Collaborate, Innovate, Secure
SecZone 2012 Keynote

The problem with accepting a keynote is that audiences tend to come to your talk with the expectation to be inspired, impacted, changed even. Starting to write a keynote after realizing that is, to say the least, a task unlike almost anything I have ever done before. Maybe that's a good point to start: "What have I done before Edgar asked me to come out here and talk to you?" Or should I say "for Edgar to ask me"?

When I look at myself I'm just a crazy guy who's passionate about information security and eager to learn every single day. I've spent the past 15 years in IT in different functions, working for IT integrators, hardware and software manufacturers and Big 4 consultancies. Currently I work for Ernst and Young. In my spare time I'm a director at (ISC)2 and I organize the BruCON conference.

It is an honor for me to speak here and I can't really continue without thanking Edgar, in Spanish: "Thank you very much for the invitation. I feel very honored to be here. Colombia is an incredible country and I have never felt more welcome at a conference."

With that out of the way, let's see what I have in store for today.
2012 has been an interesting year for information security, wouldn't you agree? We have been shocked, we have been exhilarated, we have been depressed, we have laughed (hard!), we have cried and, more often than not, we have sighed. We have sighed with relief because the worst things happened to somebody else and not us. We have sighed in dismay when another database with unsalted hashes appeared on Pastebin. Where Anonymous was omnipresent in 2010-2011, we seem to have come back to the essence of information security in 2012. The same questions remain: "Do we want to do business in a secure manner? How do we protect our most valuable assets? How do we ensure that we protect those assets to an acceptable level? And ... what exactly does an acceptable level mean for us?"

I am thankful to be active in a community that gathers some of the smartest people in the world around the most challenging problems. For the record: I don't count myself among that group of smart people. I am but a blip on your screen. I am just a guy with an opinion who's determined to try to do something right. For some values of something.

What I want to address today are the following three points:

1 - How can a community that has grown explosively and changed without even realizing it keep collaborating in a competitive setting?
2 - Where I am convinced that many of the decisions we have taken and supported over the past 15 years have stifled innovation, how can we rekindle that innovative spirit?
3 - And finally, when we have created a collaborative and innovative ecosystem, how can we secure the world together?
Let me start at the beginning. In the past decade, the 'friendly' hacking and security community has evolved into an ecosystem where individuals, associations and organizations are eager to find an equilibrium (or balance) that allows them to maintain a culture of information sharing and at the same time permits the commercialization of a legitimate service or product offering. The power of a community such as the hacker/infosec community has always been that each member is as dedicated to giving back as it is to taking from it. The collective knowledge is what effectively powers the ecosystem and in the past decades, individuals have found a stable, albeit brittle, equilibrium that allowed them to exchange knowledge and ideas.

It wasn't until recently (as in "the last 5 years") that the associations of the involved individuals with their employers have become an additional factor in this ecosystem. One isn't just "John Doe" in today's world. Like I am never just "Wim Remes". Most often I am "Wim Remes, working for Ernst and Young" or "Wim Remes, Director at ISC2" or "Wim Remes, organizer of the BruCON conference" or a combination of all of the above or just the drunk guy at the party. On a personal level the most unsettling part probably is that I'm never in control of what cap I am wearing. It comes to a point where I become hesitant to share my ideas and projects with other, interested, parties. Obviously this may just be me being paranoid but when looking at the broader picture, you will see that the whole community is moving towards a state where information is no longer shared in large groups. The community gets fragmented and loses the core of its being.

In the past half decade we have seen a dramatic decline of "new research" being presented at conferences. We have reached a point where most of the talks are about "ideas in the conceptual state" where we used to have "finalized research" and "knowledge sharing" before. One may argue that, as systems become more secure, it becomes harder to find 0-days. I would even find this reasoning acceptable were it not for the data from vendors that shows that vulnerabilities are still being found at an alarmingly fast rate. So, there must be underlying reasons for this evolution.

