The Mach37 Security Leader Dinner series has become a premier forum for discussing important topics in Information Security. On October 23, Philip Reitinger was the guest speaker. Although these discussions are non-attribution, and the philosophical musings, views, and opinions expressed are solely those of the author, a few of the ideas in this post are paraphrased from Mr. Reitinger's prepared remarks, and are used with his permission. Some other ideas presented are crowdsourced from the community discussion or represent my own ideas on various topics.Can we win the information security war? Currently the answer is no, and the situation is getting worse rather than better. It is getting worse for three reasons: complexity, connectivity, and criticality. The internet is so complex that nobody fully understands it, yet we are connecting everything to it, including all of our personal data and most critical infrastructure. At least we are finally paying attention to the issue, and our defensive technology is improving, so should we expect to be able to win in the long run? If winning means reasonable expectations of privacy, and reasonable expectations of protection for transactional information and intellectual property then the answer should be yes. So what would it take?First, the internet was designed for connectivity rather than security, so there are some fundamental flaws to be fixed. There is some hope that the transition to IPv6 will address many of these issues, if not subverted by the providers. Baseline strong encryption of all internet traffic with no back doors is currently feasible. Strong authentication, providing some assurance that you are who you claim to be as we interact remotely, is on the horizon.Second, the "edge of the network" is now every device, and the information and core computing resources (processor, storage, network interface) need to be encrypted and hardened. The move to stronger security by major device providers is a good step in this direction. Next comes automation. Procedures that involve highly skilled operators continuously monitoring for dangerous traffic simply cannot scale; they are orders of magnitude too slow and too expensive. The information security community is developing more automated processes and techniques which will help improve this situation.Finally for the U.S. comes the legal and social changes necessary to support the technological changes. Unlike some parts of the world, we have criminalized much of the behavior of the "hacker" community in identifying issues and fixes in various information services, even among that large majority of the community willing to use their skills for positive purposes; we need to find ways to enlist their support rather than suppress it. We have also built an ecosystem where service and application providers of all types have been given free license to trade on individual's data at the expense of privacy. Fixing these major legal/cultural loopholes is a key step in fixing the underlying security flaws, giving incentives for security rather than ignoring it.So, in spite of the complexity, connectivity and criticality issues that widen the gap if all we do is play catch up, the answer is yes, we are still in a position to win…IF we put our minds and technology to the task…IF we are able to change some of the legal and structural problems…and IF we accept a relative rather than absolute version of what it means to win.EPILOGUE (Call to Action): Phil Reitinger summarized the state of information security by re-telling the old tale of the two campers. As they get ready for bed, one starts putting on his sneakers, and the second one says “why bother; if a bear comes during the night, you won’t be able to outrun it”. To which the speedy camper replies “I don’t need to outrun the bear, I just need to outrun you”. We are very much under this type of extraordinary evolutionary pressure in cyberspace. The weak will continue as prey, and the predators will continue to roam. To survive in this new age the call to action is simple: Put on your sneakers and start running. Maybe if we all do it we might even starve a few dragons and bears along the way.
CTO SmackChat: The Dreaded “Pivot”
Your startup is a success! Family and friends have seen you through to the point where an angel investor got excited, and your first alpha customer really likes where you are heading. The beta tests are under way and the feedback is coming in.One customer says he would be interested in buying if your product could provide two additional capabilities not in the beta version. Another indicates her problem is not exactly the one you are addressing but she sees how it could apply by changing the domain slightly and taking some additional inputs into account. Some feedback says it seems similar to what they are already using. There is a request to show the output on a map background. And, your marketing guru says that several customers are really struggling to solve a problem that one component of your solution could make dramatically easier. Should you pivot, or stay the course? Add features or simplify? Expand to related problem areas? What feedback do you rely on to make those decisions?A couple things are clear. As a startup your resources are stretched way too thin simply trying to address one market. Expanding to a second problem area before succeeding in the first one makes it much more likely that neither will succeed. The second notion is integrity of a core product offering. If every customer has a different set of implemented features, your business is really a service business built around customizing features rather than a product business.But the harder trap for most entrepreneurial technologists is falling in love with your own ideas. After all, you thought it up, and your whole career has been built on confidence in your technical ideas. You probably know better than the customer what is really possible from a technical standpoint, and what the hard problems are that you know how to solve. In the end though, the right answer is always what customers will pay for. And in our example above I would be inclined to listen to the marketing guru who seems to be close to some potentially paying customers: perhaps it is time to change the product idea, get rid of a bunch of the features that are not helping differentiate it, and focus on the one core bit that could help several customers solve a critical problem.There is no science behind when to pivot and when to stay the course. An important indicator is slow or flat sales (or interest) combined with some customer pull along a different development vector than the one you are following. As the divergence grows that market signal gets stronger that the pivot is upon you, but in the end you need to make a judgment call and work with your own company leadership to ensure it is the right one.
