talking about the details of what they looked at in the review. Lots of stats. Legal issues were dealt with.

Talking about engaging all kinds of areas, academic, government, business, etc.

Transparency was vital to the success of the review. Saying there is a lot of work to do. Won't be done overnight. It is a marathon.

Security is a marathon. The review was completed April 17th. It provides the President with a recommendation for a White House organization to guide the implementation.

Leadership must come from the top. From a broader perspective.

Public and private interests are intertwined in securing the digital infrastructure.

Partnerships will be required to truly enhance cyber security. Research and development will be key.

Cyber security is not just the responsibility of the government and business, but of everyone.

That's it.


Cryptographer's Panel

Moderator: Ari Juels, RSA Laboratories

Panelists: Whitfield Diffie, Sun Microsystems; Martin E. Hellman, Stanford University; Ronald Rivest, MIT; Bruce Schneier, BT Counterpane; Adi Shamir, Weizmann Institute of Science, Israel.

I'm not sure how well this is going to work for a panel. We'll see. It will be starting in the next few minutes.

Here we go.

Ari mentions the catastrophic failure in risk management in financial securities.

Opening thoughts by panelists.

Diffie: Mentions some prominent cryptographers who have passed in the last year. He is bullish on cloud computing, which represents a challenge to information security that we haven't really seen before. You have to put your best information out there or you are going to go out of business. How do you protect it?

Hellman: How risky is it? 1000 times riskier than a nuclear power plant near your home. Paper on site. "Soaring, Cryptography and Nuclear Weapons". Technology can be a great enabler and also a great danger. We have the power of gods and the maturity of 16 year olds. Human beings ignore risk until it is too late. Points out that many warnings were given about the financial issues prior to the recent issues.

Blarg. Computer malfunction. Lost the update for the last three. Current question: Are we headed for an infosec Pearl Harbor?

Bruce says no. Diffie thinks we are headed for more of a 9/11 instead of a Pearl Harbor. Adi says very low likelihood, but it could be very significant if it happened.

More computer difficulties. Missed question.

Lots of discussion about black swan events, and also that we need to be very careful where we spend our money because each dollar buys only so much additional security.

Closing Statements:

Diffie: If you are doing security you are counted as a cost center: "what can you do with 20% less?" If you are doing cyber operations, i.e. spying, you are seen as a profit center: "what more can you do with 20% more?"

Ronald: Cloud computing is going to be the focal area of a lot of our work. Terminology matters. Optimistic about it. A lot of hard work to do to make it work right and securely.

Adi: Points out that Conficker meets the criteria of being 1 month or older and on over a million systems.

Bruce: Who should be in charge of cyber security? Nobody. Top-down is not the right model. Distributed, i.e. everybody is responsible.

That's a wrap of the panel.


Moving Towards 'End to End Trust': A Collaborative Effort

Scott Charney, Corporate VP - Trustworthy Computing, Microsoft Corporation

Used to prosecute cyber crime.

Applications continue to be vulnerable.

The threat landscape continues to evolve.

A very information-dense slide is up right now that depicts end to end trust. It needs security/privacy fundamentals at the bottom, then a trusted stack and an identity metasystem, all covered by an integrated management and audit function. All of this needs to work within the arenas of economic forces, social requirements, and political/legislative issues, in alignment with them all.

Talking about Microsoft's Security Development Lifecycle. Mentioned the threat modeling tool released last year.

Trusted stack. This talk is very specific to what Microsoft is doing with their products and partners. While interesting, it is not what I intended as a live blogging exercise. This will be the end of this particular keynote blogging effort.



The New Security Agenda: Changing the Game

It is about information. It is the most valuable thing we protect.

We are in an environment of increasing complexity and risk.

When the internet was young we never thought about virtualization being available over the internet.


  • External threat environment is growing at an increasing rate and changing.
    • Moving away from mass distribution. Going to micro distribution. Targeted.
  • The internet continues to change from an internal perspective. Insider threat.
    • Not all malicious. Many accidental.
    • Some are malicious.
  • The current security model isn't working. It is time to operationalize security.
    • It needs to be risk based, information centric, responsive, and workflow driven.

Really pushing for workflow.

Blacklisting is important; whitelisting works too. New direction: reputation-based security.

Closing remarks:

Visibility and Control. Skiing metaphor about leaning forward to maintain control. Back to workflow and automation.

That's it for the second keynote. The third keynote starts at 10:00 am PST/3:00 pm EST.