Wednesday, May 20, 2015

Research calendar for 2015

My post-RSA research is moving along at a nice accelerating pace! After being laid up for far too long, I have set an ambitious 2015 plan intending to cover:

  1. User controls and behavior analytics,
  2. Next generation endpoint security,
  3. Securing virtualized infrastructures,
  4. Re-imagining file security, and
  5. Advances in practical network integrity monitoring

My user controls and behavior analytics report is well underway with several vendor briefings and a few background-only enterprise briefings already completed, with a June publish date targeted. As usual, my security segment reports always turn up interesting trends: what started out as "protect the business against unauthorized privileged insider activity" has become more of "protect the business against malicious threats via inappropriate user behavior detection". That makes sense in that security must detect malware grabbing a user's credentials, and enterprises always have more budget for anti-malware provisions than for controlling users. Stay tuned as I dig deeper into some clever innovations that every security team should be evaluating.

Along the same line, vendors are looking at re-imagining file security in light of malware protection and the evolution towards cloud architectures. It is stunning to think in these days of disclosing sensitive data loss that none of the primary security technologies - firewalls, antivirus, IPS, IAM, SIEM - have any concept of file security! The best you can do is to control access to servers, but honestly you cannot control where your files go once they reach a remote PC. Fortunately, there are vendors worrying about what happens to your files once they travel beyond the firewalls. There are some excellent concepts discussed by SC Magazine and FinalCode in a May 21st webcast that you may find interesting.

A lot of vendors are scrambling for a category to detect attacks that evade classical signature-oriented defenses. I am quite enthused about the next generation endpoint players and about those looking at the problem from a network integrity viewpoint. Lots seem to be scrambling towards EDR even though nobody, including Gartner, really knows what EDR is. So I'll take a crack at defining next generation endpoint security and network integrity with an eye to solving specific enterprise problems that cannot be solved via classical methods.

Finally, let's hope that the government actually does the right thing by restricting NSA cyber activities, and that the NSA stops treating laws like Massachusetts drivers treat yellow lights. Just because you can eavesdrop, collect data on private conversations, and develop malware attacks doesn't mean that you should. Mother's Day just passed - maybe the NSA got an earful from their moms on how to behave?

Friday, May 1, 2015

Hard to believe that it has been almost a week since I got home from RSA 2015! It was a whirlwind week reconnecting with friends and having fascinating security discussions at every turn. Security is riding high and this had to be the largest RSA Conference yet whether measured by numbers of attendees or exhibitors!

Of course, there is always a mix of experiences so here is my brief recap of the highs and lows of the week.

Things that made me smile:

  1. The new breed of network security vendors, including Cyphort, Elastica, Lastline, and TaaSera taking dead aim on detecting malware within enterprise networks. They take different approaches, but all of them combine intelligent analysis of network and endpoint behavior to fill in the blanks between AV and IDS systems. Neat stuff!
  2. FIDO and smartphone based authentication systems that elevate the prospect of widespread consumer adoption by distributing proof of identity to remote devices. There are so many phones and devices that a person carries that separately purchased and managed security tokens are becoming less and less appealing. I talked with Identiv, Keypasco, Nok Nok, and RSA VIA at the show and came away from each excited about the future direction of authentication.
  3. A shout out to the RSA Conference itself for their edict banning booth babes. It seems like more than a few sharp female security professionals were being treated as if they were at the conference only for their looks, and of course others were there only for their ability to flaunt their curves and swipe badges. The conference committee put an end to that practice and the RSA experience was far, far better as a result. Two thumbs up there!
  4. Best parties? I bumped into a lot of folks at the Qualys event, and scored an autographed copy of Brian Krebs's Spam Nation for reading on a rainy New England day. I also had a great time clubbing with Royal Blood, thanks to vArmour, where it was dark enough that only a few close to me could laugh at my excuse for moves :).

Things that made me pause:

  1. "Security is broken". I must have heard this a hundred times throughout the week, from CEOs to demo engineers. Unfortunately, most of the people saying "security is broken" followed it up with an upbeat description of their product's 5.2 dot release, which hasn't moved the security bar in years. I would have liked hearing more innovative attempts to fix security's problems.
  2. I can't help but feel that the attention paid to Threat Intelligence is the best example of how broken security is. Think about it: it is basically tossing threat information to enterprise security and telling them to go protect themselves. It seems it is our job as security professionals to analyze security threats, protect the enterprise, and help them recover when an attack inevitably breaks through.
  3. My federal government tax dollars at work. I honestly do not see how the government believes it should be in the consumer security business, and nothing has shown me that they can do the job even adequately. Yet, there were booths in the exhibit halls by the DHS, DHS Science & Technology, FBI, Federal Reserve Bank, NSA and Treasury. I get that DHS is the leading vertical for many security vendors, money talks and lively discourse is good. But wouldn't we be better served if the government figured out how to prosecute cyber-thieves, established national disclosure policies, and educated enterprises on investigative requirements for incident response plans?