As the times change, the security community needs to adapt.
We live in an imperfect world, as Alex Stamos [2], Chief Information Security Officer of Facebook, pointed out in his recent BlackHat 2017 keynote address. Instead of trying to punish each other, hackers and innovators need to work closely to ensure a higher order.
Other security thought leaders have echoed similar sentiments.
Refreshingly, security thought leaders are driving cultural change from the top. Besides technological innovation, we are beginning to see changes in sales, diversity and culture. We are growing up, albeit slowly.
Product Innovation, Garbage and Lies
Ping Li [5], Partner at Accel Ventures, reminded me that we are still in the early innings of a long game. The security sector is evolving rapidly and we are still developing a common nomenclature, a lingua franca for our business. Visibility into systems, managing patches, vulnerabilities and security workflows are still being accomplished with rudimentary tools, Li said.
Newcomers like Corelight [6] (backed by Accel), Awake Networks [7] (backed by Greylock Ventures) and EastWind Networks [8] (backed by Signal Peak Ventures) are innovating on visibility of traffic and threats. In data security, ThinAir [9] and Onapsis [10] (securing ERP systems) have carved out an interesting niche in the market, while Pwnie Express [11] is positioning itself to win the IoT / ICS security market.
Empow Networks [12], a Gartner Cool Vendor of 2017, wants to create a novel abstraction layer to manage all security tools effectively, and Demisto [13] (in which I am an investor) is bringing much needed automation to incident response. Nyotron [14] just raised $21 million to redefine endpoint security. As drones grow from a mild nuisance to a significant headache, several security startups like Airspace [15] and Dedrone [16] have jumped in to protect the three-dimensional perimeter.
Calling BS on the marketing hype, several presenters at BlackHat offered an unvarnished view of the state of technology.
In her talk, Garbage in Garbage out [17], Hillary Sanders, a data scientist with Sophos [18], pointed out that if ML models use sub-optimal training data, the reliability of the models will be questionable, possibly leading to catastrophic failures.
She trained models on three separate data sources and found that when a model is tested on a different data set, the outcomes vary significantly (see the 3 x 3 matrix in the figure below). Put differently: if I was trained to recognize a cat in one school and then moved to a different school, my ability to identify a cat would drop dramatically.
Caveat emptor: do not believe the ML hype unless you have seen the results on your own data sets. Each vendor will train their models on different data sets, which may not be relevant to your environment. And then, as new malware data is discovered, the training data goes stale. Chances are that the model will need to be retrained, or else it could start to behave erratically. We live in an imperfect world indeed.
Feed me some garbage: ML Training and Test Data Variances (Image Courtesy: Hillary Sanders, Sophos Labs)
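The cross-data-set test Sanders describes is straightforward to reproduce on your own data before accepting a vendor's accuracy figure. The following is an added example, not code from the talk or from Sophos: it builds three constructed sources that share six assumed binary features (names such as `packed` and `net_beacon` are illustrative only) but disagree on which feature pattern marks a malicious sample, trains a small Bernoulli naive Bayes model on each source, and scores every model on held-out data from every source. The diagonal of the resulting matrix is what an in-distribution demo shows; the off-diagonal cells are what happens when the model meets data it was never trained on.

```python
"""Cross-source evaluation matrix for a toy malware classifier.

Added example (not Sophos or Hillary Sanders' code): three constructed
"data sources" share the same six binary features but differ in which
feature pattern marks a malicious sample. A Bernoulli naive Bayes model
is trained on each source and scored on held-out data from every source,
giving the 3 x 3 matrix the talk describes.
"""
import math
import random

# Assumed feature names, chosen for readability only.
FEATURES = ["packed", "high_entropy", "crypto_api",
            "net_beacon", "reg_persist", "spawns_shell"]

# Constructed sources: prototype feature vectors for malicious (1) and
# benign (0) samples. The shift between sources is deliberate.
SOURCES = {
    "vendor_feed": {1: (1, 1, 1, 0, 0, 0), 0: (0, 0, 0, 0, 0, 0)},
    "honeypot":    {1: (0, 0, 1, 1, 1, 0), 0: (0, 0, 0, 0, 0, 0)},
    "your_estate": {1: (0, 0, 0, 0, 1, 1), 0: (1, 1, 0, 0, 0, 0)},
}


def sample_source(name, n_per_class=200, flip=0.1, seed=0):
    """Draw labelled samples from a source by flipping each prototype bit
    with probability `flip`; seeded so the demo is reproducible."""
    rng = random.Random(f"{name}-{seed}")
    rows = []
    for label, proto in SOURCES[name].items():
        for _ in range(n_per_class):
            x = tuple(bit ^ (rng.random() < flip) for bit in proto)
            rows.append((x, label))
    return rows


class BernoulliNB:
    """Minimal Bernoulli naive Bayes with Laplace smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha

    def fit(self, rows):
        n_feat = len(rows[0][0])
        ones = {0: [0] * n_feat, 1: [0] * n_feat}
        total = {0: 0, 1: 0}
        for x, y in rows:
            total[y] += 1
            for i, bit in enumerate(x):
                ones[y][i] += bit
        self.log_prior = {y: math.log(total[y] / len(rows)) for y in (0, 1)}
        self.log_on, self.log_off = {}, {}
        for y in (0, 1):
            # Smoothed P(feature_i = 1 | class y).
            p = [(ones[y][i] + self.alpha) / (total[y] + 2 * self.alpha)
                 for i in range(n_feat)]
            self.log_on[y] = [math.log(v) for v in p]
            self.log_off[y] = [math.log(1.0 - v) for v in p]
        return self

    def predict(self, x):
        best, best_score = 0, -math.inf
        for y in (0, 1):
            score = self.log_prior[y] + sum(
                self.log_on[y][i] if bit else self.log_off[y][i]
                for i, bit in enumerate(x))
            if score > best_score:
                best, best_score = y, score
        return best


def accuracy(model, rows):
    return sum(model.predict(x) == y for x, y in rows) / len(rows)


def cross_source_matrix(seed=0):
    """Return {trained_on: {tested_on: accuracy}} over all source pairs."""
    train = {n: sample_source(n, seed=seed) for n in SOURCES}
    test = {n: sample_source(n, seed=seed + 1) for n in SOURCES}
    models = {n: BernoulliNB().fit(train[n]) for n in SOURCES}
    return {tr: {te: accuracy(models[tr], test[te]) for te in SOURCES}
            for tr in SOURCES}


def worst_case_drop(matrix):
    """Per model: diagonal accuracy minus its lowest off-diagonal accuracy,
    i.e. how far an in-distribution number can overstate real performance."""
    return {tr: row[tr] - min(v for te, v in row.items() if te != tr)
            for tr, row in matrix.items()}


if __name__ == "__main__":
    m = cross_source_matrix()
    names = list(SOURCES)
    print("trained \\ tested " + " ".join(f"{n:>12}" for n in names))
    for tr in names:
        print(f"{tr:>16} " + " ".join(f"{m[tr][te]:12.2f}" for te in names))
    for tr, drop in worst_case_drop(m).items():
        print(f"{tr}: in-distribution accuracy overstates by {drop:.2f}")
```

Run it as a script to print the matrix. The check to carry into a vendor evaluation is `worst_case_drop`: ask for the off-diagonal numbers on a held-out sample of your own telemetry before trusting the in-distribution figure, and repeat the measurement as new data arrives, since the gap grows as the training set goes stale.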
In another presentation, aptly titled Lies and Damn Lies [19], Lidia Giuliano and Mike Spaulding presented an analysis of various endpoint marketing claims and debunked them systematically. They spent five months digging into various endpoint offerings and concluded that threat intelligence simply does not work. While endpoint solutions are better than signature-based detection, they are no silver bullets.
When it came to drone security, Bishop Fox [20], a security consulting firm, took a Mythbusters approach [21] to researching 86 drone security products. Francis Brown, partner at Bishop Fox, presented Game of Drones, in which he concluded that the solutions are rife with marketing, but most of them are not yet available.
The study concluded that while first-generation drone defense solutions/products are being deployed, there are no best practices.
Everything from drone netting, shooting, confetti cannons, lasers and jammers was being used (including falcons). The vendors have gone wild indeed. If lasers, missiles and falcons are being deployed, what's next?
BlackHat + DefCon may be the only conference in the world where the forces of creation and destruction operate at the same venue. The builders (Suits) show off their wares at briefings and the hackers (T-shirts) show off their arsenal of how they break stuff; both mingle freely, challenge each other and do a thumbs-down / eyeroll at the other side. It's like a weird semi-drunk tribal war dance. And unless the elders of the tribe, like Stamos and Yoran, call BS on this childish behavior, we will never grow up.
Innovation in Go-To-Market Tactics
Ben Johnson, CTO of Obsidian Security [22], recently raised $9.5 million from Greylock (and since the announcement, has been inundated with Series B interest). "In security, all revenues go to hire even more salespeople," he says. Is that a healthy practice? As co-founder of Carbon Black, Ben called upon over 600 enterprise customers, and in his current role he is actively exploring more innovative ways to get the product out.
Indeed, when fear drives sales, innovation is harder. As an industry, we need to look at a better way of selling security products. However, there is a dearth of intelligent tactics. Partnerships with System Integrators (SIs), Channel Partners, Value-Added Resellers (VARs) and Managed Security Service Providers (MSSPs) are variants on the theme. Margins and accountability get slimmed down as the number of partners grows. Virgil Security [23], a data security company (for which I am an advisor), has built a developer-first platform offering tools to build in encryption seamlessly. Virgil offers its security platform as a service, and the go-to-market (GTM) approach can become highly efficient in such scenarios.
Purple Rain, Culture and Diversity
In his BlackHat keynote, Alex Stamos touched upon the importance of diversity of thought, gender and culture. His call to action included behaving responsibly (and not childishly) within a societal framework.
A large number of people in emerging markets will be using $50 phones, not $800 iPhones; how do we protect this new wave of digital citizens? What is the role of a security professional in the context of law enforcement? Can we learn to empathize with the product builders, the users, the government?
To the security nihilists, Stamos reminded them that not everyone is out to get you. At a more fundamental level, Caroline Wong, VP of Security Strategy at Cobalt [24], presented the security professional's guide to hacking office politics.
Security teams need to know more about the business challenges, not just technology. "We should be able to understand the flow of money, not just data," she pointed out.
The debates have just started, in an open, honest fashion, and IMHO culture changes slowly. For now, we have added a new color. There were Red Teams and Blue Teams: the offense and the defense, like two sides of security at perpetual war. At BlackHat 2017, the concept of Purple Teams was introduced by April Wright, who hopes the two warring factions will cooperate and work well together. And yes, she also suggested that security should never be an afterthought, to which we all say Amen!
Featured Image: Bryce Durbin/TechCrunch
[1] Secure Octane (www.secureoctane.com)
[2] Alex Stamos (www.facebook.com)
[3] Amit Yoran (en.wikipedia.org)
[4] Tenable Networks (www.tenable.com)
[5] Ping Li (www.accel.com)
[6] Corelight (www.corelight.com)
[7] Awake Networks (awakesecurity.com)
[8] EastWind Networks (www.eastwindnetworks.com)
[9] ThinAir (www.thinair.com)
[10] Onapsis (www.onapsis.com)
[11] Pwnie Express (www.pwnieexpress.com)
[12] Empow Networks (www.empownetworks.com)
[13] Demisto (www.demisto.com)
[14] Nyotron (nyotron.com)
[15] Airspace (airspace.co)
[16] Dedrone (techcrunch.com)
[17] Garbage in Garbage out (www.blackhat.com)
[18] Sophos (www.sophos.com)
[19] Lies and Damn Lies (www.blackhat.com)
[20] Bishop Fox (www.bishopfox.com)
[21] Mythbusters approach (www.bishopfox.com)
[22] Obsidian Security (www.obsidiansecurity.com)
[23] Virgil Security (virgilsecurity.com)
[24] Cobalt (cobalt.io)
Technology is making it easier to trust strangers
Or, at least, they used to. As memes go, that image macro of a pup propped up with its paws on a keyboard, masquerading nominally as human, sits somewhere on the Venn diagram between twee, nostalgic and things from the internet your kids don't remember and will judge you for. The 1993 New Yorker cartoonist originally responsible for the gag, Peter Steiner, couldn't possibly have guessed how hot-button an issue anonymity and trust online would become: as bored script-kiddies, organised crime gangs and multi-billion-dollar government agencies sprouted, flowered and burst like cyber-spores onto an unsuspecting internet, targeting everyone and their nan (especially the nans) with schemes designed to exploit trust. The more we rely on devices for the day-to-day running of our lives, the lower we dangle like fruit for criminals.

"Folks who have been tasked with cybersecurity have been, for the past few decades, building defences using a model of isolation," says Allison Miller, product manager in security and privacy at Google. "But what's happening with technology today, particularly consumer technology, is that we are becoming interconnected... People have become the new target. As opposed to, for example, all attackers focusing on getting into sensitive enterprises to get their corporate data, there's a lot of bad behaviour that ends up getting focused on users."
Miller and the Google security team are building the tools that gently (or in some cases, urgently) steer users safely away from sites that might have been designed or compromised to install malware or phish for personal data. Perhaps the most readily familiar example of the team's work is the joltingly all-red Chrome warning screen: the page a user is diverted to should they stray, unwittingly, into dangerous territory. It's an example of why internet users need unseen security teams working on their behalf: as online attack vectors become more and more numerous and sophisticated, the average user can't keep up.
And that's a problem that doesn't just apply to individuals: while the enormous, household-name internet companies can afford to throw diamond after gold brick at protecting their data (even then not always successfully), smaller companies rely just as heavily on consumer trust, and have to decide how much budget to allocate to it from comparatively thimble-sized pots.
“Institutional trust was not designed for the digital age”
"That's the question of the ages: how do you determine how much to invest in security?" says Miller, of the line between protection and paranoia for smaller companies. "And that is not something I can answer simply... It's worth it to sit down and figure out what is most valuable to you, what you have that might be most valuable to folks who would do ill or might potentially take advantage of you.
"The complexity rises as you go from being an individual to being an organisation, but unfortunately... I think large enterprises are in the best position to find experts who will help them identify what's at risk and how to protect it."

Whatever their size, companies that misjudge the allocation of resources for security (or are just unlucky) stand to lose more than just client information and money. Data dumps of user info, as any former Ashley Madison member might tell you, also cost companies a second digital currency: trust.
Human nature doesn't scale up well to the company that, through bad luck or negligence, is ultimately responsible for your credit card details ending up on a mile-long list of account numbers and sort codes swapping back and forth on the dark web. We trust companies like we trust friends: you get screwed over once, and it's an uphill battle to win you back.

"Institutional trust was not designed for the digital age," says Rachel Botsman, author of What's Mine is Yours and the upcoming Who Can You Trust?, on how trust translates into the digital world. "If you think of risk mechanisms, whether that be the way we think about government, or regulation, or insurance contracts, they were all designed during the industrial revolution and haven't really evolved that much. So when we talk about institutions rebuilding trust, there is this belief that we can go back to this institutional era of trust that was very opaque, very top-down and very decentralised."

The interim solution is already here, albeit in nascent form: trust scores. Ebay, Amazon, Airbnb and TripAdvisor already rely on them. In lieu of knowing a stranger in person, we trust a combination of star ratings, reviews and numbers. The mass decentralisation of the internet forces us not to trust a single stranger, but an aggregate of them: a web of dozens, hundreds or thousands of strangers.
As it is now with the auctioning of celebrity autographs or the buying of an impregnable sub-£20 pop-up tent, so it will be with banks, public institutions, maybe even governments. "I think these rate and review systems are inevitable, and I think these will be the tools that we use to assess trustworthiness," Botsman says. "I'm not saying that should be the goal. Trust is highly contextual.
"If the goal is to increase trustworthiness, whether that's a corporation or an individual, you've basically got two ways of doing that. The old way was through legislation and regulation, which led to more standards and more compliance. I'm not saying that's going to go away. But the other option is: how do you provide information that empowers individuals to assess trustworthiness themselves? And that's what I think we're in the very, very early stages of figuring out."

All of which neatly covers two extremes on a spectrum.
If you're a one-person business, a consultant or freelance-anything, your trust score will be on your CV right below your name. At the other end: if you're a million-or-billion pound enterprise and slip up, there's no cushion like cash. The question is: what about the people in the middle? Where is the room for experimentation, failure, progress, if the internet's web of strangers turns against your company in its first week?

"I think that small businesses are in an interesting spot, because they don't necessarily have the investment or the technical expertise of an enterprise, but they have to think like an organisation," says Miller. "They have to think in a different way to individuals, and to me: that's where the biggest gap or question mark in cybersecurity is today."
Want to know more about the cyber threats of the future? WIRED Security 2017 returns to London on September 28 to discuss the latest innovations, trends and threats in enterprise cyber defence, security intelligence and cybersecurity.
A pair of quick-thinking security guards at a Solihull shopping centre helped to evacuate terrified residents after a fire tore through the roof of a nearby tower block. The fearless guards at Chelmsley Wood Shopping Centre were on patrol when they spotted the flames and smoke coming from the top of the building in nearby Moorend Avenue. As shoppers watched the drama in horror, the brave duo sprinted across to the block, which is managed by Solihull Community Housing (SCH), and alerted the concierge to the danger.
Smoke from the fire in Chelmsley Wood
The plucky twosome, who would not be named, swiftly took to the stairs and banged on the doors of the flats in the 10-storey building. Residents told the Birmingham Mail they had been unaware of the blaze, which could be seen from miles away after the fire took hold at around 1.45pm. Twenty-five firefighters tackled the incident and gave oxygen therapy to one man who was injured.
Residents from the top two floors were evacuated.
The fire at the block of flats in Moorend Avenue Chelmsley Wood (Photo: Handout)
One of the security guards said: "There didn't seem to be a fire alarm in the block.
"We tried to find one so that we could actually hit a panic button.
"My colleague went to the top floor and I started on the fifth so we worked it between us.
"We were there for about five to 10 minutes but it seemed longer.
"We didn't think about it, we just went in to help. Then the fire brigade took over." Liberty Chester, who has a four-year-old daughter, Lacie, said she didn't feel safe.
"I'm just glad Lacie wasn't there," she said.
"If she had been she would not have gone back into the flat." The 24-year-old added: "It was the security guards from the shopping centre who saw the smoke and ran over to tell us.
"They tried to find the fire alarm but couldn't.
"Then they began banging on all the doors to tell us.
"We were waiting outside for maybe half an hour to 45 minutes.
"We weren't told anything. Nobody knew what was going on."
One man was treated for minor burns and smoke inhalation.
Residents were allowed to return to their homes after the blaze was extinguished at about 3pm.
Chloe Moore, 18 and her mum Michelle Thomas at the scene of the fire in Chelmsley Wood
Michelle Thomas lives on the third floor and her daughter Chloe Moore lives on the top floor of the building. Michelle said: "When I got there I saw a roofer who was working there. He tried to put it out himself and his arm was covered in bandages."
Chelsea Lee has lived in the block for 3 years. The 23-year-old said: "Everyone looks out for each other here." Peter Stoate, a spokesman for SCH, said: "We are pleased to report that the fire on the roof of Cheshunt House was quickly extinguished by the fire services.
"One contractor working on the roof was treated at the scene but no tenants were injured.
"Some tenants had to leave their homes for a couple of hours while safety procedures were followed but all were able to return soon afterwards."