Connect with us

Hi, what are you looking for?


Black Hat

Smashing the Future: A Look Back, and the Future of Security

Black Hat 2012

LAS VEGAS – BLACK HAT USA – A panel of security and privacy experts engaged in a free-wheeling discussion of how enterprises have invested in security over the years and beefed up their defenses, but there was still a long way to go.

Black Hat 2012

LAS VEGAS – BLACK HAT USA – A panel of security and privacy experts engaged in a free-wheeling discussion of how enterprises have invested in security over the years and beefed up their defenses, but there was still a long way to go.

Jeff Moss, founder of Black Hat, Adam Shostack, senior program manager at Microsoft’s Trustworthy Computing Group, Marcus Ranum, chief security officer at Tenable Security, and Bruce Schneier, chief security technologist at BT, talked bluntly about their mistrust of government, changing nature of cyber-attacks and exploits, and the future of security at a panel on the first day of the Black Hat security conference at Las Vegas. Jennifer Granick, director of civil liberties at the Stanford Law School Center for Internet and Society, acted as a moderator of the panel.

The panelists had all spoken at the original Black Hat conference in 1997 and were reunited in this session to discuss what had happened in security over the years, and what the future would look like for security.

Bruce Schneier at Black Hat USA 2012There were some successes. Malware analysis and detection has made it possible for enterprises to block recognized and known threats effectively, Ranum said. Spam was another area, as “I almost never see spam in my inbox,” Schneier said. Enterprises have improved their defenses to be able to analyze and detect broad-based attacks, even as they struggle to defend against targeted attacks, he said.

However, there was a lot of to be worried about, and the panel did not pull any punches in who they thought was to blame. The government wasn’t doing its job in providing businesses with valuable intelligence on breaches and threats, the panelists agreed.

Ranum criticized the point made earlier by the keynote speaker, Shawn Henry, a former FBI-official and currently president of CrowdStrike Services, that the private sector firms bore the brunt of protecting against sophisticated cyber-threats and nation-state attacks. “I lose my cool when I hear people from the government saying that the private sector needs to step up,” Ranum said. “I am not qualified to carry out counter-intelligence against China, that is what the government is for.”

In fact, despite the insistence on information-sharing, the process has been decidedly one-way, Ranum said. Moss agreed, saying how federal officials are very open and excited about the kind of information businesses can share, but the second they are asked what the businesses can receive in return, they clam up.

“The security community is flying in the dark on a ‘trust us’ model while we hand over all this information,” Ranum ranted.

Advertisement. Scroll to continue reading.

Instead of legislating security policy and breach notification, the government would be better off to use their wallet to encourage companies to change their security practices, Schneier said. The NSA can define a security standard, and go to the various vendors—the cloud, database, and software providers– and inform that if they want government business, they have to adhere to that standard, Schneier suggested.

Schneier took that a step further, saying that contractual arrangements could begin to drive security and privacy between people and companies. These contracts can specify what the security expectations are and what information and control the customer retains.

People are increasingly putting their information and infrastructure in the cloud for convenience, but as a result, relinquish all control, Moss said.

The government wasn’t all bad. The government can jump-start technology research, drive adoption of technology within agencies and departments, and in turn force the security market to create new products, Moss said. For example, the government has played a significant role is in the development of DNSSEC and secure BGP, which is critical for the future and security of the Internet and online communications, but has almost no commercial interest, Moss said.

Black Hat 2012

When the panel discussed where companies should focus their security spending , Moss was unequivocal.

“The best return is on your employees, Moss said, to cheers and applause from the audience. “I rely on people, not on a widget. I can get all the widgets I need for free from the open source community,” Moss said.

Good security staff are important, but the company needs to also invest in managers who can understand how to put people in the right roles and get the best effort. Ranum agreed with Moss, saying that while forensics and malware specialists were critical to the security fight, generalists were also very important in order to see the bigger picture. As more and more companies outsource aspects of their business to third-party providers, such as payroll, there needs to be a generalist on staff who understands how the service will interact with other on-premise software, not a specialist in that payroll system, Ranum said.

Schneier pointed out that staff needs to be familiar with the legal and regulatory environment, as well.

Granick asked the panelists to weigh in on whether security will be better or worse in the future. The response was decidedly pessimistic across the board, as things will be “the same.”

“We’ll get better at running,” Moss said.

Schneier responded, “The bad guys will always run faster.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Black Hat

Black Hat 2019 recently wrapped in Las Vegas, where somewhere between 15,000 and 20,000 experts descended to experience the latest developments in the world...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...