We have moved from the "no bugs for free" era, where security researchers were glorified hobbyists who were expected to give up their goods for a plane ticket and plenty of alcohol, to a state in the community where security research has become a hard currency. Much of the research that was conducted "independently" a few years ago is now being performed under a commercial contract, often involving a Non-Disclosure Agreement. Where commercial organisations would sometimes 'prevent' research from being presented at conferences by threatening with lawsuits in the past, we now see them hiring the same researchers and blocking them even before the research starts. This isn't necessarily a bad thing for the parties involved. It could be that it is a bad evolution for the community at large but that remains to be seen.
What we see today is that the larger impact of commercial entities on the community leads to polarization as organizations are antagonized to support a certain idea or belief. A good example that we have witnessed over the past year is the debate on the sale of 0-day vulnerabilities by researchers or companies to government entities. I am not inclined to use this venue to pass judgement on the ethical nature of selling vulnerabilities for undetermined purposes to whomever pays the most money. Most notably, a French company called VUPEN has become the pinnacle of this debate. I don't think I have seen a commercial company being publicly called out as much as I've seen VUPEN being called out and blamed for all our collective sins. The only thing they have done to deserve this is refusing to hand over a vulnerability that would have earned them 50,000 dollars in a bug-finding competition. Everything from there on forward has been bluff and marketing, with VUPEN claiming that they can earn much more from selling the exploit to their customers. The proof of that remains to be shown. I haven't seen it yet, have you? Or maybe we have?

Like all (ok, most) "legitimate" companies, VUPEN is required to publish their yearly revenue. Publish is not a Latin word: it means that their numbers are made public, for all to see! It's quite strange that we haven't seen those numbers in any of the articles that have covered the topic in the past year. For the Americans in the debate, there may be a first problem. VUPEN numbers are published in French. I'm happy to provide a quick break-down so they don't have to learn a second language. Someone who's a little bit interested will quickly find out that in 2010, VUPEN made almost €600k in revenue with €325k in net profits. The years before that, the company made LESS than €5k in profits!!! That means that a Pwn2Own payout of $50,000 represents almost 1/7th - or almost 15% - of VUPEN's profit. From their perspective that isn't insignificant.

At this moment there isn't a single indicator that selling 0-day vulnerabilities OR exploits is a viable business model. If VUPEN has the many 0-day vulnerabilities that they claim they have AND the clients that want to pay the premium price for them, it surely doesn't reflect in their business numbers. Granted, VUPEN has not published any recent business numbers, and I'm looking forward to seeing them, but I'm inclined to think they do not show a sharp increase from the 2010 numbers. I have, and I am not shitting you on this one, talked with people in the industry that actually sell 0-days and let me assure you that it is not their core business. 0-day sales is not the flourishing market that some make it out to be.
Allow me to throw out an interesting comparison: It is with a little amusement that I observe that established 'research' organizations such as Forrester and Gartner produce proprietary 'research' and sell it at high prices. C-level executives act on these publications and the impact of whatever it is that 'industry research companies' think to be knowledgeable about today is rarely measured. As an example, I was recently forwarded a short research note from a well-known company. The document as such described the added value of integrating vulnerability management solutions with web application firewalls. In itself, the idea has merit but this kind of paper rarely takes into account the grim reality that is a company's infrastructure, silofication, departmental friction, etc. When applied to "the real world"(tm), the whole premise of such a paper falls flat on its face. It becomes a ridiculous idea yet executives assign valuable resources to creating gap analyses, estimating cost, etc. etc. "What a waste" or, if I'm allowed to paraphrase an esteemed colleague of mine: "What a waste."

All this when we ridicule true researchers that investigate the infinitely interesting ways in which software (and hardware, but everything today is software) breaks. True researchers that operate on the edge that exists between engineering and art. True researchers that are finding ingenious ways to monetize their skill and efforts. We ridicule them and expect them to work for free. For what? The thought alone is beyond any reasonable argument. I would like to ask the question: who has, in the long run, a more nefarious impact on information security? The established 'research' institute that is killing trees spreading 'advice' that lacks even the most remote thought of implementability, or the researcher who discovers oversight by industry moguls that puts companies and their clients at risk?
Let's elaborate on the idea of selling 0-day as a business model. First off, let's explore the position of the seller: It is impossible to control the intellectual property of a 0-day vulnerability and its related exploit. A company may have spent 3 months in the development of an exploit, preparing it for sale to an interested third party, just when an independent researcher subscribes to a bounty program or decides to throw the same vulnerability on the internet for free. Any which way you take it, the investment is immediately nullified. At the same time, it is impossible to determine the shelf-life of a 0-day vulnerability. A vulnerability may exist for days, months or years. It is, with that knowledge, impossible to determine a price for a vulnerability. At the same time you are, with a unique product, playing in a market driven by demand, which means the price of your product is not determined by the intrinsic value of the product you offer but by who needs the product at any given time and with what urgency they need it.

