Challenges and Opportunities in Cyber Security Innovation
Paul Barford
Qualys Inc. and University of Wisconsin
Fall, 2011
Internet Cambrian explosion
• Internet threat landscape exploded in ’01
  – Virus, DoS, worms, bots
• We’re in a time of evolving cyber ecosystems
  – Highly complex, dynamic and diverse
  – Expanding challenges and opportunities
• Addressing threats requires innovation
  – Step functions vs. increments
  – We’ve not seen much in the security domain lately…
Challenge: tech vs. innovation
• What is the “next big thing”?
  – Threats: many possibilities
  – Countermeasures: new architectures
• Where will the “next big thing” come from?
  – Companies typically develop technology
  – gov/mil are fairly dark and highly diverse
  – Academia needs better processes
  – Entrepreneurs are the innovators
Challenge: antiquated edu
• Processes in academia can stifle innovation
  – Tenure is a conundrum
  – Unenlightened IP management
• Incubation support is … incubating
  – It’s not just about physical space or $$
  – The Utah example
• Why isn’t entrepreneurship taught in CS?
  – Gates, Page/Brin, etc. were not B-school grads
  – Young people are often ignored
Challenge: bridging the gap
• Standard start-up issues
  – Business plan, funding, hiring, execution, etc.
• Complexities and privacy concerns of security operations
  – Highly sensitive nature of sec ops limits feedback
• Regulations
  – SOX, PCI, international, etc.
• Moving targets
  – New threats change perception of value
Challenge: metrics
• How do we assess the impact of something innovative in the security space?
  – No analog of FLOPS or bps
• Security is good when nothing happens
  – Sends wrong message
• Changing the conversation
  – Being proactive
  – Being robust
  – Value add for products
Challenge: deployment
• Hardware is pretty much out
  – “You want to deploy IN LINE!?!”
• Easy integration is essential
  – Complex architectures
  – Home grown solutions
  – Privacy concerns
• Ad hoc evaluation methods and tools
  – Related to metrics
• Everyone is busy
Chall-atunity: O vs. D
• Standard focus of cyber security is defense
  – Threats determine policies, processes, systems
  – Robust but fragile
• Offense (attacker) always has the advantage
  – Only one entry point is required
  – Humans are in the loop
• Offense can clearly have an impact
  – Stuxnet is a game changer
• Offense is clearly controversial!
Opportunity: data*/service
• Many security systems and processes depend on different types of data
  – Aggregates
  – Signatures
• S,S,SaaS via the cloud
  – Simplifies deployment
  – Lowers costs
  – Changes playing field
  – But, risks are difficult to assess
Opportunity: secure software
• Software system vulnerabilities will be with us forever
  – System complexity
  – Humans in the loop
• Secure software development methods
  – Requires careful consideration of threats
• Software testing methods, tools, processes
  – Fast, accurate identification of a myriad of bugs
• However, humans are in the loop…
Opportunity: education
• Educate “consumers” on best practices
  – Private users
    • Simple things can make all the difference
  – Developers
    • Evolving threats make this an on-going challenge
  – Public/enterprise/SMB
    • How to assess risk & make good decisions on security
• Educate policy makers on security landscape
  – Regulation must be considered VERY carefully
• Educate the next generation of innovators
  – These resources must be fostered carefully
Opportunity: partnerships
• Public + private > {public, private}
  – Sharing perspectives is a good starting point
  – Trusted relationships enable sound decisions and effective use of technology
• Bring academia to the table (gov/com/edu)
  – Unfettered perspective
  – Neutral third party
• Foster consistent evaluation for innovative technologies
  – National Cyber Security Assessment Center
Opportunity: innovation
• Situational awareness
  – Unifying theme for sec ops
• Embrace cloud-mobile environment
  – Solutions for the cloud and from the cloud
• Policy, regulation and enforcement
  – Important part of ecosystem
  – Facilitate via gov/com/edu partnerships
• Change the playing field
  – Group-centric security
Conclusions
• Dynamic and diverse threat landscape
  – Obviates incremental solutions
  – Necessitates innovation
• Challenges abound
  – Entrenchment based on unknown risks
• Opportunities abound
  – Data centric innovation
  – Software security
  – Partnerships
  – Changing the playing field