Despite my intensive research into cryonics, I have to accept that someday I will die. Permanently. I don’t know when, where, or how, but someday I will cease to exist. Heck, even if I do manage to freeze myself (did you know one of the biggest cryonics companies is only 20 minutes from my house?), get resurrected into a cloned 20-year-old version of myself, and eventually upload my consciousness into a supercomputer (so I can play Skynet, since I don’t really like most people) I have to accept that someday Mother Entropy will bitch slap me with the end of the universe.
There are many inevitabilities in life, and it’s often far easier to recognize these end results than the exact path that leads us to them. Denial is often closely tied to the obscurity of these journeys; when you can’t see how to get from point A to point B (or from Alice to Bob, for you security geeks), it’s all too easy to pretend that Bob Can’t Ever Happen. Thus we find ourselves debating the minutiae, since the result is too far off to comprehend.
(Note that I’d like credit for not going deep into an analogy about Bob and Alice inevitably making Charlie after a few too many mojitos).
Security includes no shortage of inevitabilities. Below are just a few that have been circling my brain lately, in no particular order. It’s not a comprehensive list, just a few things that come to mind (and please add your own in the comments). I may not know when they’ll happen, or how, but they will happen:
- Everyone will use some form of NAC on their networks.
- Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.
- Everyone will use some form of DLP, we’ll call it CMP, and it will only include tools with real content analysis.
- Log management and SIEM will converge into single products. Completely.
- UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.
- Virtualization and information-centric security will totally fuck up network security, especially internally.
- Any critical SCADA network will be pulled off the Internet.
- Database encryption will be performed inside the database with native functionality, with keys managed externally.
- The WAF vs. secure development debate will end as everyone buys/implements both.
- We’ll stop pretending web application and database security are different problems.
- We will encrypt all laptops. It will be built into the hardware.
- Signature AV will die. Mostly.
- Chris Hoff will break the cloud.
12 Replies to “Security Inevitabilities”
Rich,
Agreed. I work with an org that’s been trying to roll out an application whitelisting app for a year. It’s more difficult than anyone imagined it would be. There’s a ton of push back from people in the organization, especially developers who want to try development tools du jour.
Your points about the browser and anti-exploitation stuff superseding are on the money. Chrome, for all the grief people have given it, does raise the bar. I hope Mozilla and MS adopt some of the better ideas from Google. It’s high time someone really moved the needle on browser security.
Dave,
Actually, I think it’s inevitable that whitelisting will never work- too many variables, and as we lose control of the application (because it’s all stuffed in the browser) it becomes far less useful anyway.
I think the anti-exploitation stuff will supersede whitelisting… it’s pretty darn interesting stuff.
What, no whitelist application for controlling software in the enterprise?
Great article Rich, as usual.
The role of network security will move into availability and compliance. Internal networks become just an in-sourced ISP.
Confidentiality and integrity will be bound into the data itself.
@ds-
Yes, you identified a couple of key trends that feed this- consolidation, embedding of functionality, focus on business problems vs. technology issues.
And yep- the network is losing major visibility, and thus there’s no way it will (eventually) be able to offer much in terms of security. It won’t know the data, applications, or much of anything else.
@Nick-
You sue your vendor 🙂
Some corollaries:
>>Everyone will use some form of NAC on their networks.
…but no one will pay for it. Suspect it won’t be universal until it is embedded into the network and the OS in a transparent way. In fact, there is a theme:
>>We will encrypt all laptops. It will be built into the hardware.
>>Database encryption will be performed inside the database with native functionality, with keys managed externally.
…and that theme is that we can all say things like “baked in vs bolted on”, but eventually vendors will understand what that means and include usable and flexible security components into their core products.
>>Despite PCI, we will move off credit card numbers to a more secure transaction system. It may not be chip and PIN, but it definitely won’t be magnetic strips.
…and we’ll still have CC fraud because there won’t be an infrastructure to allow every possible transaction to be a cardholder-present equivalent, so we will still need some way for credit card data to be human interpreted and communicated.
>>Log management and SIEM will converge into single products. Completely.
>>UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.
…(the above two seem related) Summarize: Security will evolve to solve problems, not sell products.
>>Virtualization and information-centric security will totally fuck up network security, especially internally.
… by totally fuck up, you mean “make irrelevant”, which is where the industry needs to be. The perimeter will be so dialed into data that even host firewalls will seem to have been a silly idea. This must be related to the DLP/CMF/CMP point above.
>>The WAF vs. secure development debate will end as everyone buys/implements both.
…or, developers learn defense in depth.
>>We’ll stop pretending web application and database security are different problems.
…The theme for 2011 RSA: “The shrinking application trust boundary”, a sad recast of the “shrinking perimeter” talks that have been ongoing for years now.
Good morning,
“UTM will rule the day on the perimeter, and we won’t buy separate boxes for every function anymore.”
Are you viewing this as a benefit?
What happens when your UTM box loses all “features” because the licensing server at the box developer’s end malfunctions?
http://isc.sans.org/diary.html?storyid=5419
Hey Christian,
1. Yep, WAFs will probably end up in UTMs… but I think that the UTM bit will be “dumb” and the WAF bit will tie closer to the app and database along the lines of ADMP (something we’ve talked about a bunch on the site).
2. I’m starting to think that SCADA will disconnect from the Internet… not even VPN connections. I’m probably wrong on this, but I know security-minded utilities are pulling back on connecting to the net. Among other things, there may be cost savings.
3. Yes on the business requirements- but I see the business requirements driving people to having NAC/CMP. Also, partly it’s because it will be hard *not* to have some of those technologies as they are combined/bundled in.
4. There are web app problems that don’t involve the DB, and DB problems that don’t involve the web app. What I meant to say is that our current method of treating them as totally separate disciplines will end, especially on the web app side.
5. Hoverboards. Love the hoverboards.
Not that I want to challenge any of these, as you said above re. denial. BUT…
Won’t WAFs be swallowed into the UTMs?
Also, won’t SCADA networks continue on the path they’re leading, and whilst not being connected to the Internet, they will probably be accessible via some VPN of sorts? Does that count?
Also (2), won’t NAC/CMP/ come down to business requirements? Unless it’s freely available in whatever technology you’re using to interconnect, and simple-simple-simple to use, there are definitely some situations where I can imagine businesses won’t use this technology. Perhaps if they don’t have a requirement to protect their information from losses of CIA.
Also (3), whilst web app security and DB security are definitely related, it’s unfair to say that they’re completely mutually inclusive. For example, you can definitely have a web app security problem when the web app does not have a database.
Of course, instead of challenging these I should surrender to them as the inevitabilities you’ve said they are. In which case the only one I want to add is:
– Hoverboards