From a customer perspective, the situation is even more dire. You don't want to stock up on 0-day that you may or may not use. It isn't unthinkable that you will have a $100k exploit lying around that is then published on pastebin by a creative teenager, immediately devaluing the buy. You're looking for exploits when you need them and custom developed for you at that specific time. I am, for the sake of not boring you to death, not even digging into the details of how the reliability of an exploit impacts its value. Imagine that you are a buyer: how much are you willing to pay for an exploit that only works 3 out of 10 times? How much for an unreliable vulnerability that leaves a machine in an unstable state and how much for one that doesn't impact the state of a machine noticeably? In most cases, very little, but if you really need to bring down that Iranian nuclear plant ... it may be worth a million dollars.

Taking all that in regard, I would dare to claim that the market for 0-day vulnerabilities and exploits is very small (to the level of unviable in the long term) and highly unstable. At the same time the market for specialized skills and vulnerability research seems to be large enough and continues to grow. I think that, in the case of 0-day sales, we are looking for an imaginative 800lbs gorilla and I don't believe we will find it.

One possible - and for a change believable - scenario where someone may be interested to buy 0-day is from a defensive perspective. It is as important to know the tools your enemy has available as it is to sharpen your own tools. Buying 0-day gives you a perspective on what is available in the underground market: what you may or may not need to defend against and how you may or may not be attacked.

The whole 0-day sales debate being fought out in public is, in my opinion, little more than politics. It isn't new for pressure groups to create an alternate reality to forward their own agenda. What it shows to me though is that we are becoming particularly good at throwing our peers under the train for little or no reason at all. If we want to stop doing that, I believe we can start by focusing on our own strengths. Instead of pointing out our competitors' weaknesses (whether that's selling 0-day exploits or offering vulnerability assessments as penetration tests), we should aim our sights on performing the best we can in our space. This would be a first change that can lead us to a collaborative, innovative security industry. When we all aim to be better, we collectively move forward.
---

Not so long ago someone suggested that I should watch a short movie called 'Jiro Dreams of Sushi'. I am forever grateful. The documentary (it's a true story, not fiction) digs into the life of Jiro, the head chef of a three-star restaurant in Tokyo. His restaurant, with no more than 10 seats, has reached the ultimate recognition in the culinary world. Being awarded three stars is not something that's easy to do. At a time where he should be enjoying retirement, living the life of a recognized hero and watching his 2 sons carry on his legacy, he gets up in the morning every single day. To make sushi. To work with ingredients so simple and pure that one would wonder if there really is anything special about it. Now, the question is why would Jiro do that and ... obviously ... what is the lesson we can learn from it?

Jiro is a very simple man. His only goal is to make the perfect piece of sushi. To do that, he goes through every single detail. The rice he uses, the fish, manually roasting the nori sheets, using (or not using) condiments. Those seem obvious but where any ordinary chef would stop, Jiro pushes forward. He learns his customers, he knows who will sit where and whether they are left- or right-handed. He is so engaged in the process of creating a piece of sushi that one would wonder if it is still healthy for him but he doesn't mind. His only goal is to make the perfect piece of sushi. His love for the raw products he works with is only surpassed by his love for his customers and his quest to make the perfect. Jiro's perfect, according to world standards, can not be expressed in Michelin stars, yet he keeps pushing the boundaries.

Over the past few months, in different settings, we have heard the following being said:

* let's not aim for the stars if we want to shoot the moon.
* sometimes good enough is perfect
* nobody needs perfect if good enough suffices

Voltaire (a French writer/poet) had an interesting idiom about that understanding: "le mieux est l'ennemi du bien", "the better is the enemy of the good". The original meaning of this phrase has been redefined over time, so much that I feel it is important that we go back to the original. What Voltaire meant or, maybe better, what I believe he meant is that people tend to set lofty goals and get lost in their attempt to reach those goals. This finally results in not reaching any goals at all. A solution, a situation or a product can be "good enough" and "good enough" can be a state we can live with in our quest for "perfect". I predict that Voltaire is going to surpass Sun Tzu as the most quoted dead guy at information security conferences, so when you hear him again, please think back of what I said here. Voltaire does not tell us that "good enough" is in itself an end goal; it is an acceptable state for a finite amount of time as we figure out our next steps.

