Cloud Security Alliance Congress Orlando 2012 pt5 – closing keynote

Closing Keynote – State of the Union

Chris Hoff, who is the author of the Rational Survivability blog, gave a great closing keynote covering the last few years via his previous presentation titles and content.  I can recommend reading / viewing the mentioned presentations.  This was followed by a brief overview of current issues and trends, and then coverage of upcoming / very new areas of focus we all need to be aware of.

What’s happened?

2008 – Platforms dictate capabilities (security) and operations – Read ‘The four horsemen of the virtualisation security apocalypse’

–          Monolithic security vendor virtual appliances are the virtualisation version of the UTM argument.

–          Virtualised security can seriously impact performance, resiliency and scalability

–          Replicating many highly-available security applications and network topologies in virtual switches doesn’t work

–          Virtualising security will not save you money.  It will cost you more.

2009 – Realities of hybrid cloud, interesting attacks, changing security models – Read – ‘The frogs who desired a king – A virtualisation and cloud computing fable set to interpretive dance’

–          Cloud is actually something to be really happy about; people who would not ordinarily think about security are doing so

–          While we’re scrambling to adapt, we’re turning over rocks and shining lights in dark crevices

–          Sure bad things will happen, but really smart people are engaging in meaningful dialogue and starting to work on solutions

–          You’ll find that much of what you have works… perhaps just differently; setting expectations is critical

2010 – Turtles all the way down – Read – ‘Cloudifornication – Indiscriminate information intercourse involving internet infrastructure’

–          Security becomes a question of scale

–          Attacks on and attacks using large-scale public cloud providers are coming and cloud services are already being used for $evil

–          Hybrid security solutions (and more of them) are needed

–          Service transparency, assurance and auditability are key

–          Providers have the chance to make security better.  Be transparent.

2010 – Public cloud platform dependencies will liberate or kill you – Read ‘Cloudinomicon – Idempotent infrastructure, survivable systems and the return of information centricity’

–          Not all cloud offerings are created equal or for the same reasons

–          Differentiation based upon PLATFORM: Networking security, Transparency/visibility and forensics

–          Apps in clouds can most definitely be deployed as securely or even more securely than in an enterprise

–          However, this often requires profound architectural, operational, technology, security and compliance model changes

–          What makes cloud platforms tick matters in the long term

2011 – Security Automation FTW – Read ‘Commode computing – from squat pots to cloud bots – better waste management through security automation’

–          Don’t just sit there: it won’t automate itself

–          Recognise, accept and move on: The DMZ design pattern is dead

–          Make use of existing / new services: you don’t have to do it all yourself

–          Demand and use programmatic interfaces from security solutions

–          Encourage network / security wonks to use tools / learn to program / use automation

–          Squash audit inefficiency and maximise efficacy

–          DevOps and security need to make nice

–          AppSec and SDLC are huge

–          Automate data protection

2012 – Keepin it real with respect to challenges and changing landscape – Read – ‘The 7 dirty words of Cloud Security’

–          Scalability

–          Portability

–          Fungibility

–          Compliance

–          Cost

–          Manageability

–          Trust

2012 – DevOps, continual deployment, platforms –  Read – ‘Sh*t my Cloud evangelist says …Just not to my CSO’

–          [Missing] Instrumentation that is inclusive of security

–          [Missing] Intelligence and context shared between infrastructure and application layers

–          [Missing] Maturity of “Automation Mechanics” and frameworks

–          [Missing] Standard interfaces, precise syntactical representation of elemental security constructs

–          [Missing] An operational methodology that ensures a common understanding of outcomes and ‘agile’ culture in general

–          [Missing] Sanitary application security practices

What’s happening?

–          Mobility, Internet of Things, Consumerisation

–          New application architecture and platforms (Azure, Cloud Foundry, NoSQL, Cassandra, Hadoop etc.)

–          APIs – everything connected by APIs

–          DevOps – Need to understand how this works and who owns security

–          Programmatic (virtualised) Networking and SDN (Software Defined Network)

–          Advanced adversaries and tactics (APTs, organised crime, nation states, using cloud and virtualisation benefits to attack us etc.)

What’s coming?

–          Security analytics and intelligence – security data is becoming ‘big data’ – Volume. Velocity. Variety. Veracity.

–          AppSec Reloaded – APIs. REST. PaaS. DevOps. – On top of all the existing AppSec issues – how long have the OWASP top threats remained largely unchanged??

–          Security as a Service 2.0 – “Cloud.” SDN. Virtualised.

–          Offensive security – Cyber. Cyber. Cyber. Cyber…  Instead of being purely defensive, do things more proactively – not necessarily actually attacking them; it can mean deceiving them into honeypots / honeynets, fingerprinting the attack, tracking back the connections etc., all the way up to actually striking back.

