Recently in Security Solutions Category

Research does not guarantee innovation

Earlier this week I attended the excellent Stevenson Science lecture at Royal Holloway University on "The Birth of Machine Cryptanalysis at Bletchley Park" given by Dr Joel Greenberg of the Bletchley Park Trust. When listening to any account of wartime code breaking one cannot fail to be impressed by the astounding level of innovation demonstrated by the early cryptographers. Such creativity is rarely encountered in today's commercial environment which stamps out mavericks and encourages tick-box conformance, short-term action and widespread copying of other people's practices.

The lecture was followed by a private dinner at which the Dean announced the University's plans for a new Innovation Centre. There's been a slight hitch in accommodation. (I'm told the earmarked site was sold to house builders.) But the concept must be applauded. Innovation is essential to help us escape from the damaging culture of conformance and compliance that has poisoned our cyber security efforts. And funding of fresh thinking is the key to finding the silver bullets to kill advanced persistent threats.

Unfortunately it's more likely to be more of the same rather than anything new: one step forward and another back. The step forward is the creation of a bigger research effort and an incubator for new developments. That is certainly welcome, though it might not necessarily create any new funding. The step back is that the research will still be under the direction of the usual suspects, i.e. the government and industry sponsors, supported by an advisory board of establishment figures. So don't expect to see anything that is left-field, long term or high risk.

The problem is that government research bodies don't like to fund anything that looks remotely like a product: the closer you get to anything practical the quicker the funding tails off. In contrast vendors and venture capitalists tend not to fund anything that takes more than 18 months to develop. They are only interested in money or new features for their products. That's why we have so few innovative security technologies. New approaches tend to disappear down the gap between blue sky research and product development.

Fifteen years ago I sponsored the development of a model of the human immune system for fraud detection. It worked but needed further development. The concept died when the funding ran out. A similar fate killed another promising research project to detect human behaviour of security interest in digital networks. No less than a decade of funding is required to take a new technology from the drawing board to the market place. In the case of cryptography it can be even longer, as new approaches take many years to be accepted and implemented.

Groundbreaking ideas rarely result from themed research. Creativity requires a high level of freedom coupled with a clear focus on a challenging problem - the more impossible-sounding the better. NASA research works because it focuses relentlessly on solving problems. MIT Media Lab works because it recruits students with creative ideas and gives them freedom to choose and direct their own work. MIT Media Lab researchers can develop a magic trick, design a new musical instrument or tackle a seemingly unsolvable problem. Sponsors can visit and discuss their business requirements with researchers, but they have to "charm" the researchers into cooperating. Promising projects will run for many years. That's how to encourage and enable real innovation. Anything less is merely jobs for the research boys.

Qualys - A force to be reckoned with

Last week I attended a sneak preview of the latest Qualys product road map. I was impressed, not so much by the functionality of the products - which is not especially original - as by the ambition and architecture of the new product range.

While other security vendors have been extending their products through acquisitions of best of breed point solutions, Qualys have been quietly re-engineering their services around a unified, secure, cloud architecture, avoiding the patchwork quilt of products that other vendors have inherited.

Qualys are also extending their product portfolio to match those of their competitors. It's a move that presents a potential competitive edge in economy and speed of maintenance, which is good news for a marketplace that needs low cost, up-to-the-minute security defences.

APT Protection via Data-Centric Security

I'll be contributing to a Webinar on APT Protection via Data-Centric Security next Thursday. Given the progressive erosion of corporate perimeter security it's about time we switched our attention to hardening our applications and data. The Jericho Forum have been preaching this for more than a decade. The message is finally getting through, though its implementation has a long way to go.

How to manage the risks of Advanced Persistent Threats (APTs)

My new ISACA book on Advanced Persistent Threats has now been published. It's an excellent guide for any Business, IT, Security or Audit Manager responsible for safeguarding critical, sensitive or valuable intellectual assets.

In particular, it advocates a higher level of response by enterprises at risk, based on a coordinated response and a range of enhanced security processes, awareness and technologies.

It's free for members of ISACA and $60 for everyone else. At that price you would be well advised to join ISACA and gain the advantage of discounts on research reports and cheaper access to ISACA events.

More on the history of BS7799

Anthony Freed has been publishing further historical information on the true background of BS7799 on his Tripwire blog. There are some important learning points from these postings. It's particularly interesting to note that new standards are not taken up immediately but can have a major impact after a decade, by which time they are likely to be out of date.

It was 20 years ago today...

Well, not quite today, but at the end of September it will be exactly 20 years since the original text of BS7799 (now ISO 27002) was published in the form of BSI document DISC PD0003. The history of how the standard was developed has never been accurately documented until now. Anthony Freed has just published the first of three postings covering the background on his Tripwire blog. It's essential reading for any student of the history of information security. Don't believe what you read on Wikipedia. It's not all correct.

