I don’t have to tell you things are bad. Everybody knows things are bad. It feels we are losing. Everybody’s breached, or getting breached. The NGFW cannot stop the attacks, the endpoint anti-virus is useless, and we sit there staring at our iPads as some pundit tells us we deserve to give up our private data to the NSA, as if that’s the way its supposed to be.
We know things are bad, they are worse than bad. They are crazy. We sit in our cubicles all day desperately trying to align our security programs with obtuse long-winded and utterly impractical standards written by stiff consortiums who have never touched a single piece of IT infrastructure in their lives. All we say is just leave me alone. Let me have my certifications and trips to SANS training. Let me check off PCI compliance and go to another drunken RSA party. Let me just feel better about what I am doing because none of it matters any more.
Well, I am not going to leave you alone. I want you to get MAD. I don’t want you to protest. I don’t want you to tweet. I don’t want you to take another selfie, because I wouldn’t know what to tell you to do in that selfie. All I know is that first you’ve got to get mad. You’ve got to say: “I’m a decent human being who wants to do the right things, dammit! My data has value!”
So, I want you to get up now. I want all of you to get up out of your seats. I want you to get up right now and go to Moscone. Throw open your laptop and yell: “I’m as mad as hell, and I’m not gonna take this anymore!’ Get up, now, and tell the world – I’M AS MAD AS HELL, AND I’M NOT GOING TO TAKE THIS ANYMORE!
Now go back to your offices next week. Throw away the internationally approved standard. Tell the checkbox auditor to pound sand. Burst your way into the next board meeting and let them feel your fury: YOU HAVE MEDDLED WITH THE PRIMAL FORCES OF TECHNOLOGY, MR CEO AND YOU WILL ATONE! You will support real security. You will embrace open standards, collaboration, and NGFW that automatically blocks malicious traffic. You will show vision and leadership. You will get out of my way, and let me do what must be done to protect this company.
It is Wednesday at RSA, and we are going off the rails here. After two days of incessant blathering, the rage comes out. Why me, you might ask? Because you can read everybody’s email, dummy.
(Pop Culture Reference: If this intro sounds familiar, it borrows heavily from the late Peter Finch’s famous rant in the 1976 movie Network. Arguably one of the most prophetic movies ever made.)
Makers vs. Breakers
Somehow I managed to stumble my bleary, coffee stained self into this session. I flopped down in the chair and immediately saw Robert Graham on stage. Hey! I worked with Robert at Network General and then Network ICE in the late 90s. Robert taught me a lot of the basics of information security. Joining Robert on stage was Joshua Corman and Evan Prodromou. Finally, some people who know a thing or two about security.
What followed was a truly engaging discussion on software development, bug bounties, and third party libraries. The core message: have a welcome mat for security researchers and hackers via a bug bounty. This changes the nature of the relationship from adversarial to collaborative. Corman had some particularly insightful ideas here.
Maybe we could make a difference after all? Maybe this is not a losing battle? Maybe we did not need to get mad, just get smarter approaches to security? I bounced out of this session feeling refreshed.
Next up was the keynote address from the StoryCorps people. They record people’s stories and archive them in the Library of Congress and have a regular spot on NPR.
These “human interest” presentations have become a tradition at RSA, and they are usually the best presentations of the show. This year was no exception.
The core message I heard was: hate is louder than love. Our world (and IT security is no exception) is extremely fond of defining what we hate. We can talk endlessly about everything we find bad, wrong, and unjust. We are equally quick to pin blame on others, especially the weak.
However, we have little time in our day to talk about those we love, what we believe, or who we trust. Hate is potent and addictive, like heroin. Once we shoot hate into our heads, it spreads to the rational mind. There it festers and takes hold of our mind, convincing us that it is perfectly normal to belittle, blame, and bully the weak and desperate for our problems. Hate also makes us seek constant validation for our hate. It drives us to social media and television to hear other hate-filled pundits and blowhards who tell us that our hate is good, and right, and part of our heritage.
Hate is a sickness that wants to get sicker.
All security is human. Software, hardware, and networks all require people to design, build, and maintain them. It is foolish to think we can slap arbitrary frameworks or sets of controls on an environment and security will spontaneously arise from that. Security requires people. But more importantly, it requires people who care. We cannot hate our way to care, compassion, and decently. People who focus on hate, are ultimately incapable of doing the right things.
Ascending the Path to Effective Security
Okay, I admit, I am a Marty Roesch fanboy. Now, admittedly, Roesch is not the most dynamic speaker. He comes off a bit awkward and nerdy, but that is what I like about him. He is genuine. I do not feel like I am being sold something. He talks about big ideas and conspicuously rejects common platitudes. He is an ideal face for Cisco’s security because he gives them so much credibility, when for so long, Cisco had none.
The first platitude he challenged is this idea that complexity is the enemy of good security. This took the form of addressing the problem of proliferating technologies. As we add new technologies to an environment the management complexity increases on a linear scale, but the analytical complexity increases on a geometric scale. That means, for each new next-generation threat intelligence behavior-based hacker-stop box we buy, the costs and complexity of analyzing the output of those devices increases significantly faster. This is because the data from these devices must be analyzed in relation to each other. Roesch calls this the Security Effectiveness Gap. The more tech you add, the less effective it all becomes.
He then when on to cite all the breaches of recent history where the companies had a sophisticated collection of technologies, but nobody was doing anything about it. We echo this point to clients all the time. Target had all the whiz-bang cool latest stuff, and they still got hacked. The primary failure at Target, and everywhere else was that intelligence was not getting in the hands of people who could affect change.
