[Dailydave] "The Future of Security" (Symantec RSA 2014 Keynote)

Dave Aitel dave at immunityinc.com
Wed Apr 2 16:07:07 EDT 2014


http://www.rsaconference.com/videos/125/the-future-of-security
by
Stephen Trilling
Symantec
SVP Security Intelligence and Technology

(This post continues the tradition of summarizing and peer reviewing all
the RSA Keynotes every year. More here
<https://lists.immunityinc.com/pipermail/dailydave/2014-March/thread.html>.)

So again I want to point out that presentation matters - and this is by
far the best presented keynote of the year.  It was practiced. It was
organized. It had a lot of similar themes from the other keynotes but it
went further and was more fleshed out and logical and even the slides
made sense. 

But the best presentation is not always the best thinking. People forget
that too easily, I think.

So to summarize:

  * We are fighting an asymmetric battle because attackers can buy
    security products and learn their weaknesses
  * We are still not catching targeted attacks. This is super bad.
  * Because we want to have some level of hope that we will, we use
    defense in depth strategies
  * Companies will continue to need to deploy endpoint security,
    firewalls, and other point solutions (because they have to)
  * But each point solution is an island and is myopic and they don't
    interact with one another (and making them all interact with one
    another is an exponentially painful problem)
  * Even storage of the data from these point solutions is a problem, as
    is administrating them
  * Each enterprise is also an island.

Stephen continues to define the current product landscape and is
relatively pessimistic about SIEM:

  * Why not just use a SIEM? (Security Incident and Event Monitor).
    SIEMs are only as good as the data they ingest.
  * They are designed to correlate a series of events that fit within a
    limited time window of a few hours...so indicators that are spread
    out over time don't get correlated.
  * Or we could have all security products talk to each other. Tight
    integration across all point products. But this doesn't scale.

But why not just a bigger, better, local SIEM? It comes down to the
desire for economies of scale across multiple customers and a huge
managed security push from Symantec. The hole in this argument is that
big companies (who are the ones with the money to afford this stuff in
the first place) are already diverse enough to not really get many
advantages from multi-tenant offerings necessarily.

Stephen's Ideal Future State (as stated in his talk):

  * Managed security providers who leverage economies of scale.
  * Integrated automatically by your provider
  * No Enterprise is An Island
  * Magically complex attacks will be discovered within minutes or hours!

He develops scenarios based on these ideas:

  * What if local system agents recorded logins and network connections
    and web pages visited and everything possible?
  * Then you forward all that data to the cloud where your managed
    service provider took care of it for you.
  * For example, what if the agents recorded that it connected to a
    particular FTP server. Then later on, some other random person
    figures out that that FTP server is evil.
  * Automatically and continuously look for patterns of anomalous
    activity across all of our collected telemetry.
  * Secure marketplace for analytic applications which you can have run
    on your data (sample pricepoint: 10K USD for a C&C detector)

A lot of this feeds into the same theme that Dan Geer echoed during his
talk <http://www.rsaconference.com/videos/130/hugh-thompson-and-guests>
with Hugh Thompson, which is (shortly paraphrased): "We no longer have
to be drowned by data".

The marketplace for analytic applications is pretty genius, I have to
admit. Who wouldn't pay 10K to find a new malware C2 connection on
their network?

The issues with the model are of course:

  * Attackers can send fake data into the cloud, ruining your analytics
  * The correlation part is not nearly as trivial as they're making it look
  * Most of it is vaporware other than "what binaries did we run" which
    is already essentially being done by AV

Essentially, just because we have the "cloud" now and are no longer
being drowned by data does not mean we have the RIGHT data, or that we
are not being drowned, in turn, by analytics!

-dave
P.S. One thing this talk failed at was putting his email address in the
slides, so someone from Symantec will have to forward this to him. :>
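The scenario the post describes (agents record every connection, an FTP server is found to be evil days later, and a SIEM's few-hour correlation window never links the two) as an added worked example. This is illustrative code written for this page, not Symantec's product, anything shown in the talk, or the list author's code. The host names, the indicator `ftp.example-bad.net`, the telemetry records, the enrolled-host list and the `ingest` provenance check are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry from hypothetical endpoint agents (not real data).
# Each record is one thing an agent observed: a network connection or a logon.
TELEMETRY = [
    {"host": "ws-17", "ts": datetime(2014, 3, 1, 9, 12), "type": "net_conn", "dst": "ftp.example-bad.net"},
    {"host": "ws-17", "ts": datetime(2014, 3, 1, 9, 13), "type": "logon", "dst": None},
    {"host": "ws-42", "ts": datetime(2014, 3, 4, 14, 2), "type": "net_conn", "dst": "cdn.example.com"},
    {"host": "ws-03", "ts": datetime(2014, 3, 6, 22, 45), "type": "net_conn", "dst": "ftp.example-bad.net"},
    {"host": "ws-03", "ts": datetime(2014, 3, 7, 9, 30), "type": "net_conn", "dst": "ftp.example-bad.net"},
    # A record claiming to come from a host that was never enrolled: an attacker
    # feeding fabricated telemetry into the pipeline (the "fake data" problem).
    {"host": "ghost-99", "ts": datetime(2014, 3, 7, 9, 31), "type": "net_conn", "dst": "ftp.example-bad.net"},
]

# Hypothetical inventory of hosts that actually run the agent.
ENROLLED_HOSTS = {"ws-03", "ws-17", "ws-42"}


def ingest(events, enrolled_hosts):
    """Drop telemetry from hosts the provider has not enrolled.

    This is a minimal, hypothetical provenance check; it stops an obvious
    injection but is not a complete answer to poisoned telemetry (an attacker
    on an enrolled host can still emit whatever it likes).
    """
    return [e for e in events if e["host"] in enrolled_hosts]


def window_correlate(events, indicator, learned_at, window=timedelta(hours=4)):
    """SIEM-style correlation: only events inside a fixed window ending at the
    moment the indicator became known are considered. Older hits are invisible."""
    return [
        e for e in events
        if e["type"] == "net_conn"
        and e["dst"] == indicator
        and learned_at - window <= e["ts"] <= learned_at
    ]


def retrospective_match(events, indicator):
    """Scan all retained telemetry for the indicator, regardless of age.
    This is the 'someone later figures out the FTP server is evil' case."""
    hits = [e for e in events if e["type"] == "net_conn" and e["dst"] == indicator]
    return sorted(hits, key=lambda e: e["ts"])


def first_seen(events, indicator):
    """Earliest contact with the indicator across all retained telemetry."""
    hits = retrospective_match(events, indicator)
    return hits[0]["ts"] if hits else None


def dwell_time(events, indicator, learned_at):
    """How long the indicator was present on the estate before anyone knew
    it was bad. None if the estate never touched it."""
    seen = first_seen(events, indicator)
    return learned_at - seen if seen is not None else None


if __name__ == "__main__":
    indicator = "ftp.example-bad.net"
    learned_at = datetime(2014, 3, 7, 12, 0)  # when the IOC reached us
    clean = ingest(TELEMETRY, ENROLLED_HOSTS)

    print("SIEM window hits:", [(e["host"], e["ts"]) for e in window_correlate(clean, indicator, learned_at)])
    print("Retrospective hits:", [(e["host"], e["ts"]) for e in retrospective_match(clean, indicator)])
    print("Dwell time before detection:", dwell_time(clean, indicator, learned_at))
```

Run as a script, the window query surfaces only the connection from the morning the indicator arrived, while the retrospective scan also returns the contacts from six days earlier, which is the whole point of keeping telemetry longer than a correlation window. Dropping the unenrolled host's record is what keeps the fabricated event out of both results; without that step the attacker's injected record would show up as a hit just like the real ones.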