Summary;

–          Public clouds are marching onward; platforms are maturing… getting simpler to deploy and operate at the platform level, but with heavy impact on application architecture

–          Private clouds are getting more complex (as expected) and the use case differences between the two are obvious; more exposed infrastructure-connected knobs and dials

–          Hybrid clouds are emerging, hypervisors commoditised and orchestration / provisioning systems differentiate as ecosystem and corporate interests emerge

–          Mobility (workload and consuming devices) and APIs are everywhere

–          Network models are being abstracted even further (Physical > Virtual > Overlay) and that creates more ‘simplexity’

–          Application and information ‘ETL sprawl’ is a force to be reckoned with

–          Security is getting much more interesting!

This was a great wrap-up highlighting the last few years’ issues (how many of these have we really fixed?), along with where we are now and a nice overview of what’s coming up.  Are you up to speed with all the current and outstanding issues you need to be aware of?  How prepared are you and your organisation for what’s coming up?  Don’t be like the 3 monkeys.. 😉

While the picture is complex and we have loads of work to do, Chris’s last point aptly sums up why I love security and working in the security field!

Lastly, have a look at Chris’s blog; http://www.rationalsurvivability.com/blog/ which has loads of interesting content.

K

RSA Conference Europe 2012 Keynotes; day one part one

The first two keynotes were from RSA and were both very interesting with a LOT of valid points;

Keynote 1 – Art Coviello, Executive Chairman RSA.  Titled ‘Intelligence-driven security: The new model’

The vast majority of security spend is still for edge security and edge focussed monitoring, which is failing in this open world where attacks and breaches are to be expected.

Currently many people think that the security risks are overhyped, but is this true?  Organisations don’t like to reveal that they have been breached, so how many breaches go unreported?  The Verizon survey has also revealed that the majority of breaches go undetected for a long time, if they are ever caught.  So how many organisations have been breached without even knowing it?  This was referred to as ‘the PR gap’, with the tip of the iceberg being what is known, but the massive unknown underwater part of the iceberg being the reality.

We must gain a better understanding of the situation.  How mature and sophisticated is your organisation’s security?

Proposed four levels of cyber security:

  1. Control – these likely have already been hacked and just don’t know it!
  2. Compliance – likely heavily regulated, but focused on compliance and tick boxes rather than strong governance leading to compliance.  Often caused by management and budgetary pressures
  3. IT risk – good understanding of IT risk, only slightly behind 4, but more tactical and IT focused than strategically aligned with the business.
  4. Business risk – This is where you should aspire to be, security fully aligned and working with the business, leveraging technology and processes in line with business strategy.

How do we get there? – Understand the issues;

–          Budget – pressures, how to best use it, how to justify it and highlight benefits and business cases

–          Security Talent – ensure your team is as good as it can be: are they passionate and engaged, and do they understand your industry?  The right team will drive security benefits and change, not just sit back, tick boxes or point further up the chain for reasons they are not acting.

–          PR Gap – explained above

–          Privacy Regulations – understand the regulatory environment your business is operating in.

Keynote 2 – Tom Heiser – President RSA – Intelligence Driven security.

–          Reconsider – our risks.  Move to a risk based approach to security. Understand regulatory challenges to this approach

–          Rethink – Detection strategies and deploy continuous monitoring.

–          Harden Authentication and tighten access controls

–          Educate.. Educate.. Educate.. – Users, staff, regulators, media, auditors.  Obviously your business will focus on your staff and users, but the security industry also needs to get better at the wider piece.  Consider cyber security education around risks and phishing etc.  This point resonated with me as I come from an environment where we had various security awareness strategies from awareness weeks to educational phishing emails, and I have proposed this approach to my current employer.

Inevitability of compromise – Does not equate to accepting loss – New tactics and tools.  Moore’s law can apply to criminals as much as processors – criminals have more and more tools; last year’s military-grade attack is this year’s scripted attack tool in the wild.  The example given was that Stuxnet-derived attacks have been found in the wild and used against banking customers.

Improved monitoring and understanding will reduce ‘dwell time’ – how long the criminals can reside on your network.  If we assume breaches will occur (and they will), then minimising this dwell time is key to minimising risk.

This does require new tools.  Consider how we re-distribute budget spend.  Reduce spend on lower value services and premium priced tools such as AV and perimeter security.  Re-allocate spend to more advanced security solutions.

How do we access security knowledge?  How do we share information?  How do we ensure we protect privacy while we do this?  Currently nation states and criminals have much, much better intelligence and information sharing processes than legitimate governments and organisations.

We need standardised ways to share information, ideally at machine speed – ‘standardised share act’.  This must be understood and driven from board level down; we as a security industry need to ensure we educate the board in business terms around policy and business risk.  How much does your board currently know about your organisation’s security stance and the risks you currently face?

We also need to be mindful of managing compliance and risk.  Just focusing on compliance does not necessarily reduce risk.  Remember the criminals can read the same compliance requirements you are meeting, so they know exactly what you are doing if you do not have a risk management / security program in addition to just meeting regulatory and compliance requirements.  This can be a challenge given the volume of compliance projects and budgetary constraints in many organisations, but needs to be considered.

We need a more proactive stance that focusses on intelligence, understanding, and education from user to board level.

Keynote ended with some comments on new RSA products and tools.

I really liked both of these talks, and think we really need to consider the points raised.

K