RSA Conference USA, one of Tripwire’s top 11 information security conferences for 2016, is now well underway! With so many events planned for this week, you might miss a few keynotes and panels.
Don’t worry. We at The State of Security have prepared synopses of a few notable RSA presentations that have occurred thus far. We hope you enjoy them!
The Sleeper Awakes
Speaker: Amit Yoran (@ayoran), President, RSA
Amit Yoran, President of RSA, discussed the security industry’s “common experiences.” He spoke about prevention being a failed strategy and the movement of authentication and identity management back to the forefront of our discussions.
Mandy Huth, Director of Cyber Security at Belden, says what struck her the most about his presentation was his comment that “there is no magic that will save us all.”
“It resonates because as security practitioners, we have to adjust to ever changing rules and ‘counter move’ our adversaries,” Huth said.
We can do that by leveraging what Amit called our ‘hunters’ – the curious – problem solving analysts.
“I believe that fueling a culture of curiosity will drive us into an investigative spirit that can help propel us ahead of our adversaries,” Huth said.
Speaker: Brad Smith (@bradsmi), President and Chief Legal Officer, Microsoft
President and Chief Legal Officer Brad Smith of Microsoft gave a compelling keynote on privacy rights and the importance of encryption – an issue receiving much attention recently in the wake of the Apple vs. FBI debate.
Smith made several strong statements reiterating the company’s full support of Apple, adding that Microsoft underwent a similar situation last November following the attacks in Paris. The company received 14 requests for information about at-large terrorist suspects. Ultimately, Microsoft determined that the requests were lawful. It therefore pulled the content on the suspected terrorists and turned it over to law enforcement in an average response time of less than 30 minutes.
Smith referenced these incidents as a way to echo the notion that today, “there is no national security without cybersecurity.” In the midst of this, he also stressed that encryption is vital to keeping people safe and our information secure.
“Whatever the intention, one thing is clear: the path to hell starts at the back door. We need to make sure encryption technology remains strong,” said Smith.
Furthermore, Smith noted that U.S. laws need to be significantly updated by stating, “The world is going to trust technology only if the law can catch up.”
Speaker: Christopher D. Young (@youngdchris), Senior Vice President and General Manager at Intel Security Group
Intel’s Senior Vice President and General Manager Christopher Young discussed two main issues in his keynote – the value of threat intelligence sharing and the cybersecurity talent shortage.
First, he noted the importance of companies focusing their efforts with a single-mindedness that gives them depth and visibility they might otherwise overlook when dealing with large volumes of data.
He went on to explain Intel’s collaboration with other major vendors in the security space, including Symantec, Palo Alto Networks, and Fortinet, to deeply analyze and research CryptoWall – a strain of ransomware that has caused more than $325M in global damages to date.
“The value of threat intelligence is only as good as the counter measures it enables,” said Young. “Addressing threats is bigger than one person, one company – it’ll take a partnership,” stressing that collectively, we can bring more value to the industry and to the people we want to protect.
Secondly, Young addressed the growing issue of talent shortage in the industry.
Huth noted that he brought a powerful message by introducing Morgan, a freshman at Purdue who is participating in a joint internship program called “Pathmaker” hosted between his university and the state of Indiana.
“By enabling our youth to participate and engage in our cyber concerns, we are growing a community of hunters that will protect us as we journey through our ever-evolving cyberworld,” Huth said.
“We’re capable and confident, and we can dive into these problems with new ideas,” said the student.
- Moderator: Trevor Hughes (@jtrevorhughes), President & CEO, IAPP
- Panelist: Brendon Lynch (@brendonlynch), Chief Privacy Officer, Microsoft Corporation
- Panelist: Keith Enright (@keith_enright), Legal Director, Privacy, Google
- Panelist: MeMe Rasmussen (Meme Jacobs Rasmussen), VP, Chief Privacy Officer, Adobe Systems
With Microsoft’s keynote being so relevant and interesting, I thought it would be good to also hear from the privacy leaders of other major players in technology.
The panelists in this presentation answered questions around some of the most debated topics today. One of the issues discussed revolved around innovative data usage and dealing with product managers who may want to do something that is not quite right.
Microsoft’s Brendon Lynch stated that this case is likely inevitable, as we are beginning to recognize that data is the key to innovation. The best way to turn these discussions into healthy tension is by focusing on what’s right for customers.
Meanwhile, Keith Enright from Google said their employees are encouraged to take risks and that it’s important to foster this notion in conversations. But this came with a caveat.
“Let’s remember the trust of our users is detrimental to Google’s success,” Enright said.
Another topic touched upon was the GDPR introduced in Europe. All of the panelists believed this is an issue that is still up in the air. Adobe’s MeMe Rasmussen said it’s clear the document was written by people who don’t run businesses, including numerous countries that all have their own agendas.
“A lot will be up to interpretation, and we’re waiting for guidance on what certain terms mean,” said Rasmussen. “We will have to wait until the dust settles, and that won’t be for a few years from now.”
Meanwhile, Enright added that he and other leaders around privacy practices need to negotiate and draw out rationality as much as they can.
“Ultimately, our interests are aligned. We want to protect users to the greatest extent – the GDPR gives us a framework to do so. We have to bring our programs to the next level of privacy and make them more robust in demonstrating compliance externally,” Enright said.
The security of critical infrastructure has been in the spotlight recently following a power outage in the Ukraine, which the U.S. government has confirmed was caused by a cyber attack. What David Meltzer and Jeff Caldwell stressed is that these incidents are a real issue – not FUD (fear, uncertainty and doubt).
However, the part of this problem that doesn’t receive as much attention is that the overwhelming majority (80%) of incidents on ICS networks are unintentional – caused by human errors, software flaws, or an untargeted malware infection.
Meltzer and Caldwell discussed an approach to industrial cybersecurity and defending against ICS incidents, including how IT and OT teams can work together to secure industrial networks, PCs, and controls.
Responding to today’s threats requires improved communications between the two areas as well as cooperation on a consistent security strategy. Although OT engineers and IT security professionals bring different skill sets and perspectives to these cyber security challenges, it’s important to note that both teams can learn significantly from each other.
Lastly, the speakers outlined a few keys to successful convergence:
- In the next week: commit to improving your ICS security skills, such as by reading a book or taking a course.
- In the next three months: begin to build relationships with the IT staff or ask to get a tour of the plant.
- In the next six months: drive or support a collaborative environment and metrics that both emphasize teamwork.