Crowd- and OpenSourced Cybersecurity: an oxymoron no more
The most telling aspect of the Structure Security conference came in the form of back-to-back panels on Tuesday afternoon. The first comprised Qualcomm, Intel, and ARM; the second, Facebook, Uber, and Slack. The contrast between these two panels, titled ‘Defining what it Means to be Trusted’ and ‘To Secure It, Open It Up’ respectively, embodies the massive changes that are underway in cybersecurity. It was incredibly noticeable how differently companies like ARM and Intel think about and approach security compared to the Facebooks and Ubers of the world. Granted, right out of the gate there’s a huge distinction between hardware and software (in a word: permanence), but the difference I speak of is the suited, serious, got-to-keep-your-cards-close demeanor on one side versus a completely open and genuine conversation about collective best practices on the other. A great example is the significant contributions Facebook has made to open-source security, but also the fact that the panelists didn’t hesitate to praise Yelp’s either (a company not in the room). I for one am very excited about this shift in thinking, not only from a performance standpoint, where function is still the key, but also for the implications it has for where the -Net will go when you incentivize good rather than rely on protection from bad. [And on a lighter note, just envision all those security guys that they’re finally letting out of the building!]
‘With many eyes, all bugs are shallow’, and the world is realizing that the same holds for security vulnerabilities. It may be Linus’s Law and last millennium in inception, but make no mistake, the adoption of security democratization is a shift of momentous proportion. Shifting the financial incentives away from criminal activity and towards protecting people’s work and livelihoods will arguably clean up the Internet more than anything. Bugcrowd and HackerOne get it; they’re even profiting from it. What kind of growth are we forecasting here? Bugcrowd has grown from less than 20 to almost 100 in a year. Granted, that doesn’t correlate directly to the sector overall, but it’s not a bad proxy. Another stat that adds color to the opportunity: Marten Mickos’ HackerOne has awarded over $10M in the bounties it has issued, with clients including none other than the Pentagon. If THE security agencies are getting into this, shouldn’t your company at least take a look? The answer is probably yes.
Secret Service mentality.
Another ‘illuminating’ session came from Nathaniel Gleicher, who runs cybersecurity strategy for Illumio. He hails from the halls of DC, the National Security Council in the White House and the U.S. Department of Justice to be specific. Does he have ample ‘security clearance’? You could say that, and the fact that he is now using it in the private sector is encouraging. His talk was entitled ‘What the Secret Service can teach us about Cybersecurity’, and in the ‘1) visualize, 2) control, 3) secure, 4) respond’ framework he presented, I at least felt better hearing about some of the preventative measures and technology pouring into steps 1-3. Pouring? Ok, maybe not pouring, but there are distinctly big and powerful entities working on these problems. And you might be thinking ‘obviously’, but there is far more to consider here than blind assumptions. The current system gets exploited because in billions of lines of code (some of which were written decades ago) there will always be bugs and vulnerabilities. And as our ‘big data’ capabilities continue to grow more sophisticated, identifying them is growing easier for all involved. There are simply too many to lock down, though, so how do you deploy contingency plans that can be enacted on the global stage at massive scale in a minute or two, sometimes faster? Seconds and minutes versus hours and days (let alone weeks and months) ain’t a bad place to start. Adaptive security is where we’re headed in the orchestration and automation age, and dare I say name-dropping #machinelearning is even justified in this case. Companies like Google and Palantir certainly know this to be true, and regardless of how you feel about them specifically, they are elevating the conversation and State-of-Play in security, among other areas. They should be recognized for their contributions in the court of public opinion, just as they are for the growing funds in their bank accounts.
Latest breaches and attacks.
And speaking of teams like ‘Delta Sierra’ and ‘Project Shield’, Akamai was on one of the panels, and so of course the vDOS attack on Brian Krebs came up. Due to the large costs associated with large-scale DDoS attacks, Akamai had to drop Krebs as a customer, at which point Google’s Jigsaw and ‘Project Shield’ teams intervened. It creates a very interesting precedent, if not protocol, for how security may be conducted moving forward. Google as a safety net? Apparently so. Another recent breach that was front and center came in the form of Yahoo’s recent troubles. Immense respect to Bob Lord (Yahoo CISO) for honoring his commitment to speak despite all that is going on related to the breach. He was forthright and honest despite this calculated attack magnifying an already difficult time as the company is acquired by Verizon. It does kind of raise the question, though: ‘what is Verizon doing differently that scared these guys out of hiding?’ For another day …
Most importantly for today: