LAS VEGAS - BLACK HAT USA - A panel of security and privacy experts engaged in a free-wheeling discussion of how enterprises have invested in security over the years and beefed up their defenses, but there was still a long way to go.
Jeff Moss, founder of Black Hat, Adam Shostack, senior program manager at Microsoft's Trustworthy Computing Group, Marcus Ranum, chief security officer at Tenable Security, and Bruce Schneier, chief security technologist at BT, talked bluntly about their mistrust of government, changing nature of cyber-attacks and exploits, and the future of security at a panel on the first day of the Black Hat security conference at Las Vegas. Jennifer Granick, director of civil liberties at the Stanford Law School Center for Internet and Society, acted as a moderator of the panel.
The panelists had all spoken at the original Black Hat conference in 1997 and were reunited in this session to discuss what had happened in security over the years, and what the future would look like for security.
There were some successes. Malware analysis and detection has made it possible for enterprises to block recognized and known threats effectively, Ranum said. Spam was another area, as “I almost never see spam in my inbox,” Schneier said. Enterprises have improved their defenses to be able to analyze and detect broad-based attacks, even as they struggle to defend against targeted attacks, he said.
However, there was a lot of to be worried about, and the panel did not pull any punches in who they thought was to blame. The government wasn't doing its job in providing businesses with valuable intelligence on breaches and threats, the panelists agreed.
Ranum criticized the point made earlier by the keynote speaker, Shawn Henry, a former FBI-official and currently president of CrowdStrike Services, that the private sector firms bore the brunt of protecting against sophisticated cyber-threats and nation-state attacks. “I lose my cool when I hear people from the government saying that the private sector needs to step up,” Ranum said. “I am not qualified to carry out counter-intelligence against China, that is what the government is for.”
In fact, despite the insistence on information-sharing, the process has been decidedly one-way, Ranum said. Moss agreed, saying how federal officials are very open and excited about the kind of information businesses can share, but the second they are asked what the businesses can receive in return, they clam up.
“The security community is flying in the dark on a 'trust us' model while we hand over all this information,” Ranum ranted.
Instead of legislating security policy and breach notification, the government would be better off to use their wallet to encourage companies to change their security practices, Schneier said. The NSA can define a security standard, and go to the various vendors—the cloud, database, and software providers-- and inform that if they want government business, they have to adhere to that standard, Schneier suggested.
Schneier took that a step further, saying that contractual arrangements could begin to drive security and privacy between people and companies. These contracts can specify what the security expectations are and what information and control the customer retains.
People are increasingly putting their information and infrastructure in the cloud for convenience, but as a result, relinquish all control, Moss said.
The government wasn't all bad. The government can jump-start technology research, drive adoption of technology within agencies and departments, and in turn force the security market to create new products, Moss said. For example, the government has played a significant role is in the development of DNSSEC and secure BGP, which is critical for the future and security of the Internet and online communications, but has almost no commercial interest, Moss said.
When the panel discussed where companies should focus their security spending , Moss was unequivocal.
“The best return is on your employees, Moss said, to cheers and applause from the audience. “I rely on people, not on a widget. I can get all the widgets I need for free from the open source community,” Moss said.
Good security staff are important, but the company needs to also invest in managers who can understand how to put people in the right roles and get the best effort. Ranum agreed with Moss, saying that while forensics and malware specialists were critical to the security fight, generalists were also very important in order to see the bigger picture. As more and more companies outsource aspects of their business to third-party providers, such as payroll, there needs to be a generalist on staff who understands how the service will interact with other on-premise software, not a specialist in that payroll system, Ranum said.
Schneier pointed out that staff needs to be familiar with the legal and regulatory environment, as well.
Granick asked the panelists to weigh in on whether security will be better or worse in the future. The response was decidedly pessimistic across the board, as things will be “the same.”
“We’ll get better at running,” Moss said.
Schneier responded, “The bad guys will always run faster.”