Some RSA 2005 Thoughts & Observations

For those outside the field, RSA hosts a conference annually in the bay area. It’s one of the big events for network security professionals. There’s a trade show exhibit floor with all the vendors hawking their wares, but also a series of daily keynotes and an array of educational class tracks.

I made no effort to blog the event. It was one of those times my pocket journal was far more convenient for capturing interesting ideas. I’ll actually probably post some thoughts on that in the next few days as I wander through my own notes. I’ve no intention of even attempting a blow-by-blow rundown, but wanted to share a few things I came away with.

Bill Gates gave the opening keynote. For all you anti-MS folks, you can skip down a paragraph or two. Gates delivered one set of pretty consistent messages that all bear out one theme - Microsoft is indeed serious about security. Sure, they’re bringing out a new IE 7.0 release. And yes, while he didn’t say so, it’s partially in response to Firefox. And yes, it’s part of Longhorn, which he mentioned by name, with a delivery date. I expect to see Scoble winding the topic up again.

John Chambers also gave a keynote. So did Art Coviello from RSA and a host of others.

While vendors elbow one another aside saying either “I do that better” or “me too,” there were two really obvious standout points. Every vendor represented (hundreds) consistently delivered the message “me too.” Even when they were convinced they were unique, they were all saying “I’m unique and different too.”

But the me too message wasn’t a bad one. Focal points for activity -

  • Secure internal assets
  • Prevent viruses
  • Segmentation of traffic for better control of flows
  • Access control (and identity management is the real theme here)
  • Secure critical information

Other themes and observations

The geeks won’t inherit the earth folks. Business concepts will drive security. The technical lexicon needs to give way to the language of business. That shift will drive more money into security budgets. It’s how the people who get things done will get things done.

Managers need to be able to immediately gauge the impact of an event in terms of

  • Time
  • Cost
  • Customers

That’s the only way they evaluate the business impact of a security event. Nothing else matters. Find a way to put security in that business context.

When you consider a new project, there are only three risk factors to consider

  • Regulation
  • Revenue
  • Reputation

Those are the drivers your senior execs will care about. When you’re making a business case for a new project, describe how your project protects and enhances each of these. If you want to win a proposal with your CFO, use the right lexicon - business and finance.

The role of CSO is changing from the role of NO to the role of HOW.
Security can’t be the disabling technology that says “sorry, but we can’t do that.” It’s time for creativity and entrepreneurial thinking in security that says “if we implement X security, we can win Y business.” Use security as a competitive advantage and help the business team make intelligent and informed risk decisions.

Good people will create a good methodology, but good methodology won’t create good people. People are the critical key. You have to give people the trust to do what they need to do, but you also have to make sure you put trustworthy people in those positions of trust.

Bruce Schneier spoke in an early session and delivered a typically Schneier-like message (fortunately sans the “buy managed services” pitch).

Security is a system, and systems are complex. Most vendors, no matter what they say, don’t design or understand systems. Nearly every security offering in the marketplace is a point solution to a point problem. Systems interact with other systems and do not exist in isolation.

Knowing how security systems fail is more important than knowing how they work. We in the field don’t care how they work, only that they do. We care about how they fail. How can we make them fail? Good security people break things because we need to understand the impact of failure.

Designing systems to survive - resilience and continuous operations - is a safety approach. In security we design for the malicious adversary, not safety. Think like the attacker. And remember, to an attacker, there’s no such thing as cheating. The goal is to make the system fail.

Security imbalances are brought on by technology changes. Smart attackers look for the leverage points. In new technologies, the imbalance generally gives the attacker greater leverage.

Complex systems are insecure because the increase in complexity progresses faster than the rate of increased security. We’re always catching up.

When it comes to attackers, skill and ability are very different things. Attackers used to need skill. Now all they need is the ability. Automation exacerbates our vulnerabilities and distance is not a factor. On the Internet, we’re all equidistant.

Remember that most attackers are copycats in some fashion. There hasn’t been a new crime in a millennium. Tactics change and technology gets incorporated, but they mimic and copy time and again. And they have a “budget” to work with. Attackers may have a budget of time, resources, people, and tools. They attack within their budget based on what their perceived return on investment of these resources is. Understand their budget and how the attacker defines ROI.

There was another undercurrent of conversation picked up by several major vendors - the big players. Some of them have gotten the message that “we suck less” is no way to win business and prevail in the security sector. There was a new sense of openness from a couple of 800-pound gorillas that I’ve not seen in years, and I do have relationships with both companies dating back many years. That was a good sign. A very good sign.