Friday Summary: August 23, 2013By Adrian Lane
With seven trips in the last eight weeks – and I would have been 8 for 8 had I not been sick one week – I’d have been out of the office the entire last two months. It almost feels weird blogging again but there is going to be a lot to write about in the coming weeks given the huge amount of research underway.
Something really hit home the other day when I was finishing up a research project. Every day I learn more about computer security, yet every day – on a percentage basis – I know less about computer security. Despite continuous research and learning, the field grows what seems like an exponential rate. The number of new subject areas, threats and response techniques grows faster than any person can keep up with. I was convinced that in the 90s I could ‘know’ pretty much all you needed to know about computer security; that concept is now laughable. Every new thing that has electrons running through it creates a new field for security. Hacking pacemakers and power meters and vehicle computer is not surprising, and along with it the profession continues to grow far beyond a single topic to hundreds of sciences, with different distinct attack and defense perspectives. No person has a hope of being an expert in more than a couple sub-disciplines. And I think that is awesome! Every year there is new stuff to learn, both the ‘shock and awe’ attack side, as well as the eternally complex side of defense.
What spawned this train of thought was Black Hat this year, where I saw genuine enthusiasm for security, and in many cases for some very esoteric fields of study. My shuttle bus on the way to the airport was loaded with newbie security geeks talking about how quantum computing was really evolving and going to change security forever. Yeah, whatever; the point was the passion and enthusiasm they brought to Black Hat and BSides. Each conversation I overheard was focused on one specific area of interest, but the discussions quickly led them into other facets of security they may not know anything about - social engineering, encryption, quantum computing, browser hacking, app sec, learning languages and processors and how each subsystem works together … and on and on. Stuff I know nothing about, stuff I will never know about, yet many of the same type of attacks and vulnerabilities against a new device.
Since most of us here at Securosis are now middle-aged and have kids, it’s fun for me to see how each parent is dealing with the inevitability of their kids growing up with the Internet of Things. Listening to Jamie and Rich spin different visions of the future where their kids are surrounded by millions of processors all trying to alter their reality in some way, and how they want to teach their kids to hack as a way to learn, as a way to understand technology, and as a way to take control of their environment.
I may know less and less, but the community is growing vigorously, and that was a wonderful thing to witness.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Rich on Threatpost- How I Got Here. I got to do my third favorite thing, talk about myself.
- Dave Mortman on Big Data Security Challenges.
- Mike’s DR column “Prohibition for 0-day Exploits”.
- Mike quoted in CRN about Proofpoint/Armorize deal.
Favorite Securosis Posts
- Rich: The CISO’s Guide to Advanced Attackers. Mike’s latest paper is great. Especially because I keep having people thank me for writing it when he did all the work. And no, I don’t correct them.
- Adrian Lane: Hygienically Challenged. After 10 weeks of travel, I’m all too familiar with this element of travel. But after 3 days fishing and hiking in the Sierra’s I was one of these people. Sorry to the passengers on that flight.
- David Mortman: Research Scratchpad: Stateless Security.
- Mike Rothman: Lockheed-Martin Trademarks “Cyber Kill Chain”. “Cyberdouche” Still Available. A post doesn’t have to be long to be on the money, and this one is. I get the need to protect trademarks, but for that right you’ll take head shots. Cyberdouche FTW.
Other Securosis Posts
- “Like” Facebook’s response to Disclosure Fail.
- Research Scratchpad: Stateless Security.
- New Paper: The 2014 Endpoint Security Buyer’s Guide.
- Incite 8/21/2013 — Hygienically Challenged.
- Two Apple Security Tidbits.
- Lockheed-Martin Trademarks “Cyber Kill Chain”. “Cyberdouche” Still Available.
- IBM/Trusteer: Shooting Across the Bow of the EPP Suites.
- New Paper: The CISO’s Guide to Advanced Attackers.
Favorite Outside Posts
- Adrian Lane: Making Sense of Snowden. Look at my comments in Incite a couple weeks back and then read this. Chris Pepper: Darpa Wants to Save Us From Our Own Dangerous Data.
- Rich: Facebook’s trillion-edge, Hadoop-based and open source graph processing engine.
- David Mortman: Looking inside the (Drop) box.
- Mike Rothman: WRITERS ON WRITING; Easy on the Adverbs, Exclamation Points and Especially Hooptedoodle. Elmore Leonard died this week. This article he wrote for the NYT sums up a lot about writing. Especially this: “If it sounds like writing, I rewrite it.”
Research Reports and Presentations
- The 2014 Endpoint Security Buyer’s Guide.
- The CISO’s Guide to Advanced Attackers.
- Defending Cloud Data with Infrastructure Encryption.
- Network-based Malware Detection 2.0: Assessing Scale, Accuracy and Deployment.
- Quick Wins with Website Protection Services.
- Email-based Threat Intelligence: To Catch a Phish.
- Network-based Threat Intelligence: Searching for the Smoking Gun.
- Understanding and Selecting a Key Management Solution.
- Building an Early Warning System.
- Implementing and Managing Patch and Configuration Management.
Top News and Posts
- Hackers for Hire.
- Bradley Manning Sentenced to 35 Years in Prison
- Declassified Documents Prove NSA Is Tapping the Internet
- ‘Next Big’ Banking Trojan Spotted In Cybercrime Underground
- How the US (probably) spied on European allies’ encrypted faxes
- Researcher finds way to commandeer any Facebook account from his mobile phone
Blog Comment of the Week
This week’s best comment goes to michael hyatt, in response to Research Scratchpad: Stateless Security.
I think we’re working our way in that direction, though not as explicitly as you define it. But while we’re still running security analytics against a set of data resources, were beginning to run those analytics against the data in real time, allowing us to keep the results rather than the data. So as in your example for server management, we can keep a years of user activity as a profile rather than ten million discrete events, and alert on an outlier when it happens.
In the future it will be more stored analysis and less stored events, until we can ultimately see everything and store nothing.