SCADA security requires a better understanding of how plants work

I do worry about the security of our industrial control and SCADA systems. I have been for the last 24 years in fact, ever since I first encountered them. In my view the real problem has always been bridging the gap between the theoretical vulnerabilities of these systems and the everyday business reality of managing a process plant.

Seen from the plant manager's perspective it's very simple. There are pressures to cut costs, sweat assets and provide round-the-clock connectivity to remote or mobile engineers. These systems are rarely (if ever) brought down by a hacker or malware. But every now and then an auditor, IT or security person who knows next to nothing about how the plant works comes round and tells you either to disconnect the contractors who keep the plant running, or to rip out and rebuild all the instrumentation at enormous cost.

Not very compelling, is it? Unfortunately the security community have learned very little over the last 20 years about how to solve the problem. The first SCADA systems emerged in the late 1980s and many were quickly hacked through insecure public network connections. We designed makeshift firewalls to protect them (in those days we called them "relays" because the term hadn't been invented) but we failed to keep up with all the connectivity requirements, and many early implementations were disconnected or by-passed.

Two decades later we face the same problem though the threat has become much more serious: professional attackers with sinister motives rather than casual teenage hackers. But many security professionals still don't understand the business environment. Penetration testers turn up, conduct a few network scans and then recommend hardening or disconnecting insecure platforms. The problem is you can't disconnect or patch essential platforms that need to run and be managed 24 hours a day.

A few years ago Idaho National Labs destroyed a power generator through a hacking attack in the Aurora test. Security professionals made a big deal about it, many suggesting we should disconnect them, though I have a suspicion that this particular attack could have been prevented by a $10 hardware enhancement. Why did nobody suggest that?

This week I see that Trend Micro have published a report on the security of Industrial Control Systems. Not surprisingly they found that there are lots of insecure platforms connected to the Internet. The answer? Disable Internet access and apply patches.

Am I alone in thinking that the answer should be to look at the methods of operation and the real potential hazards, and then come up with secure solutions that actually fit the operational requirements? Unfortunately we seem to have evolved a tick-box, commodity-based security profession that can do little more than point out the blindingly obvious.

Ditch the Triangle and use more technology

Big Data might be the big thing this year, but it's just one step in the evolution of enterprise information systems. Each year they become more powerful. As do the capabilities of their users. Forget the 'least privilege' principle. It's only Data Protection law that limits what they can access.

Such a landscape can no longer be policed by humans and procedures. Technology is needed to leverage security controls. The Golden Triangle of people, process and technology needs to be rebalanced in favour of automation. And I'm speaking as a pioneer and highly experienced expert in process and human factors.

You may wonder where the Triangle originated. Contrary to popular opinion it was not invented by Bruce Schneier. I can't help you before 1990, which is when I first encountered it in Shell. At that time it was being used in operational research circles. 

I first used it in 1991 to help balance the content of the Shell baseline security controls, the forerunner of BS7799 and ISO 27002. Back then we wanted to embed procedures to support ISO 9000 adoption. We also wanted to place more emphasis on user awareness. We sought, in fact, a perfect balance of controls for people, process and technology.

Today I'd ditch the Triangle. It's become an argument against excessive focus on technology. Yet that's what we now need. There's nowhere near enough exploitation of technology in our security controls. We rely far too much on policy and people, neither of which are reliable, especially when dealing with fast-changing, large scale infrastructures.

What's needed to correct the balance? The answer lies in the use of 'Big Data' analysis engines, scalable Cloud services and artificial intelligence and artificial life. These technologies are available now but our usage of them is still in its infancy. Ten years ago I experimented with data mining and computational immunology. They worked, but it was a major challenge to maintain a positive business case. Funding dried up as the gloss wore off the digital revolution.

It's now time to get serious with technology and develop the automated solutions needed to meet today's challenges. Policy and education measures might get you through an audit, but they won't stop an advanced persistent threat.

Towards real-time security

I've commented many times that cyber security management today is far too slow. It's the result of many factors: the treacle of standards and compliance; the need to gain business case approval for security investments; the influence of quality management concepts that promote long-term process improvement at the expense of short-term action.

This situation will not be changed by security managers. They are under mounting pressure to demonstrate compliance with established standards. Nor will it be fixed by security institutes, who tend to have a substantial investment in traditional practices. The reality is that it will only be fixed through the emergence of disruptive technologies that deliver a step change in the speed of incident detection and response.