Security Spaces Worth Watching
People sometimes ask about the process by which we select companies for participation in our accelerator program. One of the challenges with investing in the information security market (or any early-stage technology space) is that of identifying companies with a product that is both different and useful.While "different" is an important criterion, it is necessary but not sufficient for a product to be successful in the market. For a product to be “useful,” it must address a real-world problem in an accessible way.Thinking about what might be useful naturally leads us to ponder where the real, unsolved problems lie. In this article I'll describe some areas in which I see opportunities for people who want to solve important security problems in a new and different way. This list is by no means exhaustive, but it includes approaches where we see underserved markets, new ways to deal with old problems, or significant chances to make a dent in the continuing onslaught of security threats that people experience every day.Encapsulated ExpertiseThis isn’t a technology approach so much as a useful measure of whether a company’s product is likely to matter in the market. As I described in a previous article, if one looks at the history of the information security market, many of the most significant developments have been products that somehow embodied the experience of skilled people who may be expensive, difficult to find or hire, or simply rare enough that it is impossible to find enough of them to fully staff a security function. It is probably fair to say that the same value applies in the network operations markets as well. As we saw with the network intrusion detection system (IDS) market, a product that can identify important events and route them to the most appropriate people may allow an enterprise to make more efficient use of the people who are already there.The hard part of building good products that embody or automate expertise is that there are natural pressures that tend to make the product complicated for the user. The most successful products not only solve complex security problems with automation, but also provide improvements in product usability and organization workflow.A definition of a “home run” might be a security product that also simultaneously improves the user experience or user interface of something that people do every day. Those are rare, but when it happens, the opportunity is worthy of note. By some measures, Single Sign-On technology might be one example of improving the end-user experience while also enhancing security. It’s not always easy to deploy, but if done well, many people save time and administrators have a better handle on identity management.The Internet of ThingsA problem in the security business (and perhaps any technology sector) is that people toss terms about without actually agreeing upon what they mean. Perhaps the best example of this is "The Internet of Things." Because anything can be a "thing" it's difficult to even know where this category begins and ends.If you have been wondering which things are capital-T "Things," here is a list of some examples that might fit the description:
- Network-connected home appliances like the Nest Thermostat
- Network-connected sensor devices such as electric power meters
- "Smart cars" and "smart highways"
- Industrial control systems
- Remotely piloted vehicles
- Any device that can be attached to a wired or wireless network that isn't a computer or workstation at which you can sit.
