This is my second Black Hat conference, and the best one yet. Last year was full of gloom about all sorts of devices exploited, revelations about the NSA and uncertainty about what threat intelligence meant or how good it was. This year, from the keynote down to an obscure track at BSides which I participated in, the tone was much more optimistic.
Dan Geer’s keynote at Blackhat this year sounded more like a state of the union address than a speech about information security, and this is largely due to the fact that the quote/unquote cyber domain has now reached breadth and depth of such proportions that it might as well be its own political system.
His claim is that cybersecurity has reached critical mass—that our practice areas are being taken seriously outside of our domain—in Congress, across business units and governmental agencies. Sadly, though, he claims that the rate of technological change has made it impossible to keep up with every aspect of info sec; he says this time passed “about six years ago.”
“When younger people ask my advice on what they should do or study to
make a career in cyber security, I can only advise specialization.
Those of us who were in the game early enough and who have managed
to retain an over-arching generalist knowledge can’t be replaced
very easily because while absorbing most new information most of
the time may have been possible when we began practice, no person
starting from scratch can do that now.”
I am one of those that has never had a grasp of the full field, I have known vulnerability management and only vulnerability management since I started applying techniques from operations research to the practice two years ago. And so, I want to sum up Black Hat in the only way I know how: from a math background, with takeaways about vulnerability management.
Why do I see a very bright future for vulnerability management from this year’s Black Hat? A few talks and trends:
1. The Keynote’s (Cyber)CDC suggestion (and the push to share data in general)
As fundamental requirement for future information security best practices, Geer called for mandatory reporting for all types of vulnerabilities: not only for those with Internet-wide implications (like Heartbleed), but for all organizations, both large and small. Geer wants mandatory reporting to follow the model of the US Centers for Disease Control, where details of outbreaks of diseases beyond a specific threshold must be released to the general public.
“When you really get down to it, three capabilities describe the CDC and why they are as effective as they are: (1) mandatory reporting of communicable diseases, (2) stored data and the data analytic skill to distinguish a statistical anomaly from an outbreak, and (3) away teams to take charge of, say, the appearance of Ebola in Miami. Everything else is details. The most fundamental of these is the mandatory reporting of communicable diseases.“
The CDC is effective at stopping pandemics because they force mandatory disease reporting, have expert-away teams, and analyze historical data. Infosec experts should do the same. In fact, much of Risk I/O’s approach to vulnerability management is already exactly this – we collaborate with industry partners to gather information about attacks, breaches and exploits to create a central repository of data that we can then use to guide vulnerability strategy. If there were mandatory disclosures, we’d have much richer data, and on a larger scale. The methods by which we prioritize vulnerabilities would become much more powerful.
2. Alex Stamos on Lessons from his first 6 months as CISO at Yahoo
Alex’s talk did a really good job of characterizing what a security practice at scale means, which has been hard to pin down before. He suggests that scale for security really means a large amount of data, systems, and users, as well as a diversity of users and threat models. There is wisdom in this taxonomy, because of that very last part. A diversity of threat models, to me, means two things: a diversity of threat intelligence, coming from many different sources in order to capture as much of the reality of what’s happening out there as we can, and a diversity of ways to segment that data in order to defend against script kiddies or more advanced attackers.
Alex’s talk was about overcoming “security nihilism,” which is exactly what referred to in my Black Hat preview when I suggested we should ignore the new “sexy” vulnerabilities coming out. Just because we see hundreds of new devices exploited at Black Hat ever year, doesn’t mean there isn’t hope! Attackers change their tactics daily, but for the most part, they rely on exploits that have been around for years and are easily weaponized. If we can focus on stopping this massive part of attacks, we’ll achieve much better security.
3. The Ground Truth Track at BsidesLV (and the attendance numbers!)
The Ground Truth track was all about math and machine learning in info sec, and I invite you to check out the videos on youtube. The material is technical and applied to a various segments of the practice. This might sound like a bit of shameless self-promotion since I spoke at this track myself, but less so than the content, I was impressed with the attendance numbers. The room was packed the entire day, which means folks are paying attention to mathematical models, machine learning, and data-driven approaches to security. The golden age is upon us! Of course, we have a lot more work coming up – with more and better data comes the task of incorporating it into our models, and with more models comes the even more difficult task of determining which are the correct ways to do it.
An important moment for me in the keynote was when Dan Geer said, “For every complex problem there is a solution that is clear, simple, and wrong.” Let’s make sure our solutions stay away from there. Stay tuned for new models and data analysis in the coming weeks!