Fortunately we are now seeing faster security services emerge, as vendors embrace the Cloud and explore the potential for managing big data. I've long been a fan of Qualys and their innovative products which transformed vulnerability assessment from an expensive, infrequent exercise to a fast, frequent and universally-available process.

A few weeks ago I was fortunate to get a briefing from Sourcefire on their latest technology (announced last week) and I was very pleased to see that their new products enable much faster and more reliable malware detection, transforming the detection process from a once-off perimeter check to an internal, always-on process.

It's the type of breakthrough we need to see more often. Security managers cannot counter emerging threats through people and processes alone. We also need real-time, pervasive protection through vigilant technology.

Reflections on RSA Europe 2012

For those of you who couldn't make RSA's latest thrash in London I can report that there were, as expected, no real surprises. It's a shame as cyber security is booming at a time when emerging technology promises possibilities to transform the solution space in ways that should blow the minds of traditional practitioners.

Unfortunately such a change demands original thinking, smart investment and a buccaneering appetite for risk taking that is sadly lacking in both the public and private sectors. I know from personal experience that if you develop novel ideas for creative product development they are unlikely to gain much traction in a blinkered research and business environment that prefers to focus and build on established practices and cash cows. (I've been forced myself to abandon projects to build solutions based on models of the human immune system and imaginative analysis of network data through lack of UK Government funding.)

The end result is that new products tend to be little more than incremental improvements of long established solutions. In the past thirty years I've encountered as many new breakthroughs as you can count on one hand. There is always however a new fashion or spin to place on new releases or product variations each year.

If last year's trend was BYOD, then this season's buzz phrase is Big Data. This particular one is very significant as it really does herald something new, though its inspiration is no more than a reflection of contemporary business trends in data mining coupled with the existence of growing audit logs, rather than the outcome of any serious problem-solving analysis.

Take Splunk for example who were promoting their latest Big Data security solution. Splunk is clearly a leading engine for data miners and I'm a big fan, but the security application looks like it's been put together by a firewall administrator rather than an experienced data miner. I met more than one colleague who told me their company was investing in the tool for business applications though not for security. But watch this space. Solutions will evolve beyond all expectations.

Several other products on display exhibited that not-quite-thought-through-or-finished-off quality, such as technologies that lacked a hardware root-of-trust, or products that were clearly designed by ad hoc security folk rather than subject matter experts. But there were some interesting products on display. I liked, for example, the concepts behind Bromium, an imaginative virtualisation-based solution, and Mykonos, a honey-trap technology that encapsulates the new spirit of deception that will progressively underpin security in the new information age.

All new products need improvement of course, and the RSA Conference is a good opportunity to deliver essential feedback because it's attended by leading users as well as senior vendor executives and their research and marketing teams. The development of new products is often locked in an inevitable conflict between the road map drawn up by the CTO and the conflicting demands of early customers. RSA Conference provides a useful forum for helping to settle the arguments.

And this year's conference proved to be an excellent environment for networking. The new layout of the exhibition area - with smaller stands and more seating - encouraged visitors to relax and interact with their colleagues between sessions rather than stand in a corner checking their email and missed calls. On one day for example I sat down with a venture capital colleague to have lunch and we were immediately immersed in a facilitated debate on social media. We both enjoyed it.

I thought the new layout was a move in the right direction: more customer engagement and discussion about the relative merits of the technologies on display, and less direct product promotion. Let's face it, if you want to buy a product you're much more likely to be influenced by the opinions of another user you've met than by the pitch of a salesman on a stand. Too many conferences waste energy on big stands, free gifts, loud music and tacky promotions, rather than creating a calm environment to engage people and discuss how to use and improve products.

What of the presentations themselves? The track sessions were too numerous to cover. There were some good debates but nothing really new, and they left me with an impression that many speakers spend more effort on the presentation title than the actual content.

The keynote addresses were generally lacklustre, clichéd and short of new ideas or compelling rhetoric. We need more than abstract pronouncements on the wonders of Cloud Services, Big Data and Intelligence-led Security. Philippe Courtot of Qualys always comes across as the most visionary and authoritative vendor, but this year he gave us nothing new. Misha Glenny had a fascinating tale to tell of hackers, criminals and spies, though I was left with the impression that he was largely reading from his book.

Jimmy Wales was the undoubted star of the show, and came across as a jolly nice chap with healthy, balanced views. I offered my congratulations on his new marital status but he reacted as though I'd taken the wind out of his own announcement. In fact for the first half of his talk, the lack of any mention of his celebrity-studded wedding seemed to be the elephant in the room. But Jimmy's important closing point was to remind us that the biggest threat to Freedom of Speech is well-meaning but misguided legislation. Even in a world of fast-changing risks, some things never change.