A few years ago executives that I talked to often countered my push for better security by saying "we are not Fort Knox" or "nobody wants to hack us". In a Voltaire world, these people are saying that we don't have to be perfect and aim their sights at "good enough". It is our task to drive innovation by setting intermediate "good enough" goals and using our magician's force on the way to perfect. The concept of the magician's force in itself is interesting. (provide example). As the magician you give your subjects the idea that they have been given a choice while, in the end, they had no choice at all. Compliance may be an example of an area where your use of the magician's force is very much needed. At this very moment colleagues in industries like healthcare and finance are swamped with regulatory requirements: HIPAA, PCI-DSS, local banking regulations, local and international privacy regulations, you name it. All of those 'frameworks' set a bar that we now perceive as 'perfect' security. Most of us agree that the combination of the recommendations we read in those frameworks all together might not even be 'good enough'. To innovate security, we have an obligation to be passionate about what we are doing and aim to be better tomorrow than we are today. We need to be a little bit more Jiro and care about our products and clients as much as we care about the money we are making.
Through my work for (ISC)2 I am allowed to talk to information security professionals around the globe, from South America to Japan and Australia. Executives often tell me that they don't find the right people to fill extremely important positions. I think this is an important problem that we need to solve, and the first thought that always comes to mind is how we can improve the knowledge transfer and build a pipeline of professionals that can support our organisations to do business securely. I know several people, ranging from my fellow board members at (ISC)2 that are active in the academic world to people like Dan Guido who is a "resident hacker" at NYPoly. They do groundbreaking work to fill the pipeline of information security workers we need so much but I don't believe that:

a) we can solve the lack of skills by training people that have little or no experience to begin with.
b) we should expect all our solutions for this problem to come from academia.

I believe we need significant investments to build IT Security into the existing Computer Science curriculums and much more integration of the efforts that are made by private sector, government and academia alike. It is quite awesome to see that an event like SecZone provides a venue for such collaboration and integration here in Colombia.

Firstly we need to make sure that the skilled people we train are ready for the reality they will be functioning in. That means that we don't only have to prepare them for the technical challenges they will face but also for the business challenges they will face. And then, when they are finally ready and enter the labor market, we need to make sure that those people also choose a career in information security. Very often we discuss the "skills gap": it seems impossible to find the security workers that we are needing so badly in our organisations. When I see another job announcement describing a profile that looks like only someone with 30 years of experience can truthfully claim to fit, but the company looking for that profile only offers a wage equivalent to that of a senior IT administrator, I often wonder: How do we expect someone who can earn equivalent pay as an IT admin, probably working more regular hours and certainly not suffering a 150% workload, to choose entering the information security industry?

"Hiring high-skilled resources at rock bottom pay IS NOT A SKILLS GAP."

If we ourselves misconstrue the problem, we set ourselves up to fail in finding the solution to the problem. What we also shouldn't forget is that the security team from today looks very much different than the security team(s) 10 years ago. The teams 10 years from now will look totally different than those today. Your team members will possess a variety of skills complementary to their security skills that should enable them to address the problems. If you lead a security team today, my advice would be to look at the variety of skillsets you need to keep up and hire accordingly.
Assuming that we manage to both maintain a collaborative environment and bring back innovation to the information security industry, how will we progress in securing our infrastructures? I'm certainly not the first to say that it is safe to assume that you will, at a certain point in time, be hacked. It is just a matter of when, if it didn't already happen. The big question then is how you will be able to detect it, how you will be able to react to it and how you will prevent it from happening in the future. First and foremost I believe that our security models need to become more - not attacker-centric - but attacker aware. This means that we need to collect more reliable data on attackers, attacker groups, their methods, interactions and why they attack. Analysis of this data will help us to become better defenders. But only if we are also able to share this data. Whether this happens through a public forum, local and global CERTs or through industry groups doesn't really matter. We need to move away from the idea that we are fighting this fight alone. If we can bring collaboration into our daily operations, we benefit from both the strengths of an industry and those of a community.

I hope that through this talk, I've been able to share some of my thoughts on the security community, the security industry and our collective challenges. I'm happy to explore these ideas further here at the conference or later, via email on wremes-at-gmail-dot-com or on twitter @wimremes.