So what is the answer to this dilemma? Roesch’s answer is the exact same answer we arrived at in 2014: integration, consolidation, automation. We need more tightly integrated components (SIEM, NGFW, SWG, etc.) Fewer devices that do more, which is why NGFW has consumed the security market. And lastly, we need to automate the reaction and coordination of these devices.
What Roesch is promoting is exactly what this blog defined as Security Analytics over a year ago. Cisco, is in the ideal position to build a true security analytics platform. They have not only the security technologies, but also the network and virtualization capabilities as well. Their role in the infrastructure allows them to address some of the more complex challenges
The other players in this space, like Blue Coat, IBM, or Raytheon (ForcePoint) have disadvantages in this market because they do not have the infrastructure experience or positioning.
Given Cisco’s appetite for security firms, I suspect they will continue this march toward a true converged analytics platform through additional acquisitions. They may make a SIEM buy at some point. I would not be surprised if they went for Splunk. It would put them in a very strong position to realize more of Roesch’s ideas. However, they may be able to do a lot of this coordination without actually owning a SIEM.
The Inevitable Decline of the Digital Age
As much as I am a Martin Roesch fanboy, I am also a Mark McLaughin fanboy. If Martin speaks to the nerdy security guy in me, Mark speaks to the business person within me.
McLaughlin’s presentation was a fascinating exploration of the challenges of trust in a world where it can be damaged quickly.
However, what really caught my attention, was when McLaughin said “It’s important for the security industry to move on and get into the future. Security companies should not complete on what we know, but complete on what we can do with it (security intelligence) for you.” I completely agree with this, but it was a surprising thing to hear the head of Palo Alto Networks say this. Back in 2012 I challenged PAN on the fact that they isolated themselves from the industry with their messaging. They acted as if their technology was so great, it did not have to compete with anybody else. It was unfair and disingenuous. Gartner was patently behind them on this notion, which is why we called PAN a cult.
Now we hear a PAN that is decidedly embracing their competitors. They are openly collaborating with them, and even promoting the idea of competing on technical capability, not merely messaging. This is an impressive maturation for PAN. They are no longer the arrogant show-off, but a responsible member of the information security community. This deepens my respect for McLaughin. Although I am not sure I want to give up my Fortinet quite yet.
Incidentally, why wasn’t Fortinet on stage? We have Cisco and PAN back to back, where is Fortinet? Instead, we had HP Enterprise. Why is HP even here? They sold off TippingPoint and their other security properties. How did they manage to get a keynote, and Fortinet did not? HPs keynote was dumb. It was simplistic. They promoted their ability to monitor for “known good state” as if that was some amazing new discovery. I guess they missed the news on that invention Gene Kim and Eugene Spafford made in 1992 called Tripwire.
Fear In the Face of Certain Breach
The last keynote of the day was David Rothkopf’s meandering discussion on fear and how the very fabric of civilization is unraveling because of interconnectedness. This keynote was interesting, in the same way a PBS Frontline episode is interesting: tons of thought-provoking ideas that make you feel dumb and powerless.
The message that resonated with me is that we cannot surround ourselves with enablers of our bad habits. Interconnectedness has caused people to seek out groups, tribes, and communities that echo and support whatever they already believe. These are enablers. Now if the community is one that enables eating healthy or reading books, that can be good. However, many of the communities merely reinforce bad habits, like hate, blame, and narcissism. Information security is not immune from this. This blog is routinely critical of RSA for this very problem. The endless and obsessive focus on hacking creates a perception that the only way to understand security is to be a hacker. This community too often teaches young security people the wrong habits. You do not need to be a hacker, to implement good information security.
Those of us who have done security for a long time have a responsibility to enable good habits among new professionals. I believe that is reinforcing the notion of doing the right thing, always.
We ended the day at Anitian’s reception at Jamber. We packed the room this year. We had many of our long-time and more recent clients. The conversations were lively. Special thanks to my partners at TrueBit for stopping in. The crowd ended up being a very diverse group of customers, partners, investors, and analysts. It is moments like last night that remind me of why I love what I do. I get to hang around super-intelligent people and talk about Star Trek and penetration testing. Big thank you to Megan Lotzenhiser for making the night happen.
RSA is not over yet. We still have Sean Penn on Friday. If that does not make you run to the window and scream I’M AS MAD AS HELL AND I’M NOT GOING TO TAKE THIS ANYMORE…I am not sure what would.
This blog entry is not a psychotic episode. This is a cleansing moment of clarity. It is time for all of us to take a stand. Maybe screaming at the board is not the answer (but it is satisfying), but we need to stand up for what we know to be right, good, and correct. We cannot keep forcing formality for the sake of formality. We cannot keep buying new technologies, using the same practices. We cannot keep lying to ourselves and our co-workers that it is all okay because we passed some scan.
Kick the VAR out of your office. Fire the checkbox auditor. Throw away the compliance books. Do what you know is right. And if your employer will not let you do what is right, then leave. Find a place that actually lives those core values and mission statements plastered on the walls.
People love to echo that platitude; the price of freedom is eternal vigilance. Its not. We do not need more righteous vigilance and posturing. We do not need more insecure tough-guys strutting around in their hacker camos blathering about the preciousness of their rights while simultaneously blaming others for their inadequacies. We do not need any more cybersecurity bullies.
Information security happens when smart people are allowed to care and do what is right. If you do not have smart people who care, then all the posturing, posing, hacking, cracking, snacking, and hardware stacking will not get you there.
It is time to roll up our sleeves and get the job done. We need to be the change we want to see so that we can truly change the fabric of civilization.