<html>
<head>
<meta http-equiv="content-type" content="text/html;
charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<a
href="http://www.rsaconference.com/videos/127/the-cloud-security-nightmare-or-our-next-great">http://www.rsaconference.com/videos/127/the-cloud-security-nightmare-or-our-next-great</a><br>
<br>
Thoughts on Philippe Courtot's RSAC 2014 keynote.<br>
<br>
One thing I notice about these keynotes as I go through them is that
there is a common issue with having the CEO of a company give a
talk: nobody tells them any bad news ever. So when they give talks,
they are likely to hear that the talk is amazing, and they practice
it less, and they don't edit it. I usually listen to each talk
twice before I write one of these review emails, and frankly, if
anyone had done that with the keynotes this or last year, they would
have cut many minutes out of them, and replaced them with the actual
vision these executives are trying to get across - which I guess is
what I'm trying to do here, in these emails. <br>
<br>
So let's cut to the chase, which for Philippe's talk is about ten
minutes in:<br>
<ul>
<li> "Because we have IPS/IDS, they have to scan very slowly, and
so because we are doing continuous scanning and our scanners are
white-listed, we can find vulnerabilities before they do". This
is an interesting point. I think one problem is of course that
continuous external scanning is false positive heavy. Attackers
have no false positives - they either got inside the network or
they didn't. It's a hole in Qualys's strategy that Rapid7
definitely saw - to integrate exploitation into scanning.<br>
</li>
<li> "Next-Gen firewalls brought application awareness, we need to
bring in endpoint and threat awareness." (Yes, but easier said
than done - this could probably have been expanded a lot during
the talk at the expense of the first ten minutes!)<br>
</li>
<li> "Without Chip and Pin the hackers could re-invest part of
their gains into automating their attacks"</li>
<li> With security we need real-time. ("Real-time" gets a lot of
play in this talk. He's not wrong there, but real-time reporting
is not going to solve anything. You have to layer on a level of
automated response, which means a language for expressing which
machines and networks can be turned off, disconnected, or just
disinfected. This is a huge task and I don't know of any company
working on it at all. Qualys would probably be a good fit because
it feeds into their asset management strengths.)</li>
<li> "Insist from the vendors that they have open architectures"</li>
<li> Brain in the cloud -> Significant advantage. There was a
lot of "let's put smaller agents back on all the endpoints and
roll all that data into the cloud and then magic analysis
happens!"<br>
</li>
<li> There was a lot of talk of exfiltration filters, network
sniffing and "open ports" which frankly I think is a bit old
fashioned, or perhaps just focused more on effective network
configuration management than security per se. Hackers don't
open ports any more. And modern implants (like INNUENDO) exfil
over the protocols that you already use.<br>
</li>
<li>Cost effective scalability by trimming down the complexity of
OpenIOC</li>
</ul>
Also, I have to admit, I love that he puts his own email in the
talk. Not many CEOs do that. I CCed him on this email. :><br>
<br>
From a vision and strategy standpoint there are perhaps a few
interesting areas. First of all, what Qualys excels at is "Security
at Cost-effective Scale". You can feel this current throughout the
talk. But there is no magic security data analysis brain in the
cloud, and it's not clear there WILL be for some time. What data you
capture, and when, and how you format that data, and how that data
changes over time, is all a very complex subject matter. Do you
capture what binaries are running, like <a
href="https://www.immunityinc.com/products-eljefe.shtml">El Jefe</a>
does? Do you capture what web sites people visit? Do you capture
every system call or file the endpoints access? Do you just capture
everything willy-nilly and send that data as unstructured text to
the cloud for processing?<br>
<br>
Likewise, Mandiant and Crowdstrike and Terremark and every other
company selling or using Indicators of Compromise have explicit and
deep reasons to avoid cooperating on OpenIOC, and I don't see that
changing any time soon. Because they know the minute they do, Qualys
is going to eat their lunch. <br>
<br>
After watching a lot of these talks I think what you have to do is
ask each executive at RSA how their vision differs from modern
reputation-system, brain-in-the-cloud, heuristics-based AV. <br>
<br>
-dave<br>
<br>
<br>
</body>
</html>