<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<a
href="http://www.rsaconference.com/videos/125/the-future-of-security">http://www.rsaconference.com/videos/125/the-future-of-security</a><br>
by<br>
Stephen Trilling<br>
Symantec<br>
SVP Security Intelligence and Technology<br>
<br>
(This post continues the tradition of summarizing and peer reviewing
all the RSA Keynotes every year. More <a
href="https://lists.immunityinc.com/pipermail/dailydave/2014-March/thread.html">here</a>.)
<br>
<br>
So again I want to point out that presentation matters - and this is
by far the best presented keynote of the year. It was practiced. It
was organized. It had a lot of similar themes from the other
keynotes but it went further and was more fleshed out and logical
and even the slides made sense.<br>
<br>
But the best presentation is not always the best thinking. People
forget that too easily, I think. <br>
<br>
So to summarize:<br>
<ul>
<li>We are fighting an asymmetric battle because attackers can buy
security products and learn their weaknesses</li>
<li>We are still not catching targeted attacks. This is super bad.<br>
</li>
<li>Because we want to have some level of hope that we will, we
use defense in depth strategies</li>
<li>Companies will continue to need to deploy endpoint security,
firewalls, and other point solutions (because they have to)<br>
</li>
<li>But each point solution is an island and is myopic and they
don't interact with one another (and making them all interact
with one another is an exponentially painful problem)<br>
</li>
<li>Even storage of the data from these point solutions is a
problem, as is administrating them</li>
<li>Each enterprise is also an island.</li>
</ul>
<p>Stephen continues to define the current product landscape and is
relatively pessimistic about SIEM:<br>
</p>
<ul>
<li>Why not just use a SIEM? (Security Incident and Event
Monitor). SIEMs are only as good as the data they ingest.</li>
<li>They are designed to correlate a series of events that fit
within a limited time window of a few hours, so indicators that
are spread out over time don't get correlated.</li>
<li>Or we could have all security products talk to each other.
Tight integration across all point products. But this doesn't
scale. <br>
</li>
</ul>
But why not just a bigger, better, local SIEM? It comes down to the
desire for economies of scale across multiple customers and a huge
managed security push from Symantec. The hole in this argument is
that big companies (who are the ones with the money to afford this
stuff in the first place) are already diverse enough that they would
not necessarily get much advantage from multi-tenant offerings. <br>
<br>
Stephen's Ideal Future State (as stated in his talk):<br>
<ul>
<li>Managed security providers who leverage economies of scale.</li>
<li>Integrated automatically by your provider </li>
<li>No Enterprise is An Island</li>
<li>Magically complex attacks will be discovered within minutes or
hours!</li>
</ul>
He develops scenarios based on these ideas:<br>
<ul>
<li>What if local system agents recorded logins and network
connections and web pages visited and everything possible?</li>
<li>Then you forward all that data to the cloud where your managed
service provider took care of it for you.</li>
<li>For example, what if the agents recorded that a host connected to
a particular FTP server. Then later on, some other random person
figures out that that FTP server is evil. </li>
<li>Automatically and continuously look for patterns of anomalous
activity across all of our collected telemetry.</li>
<li>Secure marketplace for analytic applications which you can
have run on your data (sample pricepoint: 10K USD for a C&C
detector)</li>
</ul>
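<p>The FTP-server scenario above, contrasted with the few-hour correlation window the post attributes to SIEMs, as an added example (not code from the talk or the post; the telemetry rows, hostnames and the server address are constructed for illustration):</p>

```python
from datetime import datetime, timedelta

# Constructed agent telemetry: (timestamp, host, event_type, value).
# Hostnames and the FTP server address are made up for this example.
TELEMETRY = [
    ("2014-02-01T09:12:00", "ws-17", "login",    "alice"),
    ("2014-02-01T09:15:30", "ws-17", "net_conn", "198.51.100.23:21"),
    ("2014-02-03T22:40:10", "ws-04", "net_conn", "198.51.100.23:21"),
    ("2014-02-09T11:05:00", "ws-17", "web",      "http://example.test/update"),
    ("2014-02-28T14:20:00", "ws-31", "net_conn", "198.51.100.23:21"),
    ("2014-02-28T14:22:00", "ws-31", "login",    "svc-backup"),
]


def _ts(event):
    return datetime.strptime(event[0], "%Y-%m-%dT%H:%M:%S")


def window_correlate(events, indicator, window=timedelta(hours=4)):
    """SIEM-style correlation: only connections that fall inside `window`
    of the most recent matching connection are treated as related, which
    is the few-hour limit the talk complains about."""
    hits = [e for e in events if e[2] == "net_conn" and e[3] == indicator]
    if not hits:
        return []
    latest = max(_ts(e) for e in hits)
    return sorted({e[1] for e in hits if latest - _ts(e) <= window})


def retroactive_lookup(events, indicator):
    """Retained-telemetry model: when the FTP server is judged evil weeks
    later, search the whole history and report every host that reached it
    together with its first contact time, however spread out in time."""
    first_seen = {}
    for e in sorted(events, key=_ts):
        if e[2] == "net_conn" and e[3] == indicator:
            first_seen.setdefault(e[1], e[0])
    return first_seen


if __name__ == "__main__":
    evil = "198.51.100.23:21"
    print("windowed:", window_correlate(TELEMETRY, evil))
    print("retroactive:", retroactive_lookup(TELEMETRY, evil))
```

<p>The windowed pass surfaces only the host whose connection sits within four hours of the latest one; the retroactive pass recovers all three hosts, including the two contacts from weeks earlier.</p>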
A lot of this feeds into the same theme that Dan Geer echoed during
<a
href="http://www.rsaconference.com/videos/130/hugh-thompson-and-guests">his
talk</a> with Hugh Thompson, which is (shortly paraphrased): "We
no longer have to be drowned by data". <br>
<br>
The marketplace for analytic applications is pretty genius, I have
to admit. Who wouldn't pay 10K to find a new malware C&C connection
on their network? <br>
<br>
The issues with the model are of course:<br>
<ul>
<li>Attackers can send fake data into the cloud, ruining your
analytics</li>
<li>The correlation part is not nearly as trivial as they're
making it look</li>
<li>Most of it is vaporware other than "what binaries did we run"
which is already essentially being done by AV</li>
</ul>
<p>Essentially, just because we have the "cloud" now and are no
longer being drowned by data does not mean we have the RIGHT data,
or that we are not being drowned, in turn, by analytics!<br>
</p>
-dave<br>
P.S. One thing this talk failed at was putting his email address in
the slides, so someone from Symantec will have to forward this to
him. :><br>
</body>
</html>