Collaborate, Innovate, Secure
SecZone 2012 Keynote

The problem with accepting a keynote is that audiences tend to come to your talk with the expectation to be inspired, impacted, changed even. Starting to write a keynote after realizing that is, to say the least, a task that resembles almost nothing I have ever done before. Maybe that's a good point to start: "What have I done before Edgar asked me to come out here and talk to you?" Or should I say "for Edgar to ask me"?

When I look at myself I'm just a crazy guy who's passionate about information security and eager to learn every single day. I've spent the past 15 years in IT in different functions, working for IT integrators, hardware and software manufacturers and Big4 consultancies. Currently I work for Ernst and Young. In my spare time I'm a director at (ISC)2 and I organize the BruCON conference.

It is an honor for me to speak here and I can't really continue without thanking Edgar: "Thank you very much for the invitation. I feel very honored to be here. Colombia is an incredible country and I have never felt more welcome at a conference."

With that out of the way, let's see what I have in store for today. 2012 has been an interesting year for information security, wouldn't you agree?

We have been shocked, we have been exhilarated, we have been depressed, we have laughed (hard!), we have cried and, more often than not, we have sighed. We have sighed with relief because the worst things happened to somebody else and not us. We have sighed in dismay when another database with unsalted hashes appeared on Pastebin.

Where Anonymous was omnipresent in 2010-2011, we seem to have come back to the essence of information security in 2012.

The same questions remain: "Do we want to do business in a secure manner? How do we protect our most valuable assets? How do we ensure that we protect those assets to an acceptable level?"

And ... what exactly does "an acceptable level" mean for us?

I am thankful to be active in a community that gathers some of the smartest people in the world around the most challenging problems. For the record: I don't count myself among that group of smart people. I am but a blip on your screen. I am just a guy with an opinion who's determined to try to do something right. For some values of something.

What I want to address today are the following three points:

1 - How can a community that has grown explosively and changed without even realizing it keep collaborating in a competitive setting?

2 - Where I am convinced that many of the decisions we have taken and supported over the past 15 years have stifled innovation, how can we rekindle that innovative spirit?

3 - And finally, when we have created a collaborative and innovative ecosystem, how can we secure the world together?

Let me start at the beginning.

In the past decade, the 'friendly' hacking and security community has evolved into an eco-system where individuals, associations and organizations are eager to find an equilibrium (or balance) that allows them to maintain a culture of information sharing and at the same time permits the commercialization of a legitimate service or product offering.

The power of a community such as the hacker/infosec community has always been that each member is as dedicated to giving back as it is to taking from it. The collective knowledge is what effectively powers the eco-system and in the past decades, individuals have found a stable, albeit brittle, equilibrium that allowed them to exchange knowledge and ideas. It wasn't until recently (as in "the last 5 years") that the associations of the involved individuals with their employers have become an additional factor in this eco-system.

One isn't just "John Doe" in today's world. Like I am never just "Wim Remes". Most often I am "Wim Remes, working for Ernst and Young" or "Wim Remes, Director at ISC2" or "Wim Remes, organizer of the BruCON conference" or a combination of all of the above or just the drunk guy at the party. On a personal level the most unsettling part probably is that I'm never in control of what cap I am wearing. It comes to a point where I become hesitant to share my ideas and projects with other, interested, parties. Obviously this may just be me being paranoid but when looking at the broader picture, you will see that the whole community is moving towards a state where information is no longer shared in large groups. The community gets fragmented and loses the core of its being.

In the past half decade we have seen a dramatic decline of "new research" being presented at conferences. We have reached a point where most of the talks are about "ideas in the conceptual state" where we used to have "finalized research" and "knowledge sharing" before. One may argue that, as systems become more secure, it becomes harder to find 0-days. I would even find this reasoning acceptable were it not for the data from vendors that shows that vulnerabilities are still being found at an alarmingly fast rate. So, there must be underlying reasons for this evolution.

We have moved from the "no bugs for free" era, where security researchers were glorified hobbyists who were expected to give up their goods for a plane ticket and plenty of alcohol, to a state in the community where security research has become a hard currency. Much of the research that was conducted "independently" a few years ago is now being performed under a commercial contract, often involving a Non Disclosure Agreement. Where commercial organisations would sometimes 'prevent' research from being presented at conferences by threatening with lawsuits in the past, we now see them hiring the same researchers and blocking them even before the research starts.

This isn't necessarily a bad thing for the parties involved. It could be that it is a bad evolution for the community at large but that remains to be seen.

What we see today is that the larger impact of commercial entities on the community leads to polarization as organizations are antagonized to support a certain idea or belief. A good example that we have witnessed over the past year is the debate on the sale of 0-day vulnerabilities by researchers or companies to government entities.

I am not inclined to use this venue to pass judgement on the ethical nature of selling vulnerabilities for undetermined purposes to whomever pays the most money. Most notably, a French company called VUPEN has become the pinnacle of this debate. I don't think I have seen a commercial company being publicly called out as much as I've seen VUPEN being called out and blamed for all our collective sins. The only thing they have done to deserve this is refusing to hand over a vulnerability that would have earned them 50,000 dollars in a bug-finding competition. Everything from there on forward has been bluff and marketing, with VUPEN claiming that they can earn much more from selling the exploit to their customers. The proof of that remains to be shown. I haven't seen it yet, have you? Or maybe we have?

Like all (ok, most) "legitimate" companies, VUPEN is required to publish their yearly revenue. Publish is not a Latin word: it means that their numbers are made public, for all to see! It's quite strange that we haven't seen those numbers in any of the articles that have covered the topic in the past year. For the Americans in the debate, there may be a first problem. VUPEN numbers are published in French. I'm happy to provide a quick break-down so they don't have to learn a second language.

Someone who's a little bit interested will quickly find out that in 2010, VUPEN made almost €600k in revenue with €325k in net profits. The years before that, the company made LESS than €5k in profits!!!

That means that a Pwn2Own payout of $50,000 represents almost 1/7th - or almost 15% - of VUPEN's profit. From their perspective that isn't insignificant.

At this moment there isn't a single indicator that selling 0-day vulnerabilities OR exploits is a viable business model. If VUPEN has the many 0-day vulnerabilities that they claim they have AND the clients that want to pay the premium price for them, it surely doesn't reflect in their business numbers.

Granted, VUPEN has not published any recent business numbers, and I'm looking forward to seeing them, but I'm inclined to think they do not show a sharp increase from the 2010 numbers. I have, and I am not shitting you on this one, talked with people in the industry that actually sell 0-days and let me assure you that it is not their core business. 0-day sales is not the flourishing market that some make it out to be.

Allow me to throw out an interesting comparison:

It is with a little amusement that I observe that established 'research' organizations such as Forrester and Gartner produce proprietary 'research' and sell it at high prices. C-level executives act on these publications and the impact of whatever it is that 'industry research companies' think to be knowledgeable about today is rarely measured. As an example, I was recently forwarded a short research note from a well-known company. The document as such described the added value of integrating vulnerability management solutions with web application firewalls. In itself, the idea has merit but this kind of paper rarely takes into account the grim reality that is a company's infrastructure, silofication, departmental friction, etc. When applied to "the real world"(tm), the whole premise of such a paper falls flat on its face. It becomes a ridiculous idea yet executives assign valuable resources to creating gap analyses, estimating cost, etc. etc.

"What a waste" or, if I'm allowed to paraphrase an esteemed colleague of mine: "What a waste."

All this when we ridicule true researchers that investigate the infinitely interesting ways in which software (and hardware, but everything today is software) breaks. True researchers that operate on the edge that exists between engineering and art. True researchers that are finding ingenious ways to monetize their skill and efforts. We ridicule them and expect them to work for free. For what? The thought alone is beyond any reasonable argument.

I would like to ask the question: who has, in the long run, a more nefarious impact on information security? The established 'research' institute that is killing trees spreading 'advice' that lacks even the most remote thought of implementability, or the researcher who discovers oversight by industry moguls that puts companies and their clients at risk?

Let's elaborate on the idea of selling 0-day as a business model.

First off, let's explore the position of the seller:

It is impossible to control the intellectual property of a 0-day vulnerability and its related exploit. A company may have spent 3 months in the development of an exploit, preparing it for sale to an interested third party, just when an independent researcher subscribes to a bounty program or decides to throw the same vulnerability on the internet for free. Any which way you take it, the investment is immediately nullified. At the same time, it is impossible to determine the shelf-life of a 0-day vulnerability. A vulnerability may exist for days, months or years. It is, with that knowledge, impossible to determine a price for a vulnerability. At the same time you are, with a unique product, playing in a market driven by demand, which means the price of your product is not determined by the intrinsic value of the product but by who needs the product at any given time and with what urgency they need it.

From a customer perspective, the situation is even more dire. You don't want to stock up on 0-day that you may or may not use. It isn't unthinkable that you will have a $100k exploit lying around that is then published on pastebin by a creative teenager, immediately devaluating the bu. You're looking for exploits when you need them and custom developed for you at that specific time.

I am, for the sake of not boring you to death, not even digging into the details of how the reliability of an exploit impacts its value. Imagine that you are a buyer: how much are you willing to pay for an exploit that only works 3 out of 10 times? How much for an unreliable vulnerability that leaves a machine in an unstable state and how much for one that doesn't impact the state of a machine noticeably? In most cases, very little, but if you really need to bring down that Iranian nuclear plant ... it may be worth a million dollars.

Taking all that in regard, I would dare to claim that the market for 0-day vulnerabilities and exploits is very small (to the level of unviable in the long term) and highly unstable. At the same time the market for specialized skills and vulnerability research seems to be large enough and continues to grow.

I think that, in the case of 0-day sales, we are looking for an imaginary 800lbs gorilla and I don't believe we will find it.

One possible - and for a change believable - scenario where someone may be interested to buy 0-day is from a defensive perspective. It is as important to know the tools your enemy has available as it is to sharpen your own tools. Buying 0-day gives you a perspective on what is available in the underground market: what you may or may not need to defend against and how you may or may not be attacked.

The whole 0-day sales debate being fought out in public is, in my opinion, little more than politics. It isn't new for pressure groups to create an alternate reality to forward their own agenda.

What it shows to me though is that we are becoming particularly good at throwing our peers under the train for little or no reason at all.

If we want to stop doing that, I believe we can start by focusing on our own strengths. Instead of pointing out our competitors' weaknesses (whether that's selling 0-day exploits or offering vulnerability assessments as penetration tests), we should aim our sights on performing the best we can in our space. This would be a first change that can lead us to a collaborative, innovative security industry. When we all aim to be better, we collectively move forward.

---

Not so long ago someone suggested that I should watch a short movie called 'Jiro Dreams of Sushi'. I am forever grateful. The documentary (it's a true story, not fiction) digs into the life of Jiro, the head chef of a three star restaurant in Tokyo. His restaurant, with no more than 10 seats, has reached the ultimate recognition in the culinary world. Being awarded three stars is not something that's easy to do. At a time where he should be enjoying retirement, living the life of a recognized hero and watching his 2 sons carry on his legacy, he gets up in the morning every single day. To make sushi. To work with ingredients so simple and pure that one would wonder if there really is anything special about it. Now, the question is why would Jiro do that and ... obviously ... what is the lesson we can learn from it?

Jiro is a very simple man. His only goal is to make the perfect piece of sushi. To do that, he goes through every single detail. The rice he uses, the fish, manually roasting the nori sheets, using (or not using) condiments. Those seem obvious but where any ordinary chef would stop, Jiro pushes forward. He learns his customers, he knows who will sit where and whether they are left- or right-handed. He is so engaged in the process of creating a piece of sushi that one would wonder if it is still healthy for him but he doesn't mind. His only goal is to make the perfect piece of sushi. His love for the raw products he works with is only surpassed by his love for his customers and his quest to make the perfect. Jiro's perfect, according to world standards, cannot be expressed in Michelin stars, yet he keeps pushing the boundaries.

Over the past few months, in different settings, we have heard the following being said:

* let's not aim for the stars if we want to shoot the moon.
* sometimes good enough is perfect
* nobody needs perfect if good enough suffices

Voltaire (a French writer/poet) had an interesting idiom about that understanding: "le mieux est l'ennemi du bien", "the better is the enemy of the good". The original meaning of this phrase has been redefined over time, so much that I feel it is important that we go back to the original.

What Voltaire meant or, maybe better, what I believe he meant is that people intend to set lofty goals and get lost in their attempt to reach those goals. This finally results in not reaching any goals at all. A solution, a situation or a product can be "good enough" and "good enough" can be a state we can live with in our quest for "perfect".

