BlackHat 2009 - Key Note Sessions 1&2 - What is Changing in this Ecosystem?
August 2009 by Michael Hayes CTO, B-4-U Inc.
Our Strategic Goal is to move Governments and Industry towards a Resilient Cyber Ecosystem. We need to secure the network by embracing new protocols like IPv6, DNSSEC, BGPSEC and SMTPSEC as strategic components, moving the foundation of our network towards Resilience and Trust. Protection must embrace the Identity and Privacy of an individual, securing the Content and Performance of both networks and applications.
We used to focus on boundary defense, the Burning Ring of Fire (Merrill); now we need to shift to protecting employees, customers’ information and Content, the gems of our corporations. We need to shift our Security Investment Strategy: “the investment in boundary security was wrong, incentives are wrong and vendors are wrong. We need to plant our grass out there, and based on user behavior, give them what they want” (Merrill). Google IT Security is not the center of security in Google but an enabler of security. The IT Security group had its users code security in, with review by IT Security; the application and data owners are themselves accountable for security. Google also made it easy, by having the security group provide easy-to-use log tools and easy-to-use forms: “if you make it easy they will come” (Merrill). The application and data owners in the U.S. Federal Government also have a process (C&A, Certification and Accreditation), with each owner accountable for security.
IT Security is a big job, an ever-changing job, and a very critical job.
Side note: two interesting companies that attended BlackHat bear some looking into. The first is www.splunk.com, a data aggregator that shows great real-time promise for data mining security logs, alerts and other data mining applications. The second is www.digitalstakeout.com, a company that can determine external and internal security threats in a non-intrusive manner from the outside facing in.
As most of us realize, “Cyberspace is a Fragile Ecosystem, but it is a key to our Global Economy. Responsibility to secure this ecosystem rests on all of us” (Lenz). We see the way users in Enterprise and Government are changing: young entrants into the economy have lived with the Web all their lives, and they expect to connect NOW. These connections are 24 x 7, 365 days a year, through Facebook, YouTube, Twitter, E-Mail, IM, Blogs and BlackBerry, from the home, on the road or at work. The way we work and the way they work has changed, and we as leaders in Enterprise and Government IT need to embrace this change and innovation (Merrill). In one example with the U.S. Navy, there is a concern that morale could fall if those social connections fail, so how do we secure this fragile internet environment?
What has changed or is changing now? Networks are becoming so porous that we need to expand from a defense in depth strategy to a new security model. “The Content Wave and Net Centric Wave are converging” (Lenz); we need to look at how we protect content from the outside threats as well as the inside threats.
Good news for Security Officers: in 2009, Security Budgets are up 5%, while Technology budgets are down 5% (Merrill). The bad news is that corporate expectations and user expectations are higher, and CEOs still do not understand the risk of the net, but demand a clear positive impact on their bottom line. Security Officers focus on compliance and security, while CEOs expect compliance but focus on growing the business operationally, as well as on the business ROI and technology ROI that provide positive impacts on the top and bottom lines (Merrill).
“A Paradigm shift needs to occur in Cyber Security, changing from static defense, to maintaining a defense in depth won’t be sufficient in a Content Centric World” (Lenz). The Wave of Power illustrates a convergence of Content with Resilience in a Net Centric environment. Cyber Risk Management needs to embrace Time & Environment, Content & Service, plus the protection of the Identity of Individuals and the Organization, its Equipment and Assets, while balancing Operational needs with Security and compliance requirements.
As CIOs, CSOs and CISOs, we need to enact a shift in Strategic Focus while enabling innovation: “we need to move from Protection of Information to Ensuring secure Operational Success, from Static Pre-placed Defenses to Dynamic Networks and Resilience” (Lenz). Additionally, we cannot leave our heads in the sand; we need to understand the impact and value of Cloud Computing, and be proactive in understanding the real security issues of this emerging concept. We need to continue to Assure Software and Systems while Managing Attack Surfaces, Reducing Anonymity, Improving Cyber Awareness, adding Edge Forensics and Forensics on the fly, embracing Leak Detection and Automating Content Security, and building Mission Based Architectures, and that’s before lunch.
Key Note Day 1 - Douglas Merrill COO of EMI records, Former VP of Engineering at Google
Key Note Day 2 - Robert F Lenz DoD U.S.A.
Deputy Assistant Secretary of Defense
Cyber Identity and Information Assurance