[Dailydave] "The Future of Security" (Symantec RSA 2014 Keynote)

Andreas Lindh andreas.lindh at isecure.se
Thu Apr 3 08:35:29 EDT 2014


In Stephen’s world, all the problems defenders are facing with being “drowned by data", administration of products, integration of security products, etc., will be solved by more black box automation. What he is missing is that it isn’t the large amount of data or the lack of integration between security products that is the problem, it’s the lack of knowledge among defenders. If you know what you are looking for and have your priorities straight, there is no way that large amounts of data can ever be a problem. I know it isn’t for me.

Automation is great, but you can’t *start* by automating, you have to understand it first. If you rely on something automated that you don’t even understand, good luck catching the more advanced stuff.

And one more thing: enough of the “advanced attacks are the new normal” talk please.

Andreas

On 2 apr 2014, at 22:07, Dave Aitel <dave at immunityinc.com> wrote:

> http://www.rsaconference.com/videos/125/the-future-of-security
> by
> Stephen Trilling
> Symantec
> SVP Security Intelligence and Technology
> 
> (This post continues the tradition of summarizing and peer reviewing all the RSA Keynotes every year. More here.)
> 
> So again I want to point out that presentation matters - and this is by far the best presented keynote of the year. It was practiced. It was organized. It had a lot of similar themes from the other keynotes but it went further and was more fleshed out and logical and even the slides made sense.
> 
> But the best presentation is not always the best thinking. People forget that too easily, I think. 
> 
> So to summarize:
> - We are fighting an asymmetric battle because attackers can buy security products and learn their weaknesses
> - We are still not catching targeted attacks. This is super bad.
> - Because we want to have some level of hope that we will, we use defense in depth strategies
> - Companies will continue to need to deploy endpoint security, firewalls, and other point solutions (because they have to)
> - But each point solution is an island and is myopic and they don't interact with one another (and making them all interact with one another is an exponentially painful problem)
> - Even storage of the data from these point solutions is a problem, as is administrating them
> - Each enterprise is also an island.
> 
> Stephen continues to define the current product landscape and is relatively pessimistic about SIEM:
> - Why not just use a SIEM? (Security Incident and Event Monitor). SIEMS are only as good as the data they ingest.
> - They are designed to correlate a series of events that fit within a limited time window of a few hours...so indicators that are spread out over time don't get correlated.
> - Or we could have all security products talk to each other. Tight integration across all point products. But this doesn't scale.
> - But why not just a bigger, better, local SIEM? It comes down to the desire for economies of scale across multiple customers and a huge managed security push from Symantec. The hole in this argument is that big companies (who are the ones with the money to afford this stuff in the first place) are already diverse enough to not really get many advantages from multi-tenant offerings necessarily.
> 
> Stephen's Ideal Future State (as stated in his talk):
> - Managed security providers who leverage economies of scale.
> - Integrated automatically by your provider
> - No Enterprise is An Island
> - Magically complex attacks will be discovered within minutes or hours!
> He develops scenarios based on these ideas:
> - What if local system agents recorded logins and network connections and web pages visited and everything possible?
> - Then you forward all that data to the cloud where your managed service provider took care of it for you.
> - For example, what if the agents recorded that it connected to a particular FTP server. Then later on, some other random person figures out that that FTP server is evil.
> - Automatically and continuously look for patterns of anomalous activity across all of our collected telemetry.
> - Secure marketplace for analytic applications which you can have run on your data (sample price point: 10K USD for a C&C detector)
> A lot of this feeds into the same theme that Dan Geer echoed during his talk with Hugh Thompson, which is (shortly paraphrased): "We no longer have to be drowned by data". 
> 
> The marketplace for analytic applications is pretty genius, I have to admit. Who wouldn't pay 10K to find a new malware C2C connection on their network? 
> 
> The issues with the model are of course:
> - Attackers can send fake data into the cloud, ruining your analytics
> - The correlation part is not nearly as trivial as they're making it look
> - Most of it is vaporware other than "what binaries did we run" which is already essentially being done by AV
> Essentially, just because we have the "cloud" now and are no longer being drowned by data does not mean we have the RIGHT data, or that we are not being drowned, in turn, by analytics!
> -dave
> P.S. One thing this talk failed at was putting his email address in the slides, so someone from Symantec will have to forward this to him. :>
> _______________________________________________
> Dailydave mailing list
> Dailydave at lists.immunityinc.com
> https://lists.immunityinc.com/mailman/listinfo/dailydave
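The FTP-server scenario from Stephen's talk and the time-window limitation Dave raises about SIEM correlation, side by side as an added example that is not part of either post: a short correlation window around the moment an indicator arrives misses the old connection, while re-querying retained telemetry finds every host that ever touched the server. Host names, timestamps and the indicator are constructed sample data.

```python
"""Added illustration (not from the thread): retrospective matching of retained
endpoint telemetry against an indicator learned later, versus a SIEM-style
correlation restricted to a window of a few hours. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class NetEvent:
    host: str
    ts: datetime
    dest: str   # remote server the local agent saw the host connect to
    proto: str


# Constructed agent telemetry: two workstations contacted the same FTP server,
# weeks apart, long before anyone knew the server was malicious.
TELEMETRY = [
    NetEvent("ws-17", datetime(2014, 3, 1, 9, 5), "ftp.example.test", "ftp"),
    NetEvent("ws-17", datetime(2014, 3, 1, 9, 6), "intranet.example.test", "http"),
    NetEvent("ws-42", datetime(2014, 3, 20, 14, 0), "ftp.example.test", "ftp"),
    NetEvent("ws-42", datetime(2014, 3, 20, 14, 2), "cdn.example.test", "https"),
]


def window_correlate(events, indicator, learned_at_iso, window_hours=4):
    """SIEM-style correlation: only events inside the window ending at the time
    the indicator arrives are considered; anything older is never revisited."""
    learned_at = datetime.fromisoformat(learned_at_iso)
    window = timedelta(hours=window_hours)
    return sorted(e.host for e in events
                  if e.dest == indicator and learned_at - window <= e.ts <= learned_at)


def retrospective_match(events, indicator):
    """Retained telemetry: once the indicator is known, query the full history so
    every host that ever contacted the server is surfaced, however old the event."""
    return sorted({e.host for e in events if e.dest == indicator})


if __name__ == "__main__":
    bad_server = "ftp.example.test"          # flagged as evil on March 25 (constructed)
    print("window:", window_correlate(TELEMETRY, bad_server, "2014-03-25T10:00"))
    print("retro :", retrospective_match(TELEMETRY, bad_server))
```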