I predict that Voltaire is going to surpass Sun Tzu as the most quoted dead guy at information security conferences so when you hear him again, please think back of what I said here. Voltaire does not tell us that "good enough" is in itself an end goal; it is an acceptable state for a finite amount of time as we figure out our next steps.

A few years ago executives that I talked to often countered my push for better security by saying "we are not Fort Knox" or "nobody wants to hack us". In a Voltaire world, these people are saying that we don't have to be perfect and aim their sights at "good enough". It is our task to drive innovation by setting intermediate "good enough" goals and using our magician's force on the way to perfect. The concept of the magician's force in itself is interesting.

(provide example)

As the magician you give your subjects the idea that they have been given a choice while, in the end, they had no choice at all.

Compliance may be an example of an area where your use of the magician's force is very much needed. At this very moment colleagues in industries like healthcare and finance are swamped with regulatory requirements: HIPAA, PCI-DSS, local banking regulations, local and international privacy regulations, you name it. All of those 'frameworks' set a bar that we now perceive as 'perfect' security. Most of us agree that the combination of the recommendations we read in those frameworks all together may not even be 'good enough'.

To innovate security, we have an obligation to be passionate about what we are doing and aim to be better tomorrow than we are today. We need to be a little bit more Jiro and care about our products and clients as much as we care about the money we are making.

Through my work for (ISC)2 I am allowed to talk to information security professionals around the globe, from South America to Japan and Australia. Executives often tell me that they don't find the right people to fill in extremely important positions. I think this is an important problem that we need to solve, and the first thought that always comes to mind is how we can improve the knowledge transfer and build a pipeline of professionals that can support our organisations to do business securely. I know several people, ranging from my fellow board members at (ISC)2 that are active in the academic world to people like Dan Guido who is a "resident hacker" at NYPoly. They do groundbreaking work to fill the pipeline of information security workers we need so much but I don't believe that:

a) we can solve the lack of skills by training people that have little or no experience to begin with.

b) we should expect all our solutions for this problem to come from academia.

I believe we need significant investments to build IT Security into the existing Computer Science curriculums and much more integration of the efforts that are made by private sector, government and academia alike. It is quite awesome to see that an event like SecZone provides a venue for such collaboration and integration here in Colombia.

Firstly we need to make sure that the skilled people we train are ready for the reality they will be functioning in. That means that we don't only have to prepare them for the technical challenges they will face but also for the business challenges they will face. And then, when they are finally ready to enter the labor market, we need to make sure that those people also choose a career in information security.

Very often we discuss the "skills gap"; it seems impossible to find the security workers that we are needing so badly in our organisations. When I see another job announcement describing a profile that looks like only someone with 30 years of experience can truthfully claim to fit in, but the company looking for that profile only offers a wage equivalent to that of a senior IT administrator, I often wonder: how do we expect someone who can earn an equivalent pay as an IT admin, probably working more regular hours and certainly not suffering a 150% workload, to choose entering the information security industry?

"Hiring high-skilled resources at rock bottom pay IS NOT A SKILLS GAP."
	
  
If we ourselves misconstrue the problem, we set ourselves up to fail in finding the solution to the problem.
	
  
What we also shouldn't forget is that the security team of today looks very different from the security team(s) of 10 years ago, and the teams 10 years from now will look totally different from those of today. Your team members will possess a variety of skills complementary to their security skills that should enable them to address the problems. If you lead a security team today, my advice would be to look at the variety of skillsets you need to keep up, and hire accordingly.
	
  
Assuming that we manage to both maintain a collaborative environment and bring back innovation to the information security industry, how will we progress in securing our infrastructures?
	
  
I'm certainly not the first to say that it is safe to assume that you will, at a certain point in time, be hacked. It is just a matter of when, if it hasn't already happened. The big question then is how you will be able to detect it, how you will be able to react to it, and how you will prevent it from happening in the future.
	
  
First and foremost, I believe that our security models need to become more attacker-aware (not attacker-centric). This means that we need to collect more reliable data on attackers, attacker groups, their methods, their interactions and why they attack. Analysis of this data will help us to become better defenders, but only if we are also able to share this data. Whether this happens through a public forum, through local and global CERTs or through industry groups doesn't really matter. We need to move away from the idea that we are fighting this fight alone.
	
