
Security Inevitabilities

By Rich

Despite my intensive research into cryonics, I have to accept that someday I will die. Permanently. I don’t know when, where, or how, but someday I will cease to exist. Heck, even if I do manage to freeze myself (did you know one of the biggest cryonics companies is only 20 minutes from my house?), get resurrected into a cloned 20-year-old version of myself, and eventually upload my consciousness into a supercomputer (so I can play Skynet, since I don’t really like most people), I have to accept that someday Mother Entropy will bitch slap me with the end of the universe.

There are many inevitabilities in life, and it’s often far easier to recognize these end results than the exact path that leads us to them. Denial is often closely tied to the obscurity of these journeys; when you can’t see how to get from point A to point B (or from Alice to Bob, for you security geeks), it’s all too easy to pretend that Bob Can’t Ever Happen. Thus we find ourselves debating the minutiae, since the result is too far off to comprehend.

(Note that I’d like credit for not going deep into an analogy about Bob and Alice inevitably making Charlie after a few too many mojitos).

Security includes no shortage of inevitabilities. Below are just a few that have been circling my brain lately, in no particular order. It’s not a comprehensive list, just a few things that come to mind (and please add your own in the comments). I may not know when they’ll happen, or how, but they will happen:

  • Everyone will use some form of NAC on their networks.
  • Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic stripes.
  • Everyone will use some form of DLP, we’ll call it CMP, and it will only include tools with real content analysis.
  • Log management and SIEM will converge into single products. Completely.
  • UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.
  • Virtualization and information-centric security will totally fuck up network security, especially internally.
  • Any critical SCADA network will be pulled off the Internet.
  • Database encryption will be performed inside the database with native functionality, with keys managed externally.
  • The WAF vs. secure development debate will end as everyone buys/implements both.
  • We’ll stop pretending web application and database security are different problems.
  • We will encrypt all laptops. It will be built into the hardware.
  • Signature AV will die. Mostly.
  • Chris Hoff will break the cloud.
Comments

We are missing biometric science here, which will definitely acquire an important place in security in the coming time.

By Saggi


Dave- I’m so glad you posted that. I’ve been railing against whitelisting for years, and for some reason people ignore the practicalities of using it in the real world. I blame the vendors and VCs on this one.

By Rich


Rich,

Agreed. I work with an org that’s been trying to roll out an application whitelisting app for a year. It’s more difficult than anyone imagined it would be. There’s a ton of push back from people in the organization, especially developers who want to try development tools du jour.

Your points about the browser and anti-exploitation stuff superseding are on the money. Chrome, for all the grief people have given it, does raise the bar. I hope Mozilla and MS adopt some of the better ideas from Google. It’s high time someone really moved the needle on browser security.

By Dave Hull


Dave,

Actually, I think it’s inevitable that whitelisting will never work- too many variables, and as we lose control of the application (because it’s all stuffed in the browser) it becomes far less useful anyway.

I think the anti-exploitation stuff will supersede whitelisting… it’s pretty darn interesting stuff.

By Rich


What, no whitelist application for controlling software in the enterprise?

Great article Rich, as usual.

By Dave Hull


The role of network security will move into availability and compliance. Internal networks become just an in-sourced ISP.
Confidentiality and integrity will be bound into the data itself.

By Andrew Yeomans


@ds-

Yes, you identified a couple of key trends that feed this- consolidation, embedding of functionality, focus on business problems vs. technology issues.

And yep- the network is losing major visibility, and thus there’s no way it will (eventually) be able to offer much in terms of security. It won’t know the data, applications, or much of anything else.

By Rich


@Nick-

You sue your vendor :)

By Rich


Some corollaries:

>>Everyone will use some form of NAC on their networks.

...but no one will pay for it.  Suspect it won’t be universal until it is embedded into the network and the OS in a transparent way.  In fact, there is a theme:

>>
We will encrypt all laptops. It will be built into the hardware.

Database encryption will be performed inside the database with native functionality, with keys managed externally.
<<

...and that theme is that we can all say things like “baked in vs bolted on”, but eventually vendors will understand what that means and include usable and flexible security components into their core products. 

>>Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.

...and we’ll still have CC fraud because there won’t be an infrastructure to allow every possible transaction to be a cardholder-present equivalent, so we will still need some way for credit card data to be human interpreted and communicated.

>>Log management and SIEM will converge into single products. Completely.
>>UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.

...(the above two seem related) Summarize: Security will evolve to solve problems, not sell products. 

>>Virtualization and information-centric security will totally fuck up network security, especially internally.

... by totally fuck up, you mean “make irrelevant”, which is where the industry needs to be. The perimeter will be so dialed into data that even host firewalls will seem to have been a silly idea. This must be related to the DLP/CMF/CMP point above.

>>The WAF vs. secure development debate will end as everyone buys/implements both.

...or, developers learn defense in depth. 

>>We’ll stop pretending web application and database security are different problems.

...The theme for 2011 RSA: “The shrinking application trust boundary”, a sad recast of the “shrinking perimeter” talks that have been ongoing for years now.

By ds


Good morning,
“UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.”

Are you viewing this as a benefit?
What happens when your UTM box loses all “features” because the licensing server at the box developer’s end malfunctions?
http://isc.sans.org/diary.html?storyid=5419

By Nick