This category creates security challenges because:1) These things can provide a point of entry for attackers to the rest of your network2) Some of these things have the ability to affect the physical world in real ways3) These things may be transmitting information about you or your environment with significant implications for your privacy.Sometimes, existing tools may be helpful for improving the security of connected devices, but there are constraints that may not be present with a regular computer. Connected devices may have minimal processing power, limited communications bandwidth, and in some cases, very limited power budgets due to battery size limitations. This necessitates new ways of approaching security management and monitoring.Software Defined NetworksAnother area that is showing up more and more in the enterprise IT conversation is software defined networking or "SDN." This is another space that means different things to different people (and vendors), but the general idea is that the flexibility of networking equipment hasn't improved as quickly as the flexibility of computing systems has. For example, the use of virtualization has made it very easy to move an entire server's configuration and data from one computer to another very quickly and much more easily than the traditional process of installing everything on a new machine, verifying that the new system does the same thing as the old one, and then moving the data.Similarly, software defined networking offers the promise of simpler and more flexible network routers and/or switches where even low-level configuration changes to hardware behavior can be stored in profiles and pushed out from a central management point. This technology potentially even allows for radical reconfiguration of the network "fabric" while systems are in operation without significantly impacting throughput on the network.Obviously, this flexibility is powerful for enterprise network managers in terms of enabling new ways of adapting to enterprise needs very rapidly. This flexibility may come at a security cost, however. The standards and technology approaches in this area are still somewhat young, and some of the emerging standards don't address security in much depth yet.Some things to consider about SDN include:1) The implications of centrally storing the configuration of your entire network on a system that can transmit changes that take effect rapidly;2) How to prevent unauthorized access to the management/change function on individual routers or switches3) Emergent network effects after making a change - do side effects "ripple" through the network afterward? How long do they take to dissipate?Zero-Trust Security ModelsRecently, a number of organizations have been advancing an approach to security that is a departure from traditions and practices that current information security practitioners hold dear.The "zero trust" or "untrusted everything" approach is driven by the need to acknowledge that threats and attacks have changed more quickly than our defenses have. Current environments often have pre-defined trust relationships between various computer systems. The problem is that an attacker can compromise one system and use it as a springboard or stepping stone to other systems that are configured to trust the first.These approaches often explicitly reject the idea that there is an "inside network” of trusted resources and an "outside network" full of bad actors waiting to attack things.In the past, enterprises would often deploy some perimeter security technology at the border between the “inside” and the “outside”, while frequently neglecting security improvements to systems on the “inside.” Security people have long referred to the resulting condition as having a “hard shell with a soft, chewy center.”Today, not only is there ambiguity about exactly where “inside” ends and “outside” begins but also an increasing mix of mobile devices that may connect to internal networks while also sometimes traveling to hostile or insecure networks. Using your mobile handset in a favourite coffee shop and then in the office might be an example of that scenario. Sometimes these devices may even be personally owned, which may make it difficult to choose a satisfactory protection regime that allows users to get their work done on tools with which they’re the most comfortable.In order to even begin to address this ambiguous environment, it is necessary to make some decisions. One decision that can guide the beginning of a workable strategy is to declare that bring-your-own-device environments, and networks running personal applications should be considered untrusted.Some organizations choose to turn a blind eye to the prevalence of personally owned devices and personal applications while tacitly acknowledging that there is a productivity benefit to allowing their use. Reality requires that an organization develop a strategy to mitigate risk sufficiently in a world that isn’t black-and-white.
You Don't Scale
The more that information security incidents are in the news, the more often we hear that there aren't enough people to do all of the work necessary to batten down the hatches against everyone who'd like to compromise our systems and networks. The U.S. Government has been particularly vocal in discussing a shortage of security talent, but it's not uncommon to hear this refrain in business circles as well.If these folks are as difficult to find, hire, and retain as we're told, then we only have a few choices:
- Train them internally;
- Automate as many security processes as possible;
- Do things to make the people you have more effective
Most people choose door #2 as a way to get what's behind door #3.There is a common criticism of information security practitioners: that we depend too much on technology, even when the core problems may not be technical ones. Those critics have a point: effective security isn't something one can buy in a box and then proclaim victory afterward. However, in the face of limited talent, deploying a new technology may be the most straightforward way to attempt to address some risks.The reason is simple: many of the best security products tend to embody some very specific, reproducible, automation-friendly aspect of security expertise and perform it tirelessly, over and over. You may have the best internal security people in the world, or the best world-renowned consultants, but the bottom line is that humans don't scale particularly well.This is true whether you're the security manager with the responsibility to keep your network safe 24 hours a day, or the consultant who parachutes in to save the day when things look bleak. The former can only hire so many staff members, and the latter can only be billed for a finite number of hours in a day/week/year.If experts are in short supply, then one of the most scalable options is to encapsulate the expertise of rare, highly paid people and build it into a mechanism that can attempt to apply that expertise to real environments, be they network traffic flows, host configurations, or software updates.There has yet to exist a security product that solved all of the world's (or even one enterprise's) problems, but if we look at some things that made a difference in the state of the art when they arrived, they tend to fall into a few categories:
- They allow less-senior people to do some work that used to be the province of a few
- They help people to make better sense of information they (usually) already had somewhere
- They help less-technical users to avoid inadvertently hurting themselves
- They fundamentally changed some aspect of how we work or build systems to make them inherently more secure*
*This is where the most value is created, but it's also the most difficult.If you've gone to the trouble of building something to solve a problem for yourself, and believe that other people have the same problem, that's called a market opportunity.