  
If we can bring collaboration into our daily operations, we benefit from both the strengths of an industry and those of a community.
	
  
I hope that through this talk I've been able to share some of my thoughts on the security community, the security industry and our collective challenges. I'm happy to explore these ideas further here at the conference or later, via email at wremes-at-gmail-dot-com or on Twitter @wimremes.

  • 5. itself,  the  idea  has  merit  but  this  kind  of  papers  rarely  take  into  account  the   grim  reality  that  is  a  company's  infrastructure,  silofication,  departemental   friction,  etc.  When  applied  to  "the  real  world"(tm),  the  whole  premise  of   such  a  paper  falls  flat  on  its  face.  It  becomes  a  ridiculous  idea  yet  executives   assign  valuable  resources  in  creating  gap  analysises,  estimating  cost,  etc.   etc.       "What  a  waste"  or,  if  I'm  allowed  to  paraphrase  an  esteemed  colleague  of   mine  :  "What  a  waste."     All  this  when  we  ridicule  true  researchers  that  investigate  the  infinitely   interesting  ways  in  which  software  (and  hardware,  but  everything  today  is   software)  breaks.  True  researchers  that  operate  on  the  edge  that  exists   between  engineering  and  art.  True  researchers  that  are  finding  ingenuous   ways  to  monetize  their  skill  and  efforts.  We  ridicule  them  and  expect  them   to  work  for  free.  For  what?  The  thought  alone  is  beyond  any  reasonable   argument.     I  would  like  to  ask  the  question  who  has,  in  the  long  run,  a  more  nefarious   impact  on  information  security?  The  established  'research'  institute  that  is   killing  trees  spreading  'advice'  that  lacks  even  the  most  remote  thought  of   implementability  or  the  researcher  who  discovers  oversight  by  industry   moguls  that  puts  companies  and  their  clients  at  risk?     Let's  elaborate  on  the  idea  of  selling  0-­‐day  as  a  business  model.     First  off  ,  let's  explore  the  position  of  the  seller  :     It  is  impossible  to  control  the  intellectual  property  of  a  0-­‐day  vulnerability   and  its  related  exploit.  
A  company  may  have  spent  3  months  in  the   development  of  an  exploit,  preparing  it  for  sale  to  an  interested  third  party,   just  when  an  independent  researcher  subscribes  to  a  bounty  program  or   decides  to  throw  the  same  vulnerability  on  the  internet  for  free.  Any  which   way  you  take  it,  the  investment  is  immediately  nullified.  At  the  same  time,  it   is  impossible  to  determine  the  shelf-­‐life  of  a  0-­‐day  vulnerability.    A   vulnerability  may  exist  for  days,  months  or  years.  It  is,  with  that  knowledge,   impossible  to  determine  a  prize  of  a  vulnerability.  At  the  same  time  you  are,   with  a  unique  product,  playing  in  a  market  driven  by  demand  which  means   the  price  of  your  product  is  not  determined  by  the  intrinsic  value  of  the   product  you  ever  but  by  who  needs  the  product  at  any  given  time  and  with   what  urgency  they  need  it.      
  • 6. From  a  customer  perspective,  the  situation  is  even  more  dire.  You  don't   want  to  stock  up  on  0-­‐day  that  you  may  or  may  not  use.  It  isn't  unthinkable   that  you  will  have  a  $100k  exploit  lying  around  that  is  then  published  on   pastebin  by  a  creative  teenager,  immediately  devaluating  the  bu.  You're   looking  for  exploits  when  you  need  them  and  custom  developed  for  you  at   that  specific  time.     I  am,  for  the  sake  of  not  boring  you  to  death,  not  even  digging  into  the   details  of  how  reliability  of  an  exploit  impacts  its  value.  Imagine  that  you   are  a  buyer,  how  much  are  you  willing  to  pay  for  an  exploit  that  only  works   3  out  of  10  times?  How  much  for  an  unreliable  vulnerability  that  leaves  a   machine  in  an  unstable  state  and  how  much  for  one  that  doesn't  impact  the   state  of  a  machine  noticeably?  In  most  cases,  very  little,  but  if  you  really   need  to  bring  down  that  Iranian  nuclear  plant  ...  