Friday, February 24, 2012

RSA Conference 2012

This weekend the 2012 RSA Conference begins! I am looking forward to a busy week. Every day is essentially booked from 7am to midnight. I hope to see many of my friends at what has become an annual pilgrimage to San Francisco each spring to catch up on information security trends and technology.

For me, the focus will be on security metrics and risk management, because I've got a talk (Monday morning) and a panel (Wednesday morning), and a half-day seminar (Thursday afternoon) on these topics. It seems the big security issues for 2012 are: Cloud, Mobile, Social Media and Big Data.

I am on another CISO panel at noon Thursday, talking about these security trends. I have been thinking about Big Data for a while now. I find it a fascinating subject - maybe because of my science research background (in a previous life). From the consumer perspective, embedded systems and networked systems are all around us. Data is being collected on your spending habits, Google collects data, and with social media, your life is increasingly in the public domain. Now, our cars, tractors and toasters are going to be networked nodes, sending data on where you drive, what you plant and how dark you like your bagels back to corporations who will hoard it and manipulate it and aggregate it. Security data is coming from standard network devices in the enterprise: the firewalls, routers, IDS... and it is merging with information gathered from badge readers and other "physical security" sources to build up a model of what is "normal" for you... a new biometric, "What You Do". All together, we are looking at mountains of data, and these data sets need to be pared down, while maintaining their integrity, manipulated and analyzed in an ethical and confidential way. This is cool stuff, Maynard!

See you in San Francisco!

Endpoint Security

I recently gave a presentation at the Next Generation Security Summit in Atlanta, GA, on the topic of endpoint protection. I took the approach that endpoints are more than just desktop PCs these days. There is probably some debate on just what defines an endpoint.

Traditionally, the endpoint was the user workstation. Remember back in the early 1990s, when we started giving end users their own computers on their desks, to replace dumb terminals. I think the term “endpoint protection” actually evolved from the model of protecting computers with antivirus, delivered and updated by floppy disks.

We started to see threats increase ten years ago, when more employees started taking laptops home and connecting them to the Internet, and when we switched from dial-up modems to high-bandwidth VPN connections to our wide-open internal corporate networks.

Today, the risk is even greater, and the endpoints are more varied. I don’t think we can just think of Endpoint Security as a desktop security suite. We need to look at all resources that are used for data processing and storage, and we need to move our concern from one use case, to a broader definition that addresses security more holistically.

It is certainly good to be concerned about hardening desktops, but we operate in a more diverse environment, with an enterprise that extends into the cloud, with many different business access needs to address. Therefore, risk is coming at us from all directions and we need to look more holistically at risk management by better protecting the endpoints where our data resides, and one threat to mitigate is going to be the way the data is accessed. We need to do more than just put AV on our computers and call that endpoint protection. We need to focus our resources on the things that are most precious to the business. We do that first by understanding business need. Endpoint protection is a means to an end. We ultimately want to protect intellectual property, sensitive data and PII, and protect the brand.

I tried to get across the point that endpoint protection needs to be a combination of things, emphasizing the efficacy of layers and security in depth that is more targeted and focused on what is important to protect. This is a work in progress, but I hope you find my slide deck interesting and perhaps even useful in thinking about the problem.