Last week I attended the Info Security event at the Jacob K. Javits Convention Center in New York City – an awesome forum for security professionals to get a handle on the latest defenses against vulnerabilities. As you may already know, I work for Microsoft overseeing 340+ emerging security companies that are typically venture backed, either contributing directly to the Microsoft Partner ecosystem or, believe it or not, complementing our platform with competitive operating systems and languages.
Of special interest were two keynote speakers: former US Secretary of the Department of Homeland Security Tom Ridge and Counterpane Internet Security founder Bruce Schneier, author of his latest book Beyond Fear.
Tom Ridge’s speech focused on the five aspects of driving a secure homeland, starting with personal responsibility, governments, enterprises / corporations, coordination and information technology security. He made it clear that these ingredients combined are necessary to have complete confidence going forward – he was a bit formal, but actually a very captivating speaker worth listening to.
Bruce Schneier was a bit more animated, approaching the stage by actually leaping vertically 5 ft to the podium, sporting a 3 ft ponytail – I knew we were in for a wild ride with that entrance. Bruce took a more pragmatic approach, describing the challenges the audience faces on a day-to-day basis within their profession.
- Economic Value – protection must match the asset value.
- Network as Critical – the network is part of the computing value chain and of its vulnerability.
- Third Parties Controlling Information – i.e. financial information is kept by suppliers.
- Criminals are on the Internet – a shift from hobbyists to criminals.
- Ever-increasing Complexity – complexity grows faster than security.
- Slower Patching and Faster Exploits – orchestration is formalized: i.e. Microsoft Patch Tuesday.
- Sophistication of Automated Worms – i.e. polymorphic / morphic worms.
- Untrustworthiness of Endpoints – Bruce’s Mom’s PC is the culprit: confession pending.
- End User as the Attacker – botnets!
- Regulatory Pressure – putting the punitive fines where the control is.
- Things are getting worse, not better – primarily due to speed and complexity.
- Non-technical aspects of security: Political / Social / Economic
  - Political pressure is the key: punitive damages and suing.
  - Economics, not computer science: aligning interaction and economics.
  - Externalities leveling: $$ + effort investment = security investment.
  - Who’s really exposed? It may not be the one who has the control.
  - Tradeoffs and interests: they will change every six months.
The event was well worth the $$, and I met many of the companies I work with on a day-to-day basis (it was like speed dating) and look forward to writing about them in the near future.