it  may  be  worth  a  million   dollars.     Taking  all  that  in  regard  I  would  dare  to  claim  that  the  market  for  0-­‐day   vulnerabilities  and  exploits  is  very  small  (to  the    level  of  unviable  in  the   long  term)  and  highly  unstable.  At  the  same  time  the  market  for  specialized   skills  and  vulnerability  research  seems  to  be  large  enough  and  continues  to   grow.       I  think  that,  in  the  case  of  0-­‐day  sales,  we  are  looking  for  an  imaginative   800lbs  gorilla  and  I  don't  believe  we  will  find  it.     One  possible  -­‐and  for  a  change  believable  -­‐  scenario  where  someone  may  be   interested  to  buy  0-­‐day  is  from  a  defensive  perspective.  It  is  as  important  to   know  the  tools  your  enemy  has  available  as  it  is  to  sharpen  your  own  tools.   
Buying  0-­‐day  gives  you  a  perspective  on  what  is  available  in  the   underground  market.  What  you  may  or  may  not  need  to  defend  against  and   how  you  may  or  may  not  be  attacked.     The  whole  0-­‐day  sales  debate  being  fought  out  in  public  is,  in  my  opinion,   little  more  than  politics.  It  isn't  new  for  pressure  groups  to  create  an   alternate  reality  to  forward  their  own  agenda.     What  it  shows  to  me  though  is  that  we  are  becoming  particularly  good  at   throwing  out  peers  under  the  train  for  little  or  no  reason  at  all.     If  we  want  to  stop  doing  that,  I  believe  we  can  start  by  focusing  on  our  own   strengths.  Instead  of  pointing  out  our  competitors  weaknesses  (whether   that's  selling  0-­‐day  exploits  or  offering  vulnerability  assessments  as  
  • 7. penetration  tests),  we  should  aim  our  sights  on  performing  the  best  we  can   in  our  space.  This  would  be  a  first  change  that  can  lead  us  to  a  collaborative,   innovative,  security  industry.  When  we  all  aim  to  be  better,  we  collectively   move  forward.     -­‐-­‐-­‐     Not  so  long  ago  someone  suggested  that  I  should  watch  a  short  movie  called   'Jiro  dreams  of  sushi'.  I  am  forever  grateful.The  documentary  (it's  a  true   story,  not  fiction)  digs  into  the  life  of  Jiro,  the  head  chef  of  a  three  star   restaurant  in  Tokyo.  His  restaurant,  with  no  more  than  10  seats,  has   reached  the  ultimate  recognition  in  the  culinary  world.  Being  awarded   three  stars  is  not  something  that's  easy  to  do.  At  a  time  where  he  should  be   enjoying  retirement,  living  the  life  of  a  recognized  hero  and  watching  his  2   sons  carry  on  his  legacy,  he  gets  up  in  the  morning  every  single  day.  To   make  sushi.  To  work  with  ingredients  so  simple  and  pure  that  one  would   wonder  if  there  really  is  anything  special  about  it.  Now,  the  question  is  why   would  Jiro  do  that  and  ...  obviously  ...  what  is  the  lesson  we  can  learn  from   it?     Jiro  is  a  very  simple  man.  His  only  goal  is  to  make  the  perfect  piece  of  sushi.   To  do  that,  he  goes  through  every  single  detail.  The  rice  he  uses,  the  fish,   manually  roasting  the  nori  sheets,  using  (or  not  using)  condiments.  Those   seem  obvious  but  where  any  ordinary  chef  would  stop,  Jiro  pushes  forward.   He  learns  his  customers,  he  knows  who  will  sit  where  and  whether  they  are   left-­‐  or  right-­‐handed.  He  is  so  engaged  in  the  process  of  creating  a  piece  of   sushi  that  one  would  wonder  if  it  is  still  healthy  for  him  but  he  doesn't   mind.  
His  only  goal  is  to  make  the  perfect  piece  of  sushi.  His  love  for  the  raw   products  he  works  with  is  only  surpassed  by  his  love  for  his  customers  and   his  quest  to  make  the  perfect.  Jiro's  perfect,  according  to  world  standards,   can  not  be  expressed  in  Michelin  stars,  yet  he  keeps  pushing  the   boundaries.     Over  the  past  few  months,  in  different  settings,  we  have  heard  the  following   being  said  :       *  let's  not  aim  for  the  stars  if  we  want  to  shoot  the  moon.     *  sometimes  good  enough  is  perfect     *  nobody  needs  perfect  if  good  enough  suffices     Voltaire  (a  French  writer/poet)  had  an  interesting  idiom  about  that   understanding  :  "le  mieux  est  l'ennemi  du  bien"  "the  better  is  the  enemy  of  
