The 8th Annual ISSA Los Angeles Information Security Summit was back at the Universal City Hilton again this year, drawing well over 700 registrants from all over Southern California, Arizona and Nevada, and beyond. After ISSA-LA President, Richard Greenberg, welcomed attendees, InfoSec celebrity Jack Daniel took over the controls. Mr. Daniel, with a look that some say resembles Professor Albus Percival Wulfric Brian Dumbledore, the fictional character from J. K. Rowling's Harry Potter series, actually wore a pair of Dumbledore socks! But most surprising to those that know and love him was a sports jacket.
Starting the Audience Engines with InfoSec Burnout
Mixing things up a bit, Mr. Daniel didn’t take to the tech talk in his opening keynote. Rather, he shed some light on what appears to be a growing concern for most in the industry: InfoSec burnout.
Daniel spoke to long hours, a lack of appreciation, high stress, and a constant sense of pending doom (the inevitable security breach), which have seemingly led to professional burnout for many. Daniel shared some results from research he conducted via Twitter, noting that most deal with the possibility of burnout by investing in some sort of physical activity, oftentimes outdoors; activities such as walking, jogging, and even Jiu-Jitsu (pointing to fellow speaker, Jeremiah Grossman, who was sitting in the audience).
“We hear a lot about how hard it is to find good people and to break into the InfoSec community,” said Daniel. “No one ever really talks about how hard it is to get out.”
Cyber Insurance—with a Side of Software Guarantee, Please
The day moved on with a number of tracks: a CISO forum, an executive forum, a healthcare forum, and two security tracks. In one of the security tracks, Jeremiah Grossman, Founder of WhiteHat Security, shared his thoughts on the state of cybersecurity, security technologies and cyberinsurance. In summary, the story goes a little something like this:
- There are a lot of websites and a lot of vulnerabilities.
- We can continue to identify hundreds or even thousands of new vulnerabilities, but it already takes six months on average to patch the vulnerabilities we already know about.
- Even with huge investments in security technologies and services, companies are still getting hacked.
- Many fear and expect they will get hacked (perhaps again?).
To counter this doom-and-gloom message, Grossman suggests we begin to focus on remediation. “It’s a remediation problem,” Grossman said. “To make an impact in cybersecurity, innovation is required in remediation.”
When Grossman says remediation, he also means cyber insurance coverage to help close the gap on losses when technology lets us down and a breach occurs. In addition to promoting cyber insurance as a critical element within every InfoSec program, Grossman is also on a mission to extend his success at WhiteHat Security, which offers product guarantees.
“Banks somehow offer security guarantees, using products from vendors that don’t offer guarantees for their products,” said Grossman. “Buying products in cybersecurity is like a $75b garage sale... products are sold ‘as-is’—it’s time to get the vendors to guarantee their products. Ask your vendors to guarantee their work and their products—if they can’t or won’t, their products probably [aren’t very good].”
While a big part of this push for security software guarantees is to put some ownership back onto the vendors, Grossman also suggests that companies should marry the guarantee to their insurance coverage. When they do, they can actually drive up product quality and improve security across the board.
Grossman’s full slide share can be found here:
Successful Women in InfoSec Share Their Experiences
For the third year in a row, the ISSA-LA Summit brought together a group of successful women to share their thoughts on the state of women in cybersecurity:
- Pamela Fusco, Founding Partner, Gid Grid
- Stephanie Douglas, Senior Advisor of Safety and Security for RANE (Risk Assistance Network and Exchange)
- Andrea Hoy, President/Founder & Virtual CISO/CRO, A. Hoy & Associates
- Cheryl Santor, Information Security Manager, Metropolitan Water District of Southern California
- Chenxi Wang, Chief Strategy Officer, Twistlock
The panelists pretty much all agreed that we are in a constant battle of privacy vs. security vs. convenience. “We are on the cusp of a digital revolution,” said Wang. “We now have a digital identity that we didn’t have before—living a Silicon Valley lifestyle means I have a very big digital footprint.”
Hoy asked, “Are you comfortable with Google looking at your calendar, identifying your current location, and then telling you that you need to leave now to make it to your next appointment on-time, given the traffic conditions?”
As we open our lives in new ways to new technologies, we are sure to exacerbate this problem of finding the right balance. To learn more about what these amazing women had to say, read the detailed recap of this session as captured by Selena Templeton.
Software-Defined Security Is the Future of Security
Mark Weatherford, SVP and Chief Cybersecurity Strategist at vArmour, set the record straight for the cloud: most of the systems used for business will be cloud-based. “As a CISO, you have been (or will be) asked the question at some point in your career: Is it safe?” said Weatherford. “Remember, while you can transfer some but not all responsibility to the cloud provider, you can’t transfer accountability.”
He also noted that while the cloud could potentially be a much safer environment in which to operate, most companies are not instrumented for visibility into east/west traffic in the cloud. Virtual machines come and go in hours, sometimes minutes—what are the apps doing inside the cloud? How are the users and systems traversing the network, accessing data and moving data?
Weatherford then offered a number of key takeaways. The first was to implement all of the SANS CIS Critical Security Controls. When an audience member asked which controls to focus on, he chuckled and said the person should know the answer (suggesting all audience members should also know, I suspect). Weatherford then said, “We routinely figure organizations can address 80% of their risk by focusing on the top four controls.”
Here are the four controls Weatherford was referring to:
- CSC 1: Inventory of Authorized and Unauthorized Devices
- CSC 2: Inventory of Authorized and Unauthorized Software
- CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
- CSC 4: Continuous Vulnerability Assessment and Remediation
However, Weatherford also made one additional comment that should stick with most of the audience: “Segmentation: if you’re not doing it, you’re dumb. You don’t want production talking to development. Employ micro-segmentation in your environment; segment the VM at the workload level.”
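As an added illustration, which is not code from the article, from vArmour or from the CIS project, the following Python script applies two of Weatherford's takeaways to constructed sample data: it reconciles the hosts observed in flow logs against an authorized device inventory (the substance of CSC 1), and it flags any flow that crosses the production/development boundary, the segmentation failure he called out. The inventory, the CIDR-to-zone mapping, the allowed zone pairs, and the flow log lines are all constructed assumptions for the example, not data from any real environment.

```python
"""Added example (not from the article): reconcile observed hosts against an
authorized inventory (CSC 1) and flag flows that cross the prod/dev boundary.
Every inventory entry, zone CIDR and flow record below is constructed sample
data for illustration only.
"""
from collections import namedtuple
import ipaddress

# Constructed authorized inventory: asset name -> (ip, zone)
AUTHORIZED_DEVICES = {
    "web-prod-01": ("10.10.1.10", "prod"),
    "db-prod-01": ("10.10.1.20", "prod"),
    "ci-dev-01": ("10.20.1.10", "dev"),
    "ws-dev-07": ("10.20.1.57", "dev"),
}

# Constructed zone assignments by CIDR; anything outside these is "unknown"
ZONES = {
    "prod": ipaddress.ip_network("10.10.0.0/16"),
    "dev": ipaddress.ip_network("10.20.0.0/16"),
}

# Segmentation policy: directional (src zone, dst zone) pairs that may talk.
# Any pair not listed here, including pairs involving "unknown", is a violation.
ALLOWED_ZONE_FLOWS = {("prod", "prod"), ("dev", "dev")}

# Constructed flow log lines: "src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
10.10.1.10 10.10.1.20 5432 tcp
10.20.1.10 10.10.1.20 5432 tcp
10.20.1.57 10.20.1.10 22 tcp
10.10.1.99 10.10.1.20 5432 tcp
10.20.1.10 10.10.1.10 443 tcp
"""

Flow = namedtuple("Flow", "src dst dport proto")


def parse_flows(text):
    """Parse the constructed flow format; malformed lines are skipped, not fatal."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        flows.append(Flow(src, dst, int(dport), proto))
    return flows


def zone_of(ip):
    """Map an IP to its zone by CIDR; unmapped addresses are treated as unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def unauthorized_devices(flows, inventory=AUTHORIZED_DEVICES):
    """CSC 1 check: every IP seen on the wire that is absent from the inventory."""
    known = {ip for ip, _zone in inventory.values()}
    seen = {f.src for f in flows} | {f.dst for f in flows}
    return sorted(seen - known)


def segmentation_violations(flows, allowed=ALLOWED_ZONE_FLOWS):
    """Flows whose (src zone, dst zone) pair is not explicitly allowed (default deny)."""
    violations = []
    for f in flows:
        pair = (zone_of(f.src), zone_of(f.dst))
        if pair not in allowed:
            violations.append((f, pair))
    return violations


def report(text=SAMPLE_FLOWS):
    """Run both checks over a flow log and return the findings as plain data."""
    flows = parse_flows(text)
    return {
        "unauthorized_devices": unauthorized_devices(flows),
        "segmentation_violations": [
            (f.src, f.dst, f.dport, pair) for f, pair in segmentation_violations(flows)
        ],
    }


if __name__ == "__main__":
    for key, findings in report().items():
        print(key)
        for item in findings:
            print("  ", item)
```

Two design choices matter here. The inventory check keys on addresses seen in traffic rather than on a scan, so it catches a host the moment it talks, which is the east/west visibility Weatherford said most cloud deployments lack. The segmentation check is default deny: a flow from an address that maps to no known zone is reported just like a dev-to-prod flow, so an unmapped subnet cannot silently pass as allowed.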
The Continuing Battle of Privacy vs. Security
In what was certainly one of the most engaging sessions of the day, “Privacy vs Security: Apple and the FBI” drew a huge audience, exposed a lot of passion, and curated a tremendous amount of emotion from the panelists and the audience. The discussion was moderated by ISSA-LA President Richard Greenberg and included the following panelists:
Fagan set the stage with a very emotional opening statement: “We had 14 people that were murdered, 22 wounded, and many more were hurt. This is very real to us—some of our own people were in the room. Corporations shouldn’t be able to thumb their nose at the government just because the request is too cumbersome or not in the best interest of their business.”
For Bibring, it’s not about whether a corporation can thumb its nose or not. It’s really an issue of a case that starts as a national terrorist case, then turns into a felony criminal case, then a small crime case, and then a tax evasion case. “Where does it end?” hazarded Bibring. “Changing the way the phone worked so the FBI could break the encryption isn’t a huge burden for a company of Apple’s size: 10 people, 4-6 weeks. It’s not that they didn’t want to spend the money to do it; they didn’t want to break the security systems that they spent millions building.”
As Bibring stated his position, Fagan was noticeably itching to respond. So much so, that the audience could feel it, and the fellow panelist at the table to his right (Raether) commented on his visible agitation.
Fagan got his chance to respond. “Criminals communicate through technology,” he said. “They conduct cyberbullying and record crimes on video—we find evidence on phones like nowhere else.”
Fagan’s main point about the evidence is that, if it exists, it should be used. Telling a story to get his point across, Fagan addressed the panelists and the audience: “Suppose you have a daughter and she is abducted. You’re lucky enough to find her phone, but you don’t know the passcode. That phone could include data about her whereabouts and photos of the abductor. Unlocking that phone could be the difference between seeing your daughter alive or never seeing her again.”
Even with all of this on the table, the opposing panelists don’t believe the government should be able to force companies to disable or undermine their encryption mechanism: “Forcing one company to do it doesn’t mean that every company would do it,” said Bibring. “Moving in this direction essentially outlaws encryption, which means only outlaws will have encryption.”
Added Crocker, “You can’t build a back door that only the good guys can access.”
The conversation could have gone on for hours, but time had run out. Greenberg then urged the ISSA-LA audience to get involved: “Our community should be talking to the politicians. We are the experts in security, and our voices need to be heard.”
Rectal Thermometer Slide Presentation Ends the Day
Cory Doctorow, a science fiction novelist and Special Consultant to the Electronic Frontier Foundation, held the mic for the closing keynote; he had the audience in the palm of his hand as he told interesting and funny story after story.
Doctorow used a handful of slides to help tell his stories, landing on one slide showing a “smart thermometer” that evidently recorded the user’s rectal temperature and transferred the results to their smartphone. This slide remained on the screen for the remainder of Doctorow’s keynote—a full 45 minutes!
The relationship between each of Doctorow’s stories was one of connecting the dots between the intellectual property protections afforded by digital rights management—via the Digital Millennium Copyright Act—and the ability for manufacturers to overextend/abuse these rights. Manufacturers could potentially collect inappropriate private information and prevent the responsible disclosure of product vulnerabilities.
In the first case, Doctorow told a story about a case where John Deere used Internet-connected sensors on the tractors (owned by the farmers that purchased the tractors) to collect farming data from the farmers’ daily activities. This allowed John Deere to analyze and create futures information that could be sold for millions (or even billions?) to those interested in investing in the futures market.
In the second case, Doctorow referenced mistakes made in product design and implementation where disclosure of the resulting vulnerabilities was impeded, such as Jay Radcliffe’s (of Rapid7) insulin pump disclosure.
Stay tuned to this article for a link to Doctorow’s session recording.
What Are Your Thoughts?
If you were at the conference, the ISSA-LA Summit team would like to know what you thought of the sessions and the event as a whole.
Summit8 Conference Overall: http://bit.ly/s8conference