  • 8. the  good".    The  original  meaning  of  this  phrase  has  been  redefined  over   time,  so  much  that  I  feel  it  is  important  that  we  go  back  to  the  original.       What  Voltaire  meant  or,  maybe  better,  what  I  believe  he  meant  is  that   people  intend  to  set  lofty  goals  and  get  lost  in  their  attempt  to  reach  those   goals.  This  finally  results  in  not  reaching  any  goals  at  all.  A  solution,  a   situation  or  a  product  can  be  "good  enough"  and  "good  enough"  can  be  a   state  we  can  live  with  in  our  quest  for  "perfect".     I  predict  that  Voltaire  is  going  to  surpass  Sun  Tzu  as  the  most  quoted  dead   guy  at  information  security  conferences  so  when  you  hear  him  again,  please   think  back  of  what  I  said  here.  Voltaire  does  not  tell  us  that  "good  enough"   is  in  itself  an  end  goal,  it  is  an  acceptable  state  for  a  finite  amount  of  time  as   we  figure  out  our  next  steps.     A  few  years  ago  executives  that  I  talked  to  often  countered  my  push  for   better  security  by  saying  "we  are  not  Fort  Knox"  or  "nobody  wants  to  hack   us".  In  a  Voltaire  world,  these  people  are  saying  that  we  don't  have  to  be   perfect  and  aim  their  sights  at  "good  enough".  It  is  our  task  to  drive   innovation  by  setting  intermediate  "good  enough"  goals  and  using  our   magician's  force  on  the  way  to  perfect.  The  concept  of  the  magician's  force   in  itself  is  interesting.       (provide  example)  .       As  the  magician  you  give  your  subjects  the  idea  that  they  have  been  given  a   choice  while,  in  the  end,  they  had  no  choice  at  all.     Compliance  may  be  an  example  of  an  area  where  your  use  of  the  magician's   force  is  very  much  needed.  
At  this  very  moment  colleagues  in  industries  like   healthcare  and  finance  are  swamped  with  regulatory  requirements:   HIPPAA,  PCI-­‐DSS,  local  banking  regulations,  local  and  international  privacy   regulations,  you  name  it.  All  of  those  'frameworks'  set  a  bar  that  we  now   perceive  as  'perfect'  security.  Most  of  us  agree  that  the  combination    of  the   recommendations  we  read  in  those  frameworks  all  together  would  may  not   even  be  'good  enough'.       To  innovate  security,  we  have  an  obligation  to  be  passionate  about  what  we   are  doing  and  aim  to  be  better  tomorrow  than  we  are  today.  We  need  to  be   a  little  bit  more  Jiro  and  care  about  our  products  and  clients  as  much  as  we   care  about  the  money  we  are  making.    
  • 9. Through  my  work  for  (ISC)2  I  am  allowed  to  talk  to  information  security   professionals  around  the  globe,  from  South-­‐America  to  Japan  and  Australia.     Executives  often  tell  me  that  they  don't  find  the  right  people  to  fill  in   extremely  important  positions.  I  think  this  is  an  important  problem  that  we   need  to  solve.  and  the  first  thought  that  always  comes  to  mind  is  how  we   can  improve  the  knowledge  transfer  and  build  a  pipeline  of  professionals   that  can  support  our  organisations  to  do  business  securely.  I  know  several   people,  ranging  from  my  fellow  board  members  at  (ISC)2  that  are  active  in   the  academic  world  to  people  like  Dan  Guido  who  is  a  "resident  hacker"  at   NYPoly.  They  do  groundbreaking  work  to  fill  the  pipeline  of  information   security  workers  we  need  so  much  but  I  don't  believe  that:     a)  we  can  solve  the  lack  of  skills  by  training  people  that  have  little  or     no  experience  to  begin  with.     b)  we  should  expect  all  our  solutions  for  this  problem  to  come  from     academia.       I  believe  we  need  significant  investments  to  build  IT  Security  into  the   existing  Computer  Science  curriculums  and  much  more  integration  of  the   efforts  that  are  made  by  private  sector,  government  and  academia  alike.   It  is  quite  awesome  to  see  that  an  event  like  SecZone  provides  a  venue  for   such  collaboration  and  integration  here  in  Colombia.       Firstly  we  need  to  make  sure  that  the  skilled  people  we  train  are  ready  for   the  reality  they  will  be  functioning  in.  That  means  that  we  don't  only  have   to  prepare  them  for  the  technical  challenges  they  will  face  but  also  for  the   business  challenges  they  will  face.  And  then,  when  they  enter  the  labor   market.  
When  they  are  finally  ready  we  need  to  make  sure  that  those   people  also  choose  a  career  in  information  security.     Very  often  we  discuss  the  "skills  gap",  it  seems  impossible  to  find  the   security  workers  that  we  are  needing  so  badly  in  our  organisations.  When   Isee  another  job  announcement  describing  a  profile  that  looks  like  only   someone  with  30  years  of  experience  can  truthfully  claim  to  fit  in  but  the   company  looking  for  that  profile  only  offers  a  wage  equivalent  to  that  of  a   senior  IT  administrator,  I  often  wonder:  How  do  we  expect  someone  who   can  earn  an  equivalent  pay  as  an  IT  admin,  probably  working  more  regular   hours  and  certainly  not  suffering  a  150%  workload,  to  choose  entering  the   information  security  industry?     "Hiring  high-­‐skilled  resources  at  rock  bottom  pay  IS  NOT  A  SKILLS  GAP."    
  • 10. If  we  ourselves  misconstrue  the  problem,  we  set  ourselves  up  to  fail  in   finding  the  solution  to  the  problem.     What  we  also  shouldn't  forget  is  that  the  security  team  from  today  looks   very  much  different  than  the  security  team(s)  10  years  ago.  The  teams  10   years  from  now  will  look  totally  different  than  those  today.  Your  team   members  will  possess  a  variety  of  skills  complementary  to  their  security   skills  that  should  enable  them  to  address  the  problems.  If  you  lead  a   security  team  today,  my  advise  would  be  to  look  at  the  variety  of  skillsets   you  need  to  keep  up  and  hire  accordingly.       Assuming  that  we  achieve  to  both  maintain  a  collaborative  environment   and  bring  back  innovation  to  the  information  security  industry,  how  will  we   progress  in  securing  our  infrastructures  ?       I'm  certainly  not  the  first  to  say  that  it  is  safe  to  assume  that  you  will,  at  a   certain  point  in  time,  be  hacked.  It  is  just  a  matter  of  when,  if  it  didn't   already  happen.  The  big  question  then  is  how  you  will  be  able  to  detect  it,   how  will  you  be  able  to  react  to  it  and  how  you  will  prevent  it  from   happening  in  the  future.       First  and  foremost  I  believe  that  our  security  models  need  to  become  more  -­‐ not  attacker-­‐centric-­‐  but  attacker  aware.  This  means  that  we  need  to  collect   more  reliable  data  on  attackers,  attacker  groups,  their  methods,   interactions  and  why  they  attack.  Analysis  of  this  data  will  help  us  to   become  better  defenders.  But  only  if  we  are  also  able  to  share  this  data.   Whether  this  happens  through  a  public  forum,  local  and  global  CERTs  or   through  industry  groups  doesn't  really  matter.  
We  need  to  move  away  from   the  idea  that  we  are  fighting  this  fight  alone.       If  we  can  bring  collaboration  into  our  daily  operations,  we  benefit  from   both  the  strengths  of  an  industry  and  those  of  a  community.       I  hope  that  through  this  talk,  I've  been  able  to  share  some  of  my  thoughts  on   the  security  community,  the  security  industry  and  our  collective  challenges.   I'm  happy  to  explore  these  ideas  further  here  at  the  conference  or  later,  via   email  on  wremes-­‐at-­‐gmail-­‐dot-­‐com  or  on  twitter  @wimremes.