Posted by Ed Macnair / 07 June 2017
After my rant about the general lack of coherence in the info security industry, I thought I’d accept my own challenge and see what I could make of the first day’s action here at Infosec 2017.
A scan through the scheduled keynotes and presentations pretty much confirmed what I predicted to be true. Reading the conference agenda is analogous to reading the menu from one of those ‘every international cuisine under one roof’ eateries, where the only thing the dishes have in common is calories - you know the kind of thing.
Taking an old James Dyson idea, I decided to throw the whole lot into my mental cyclone to see which topics clumped together and settled to the bottom of the bin. Quite a productive tool it turned out to be (...and not half so noisy or heavy to push around as James’ gizmos either).
Here’s what I found. Firstly, securing cloud access is a very common concern. Some of the least self-promoting speakers on the agenda devoted their time to explaining how to implement cloud services safely. Talks included ‘App-to-Cloud Security: Three Problems You Don’t Know You Have’ and ‘On-Demand Access for The Cloud’. Their refreshing starting points were that cloud applications have massive benefits for organisations and are almost certainly essential enablers of new working practices and collaborations: so how do we enable organisations to use cloud innovatively but safely? One case study in particular rang true for me and for CensorNet, with Remy Cointreau’s CTO Sebastien Huet explaining how a cloud-based infrastructure allowed him to facilitate a more agile organisation and workforce without any threat to security and “without wasting costly and valuable IT time on low-level issues such as password resets and account lock-outs.” We should talk, Sebastien.
Another big topic - big here, big everywhere - is AI and machine learning. As it turns out, even very large, well-budgeted IT teams are drowning under the tide of alerts and logs generated by the layers of defenses they’ve built or acquired. Mostly, they’re just firefighting. AIs are proposed as a way to reduce the ‘cognitive burden’ on IT teams, in talks with titles such as ‘Only Human: Redefining the User Security Experience with Machine Learning’ and ‘Applied Machine Learning: Finding Malicious Domains in Your Environment’. The AI sits like an angel on the shoulder of a human analyst, spotting patterns, suggesting links, sifting through gazillions of discrete bits of data a bit like, well, a bit like that cyclone I was talking about earlier. The human gets to focus only on the substantive patterns that clump together and present themselves for inspection. Probably these AIs wouldn’t win any AlphaGo championships, but I believe they’re going to be an important ingredient in creating highly coherent, autonomous cyber security defenses.
There is another way to reduce cognitive overload, of course. Here’s a headline that I could have written: ‘Deep Cyber Tech is OUT, Simple Is IN…’ This feels like it’s offered as an antidote to another lengthy wail - sorry, theme - here, which is the ongoing lack of cyber skills. The shortage comes in two flavours. The first is that there are simply not enough bodies to go around. The second is that many of those bodies don’t have the right kind of skills on board. If I were presenting the ‘Deep Cyber Tech is Out’ talk, I’d be pointing out that the skills shortage can be reduced by making the tech a lot more joined up, and you don’t necessarily need an AI to make that happen.
In most cases today, if your email protection system thinks it’s discovered a nasty, it takes some pre-emptive action and then raises an alarm. The info security professional then has to assess the threat, and possibly go create a remediating rule-set on, say, a web security system, or a CASB solution, or whatever. The email protection might be ‘best of breed’, but we’ve now a reason to suspect that the human in the chain of events might not be. At least, not at that moment, or under that workload, or whatever. So, your defense is compromised.
If, however, the email security system were to find the problem and take action, notice that the suspect email has a URL on board, and then instruct the web security system to take pre-emptive action to block it... and if then the whole shebang raises just the one log to tell the human that action has been taken... Well, you’d have to admit that simplifies things somewhat for the human in the workflow. Think about it.
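The joined-up workflow sketched in the last two paragraphs, written out as an added example (not CensorNet’s code nor any product’s real API): a quarantine verdict from a hypothetical email gateway is turned into a blocklist update on a stand-in web security system, URLs are normalised so trivial variants collapse into one entry, and the human gets exactly one consolidated log record rather than two alarms.

```python
"""Joined-up email-to-web response: one detection, one blocklist update, one log."""
import json
import re
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample event from a hypothetical email gateway (not a real product format).
EMAIL_EVENT = {
    "message_id": "<c0ffee@example.net>",
    "verdict": "quarantined",
    "body": "Invoice overdue: http://Invoices.Example-Payments.test/pay?id=7#x "
            "or use https://invoices.example-payments.test/pay?id=8",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def normalise(url: str) -> str:
    """Lower-case scheme and host and drop the fragment so variants dedupe to one entry."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, ""))

class WebBlocklist:
    """Stand-in for the web security system's blocklist (assumed interface, in-memory here)."""
    def __init__(self) -> None:
        self.blocked: set = set()

    def add(self, url: str) -> bool:
        """Return True only if this call actually added something new."""
        if url in self.blocked:
            return False
        self.blocked.add(url)
        return True

def handle_email_detection(event: dict, blocklist: WebBlocklist) -> Optional[dict]:
    """Act on a quarantined email downstream and return ONE consolidated log record."""
    if event.get("verdict") != "quarantined":
        return None  # nothing to do, and nothing to tell the human about
    urls = {normalise(u) for u in URL_RE.findall(event.get("body", ""))}
    newly_blocked = sorted(u for u in urls if blocklist.add(u))
    return {
        "action": "email_quarantined_and_urls_blocked",
        "message_id": event["message_id"],
        "urls_blocked": newly_blocked,
        "urls_already_blocked": len(urls) - len(newly_blocked),
    }

if __name__ == "__main__":
    print(json.dumps(handle_email_detection(EMAIL_EVENT, WebBlocklist()), indent=2))
```

Running the same event twice shows the second pass blocks nothing new but still produces a single record, so the analyst sees one line per incident either way.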
And because, as we’ve said before, 81% of data breaches are still caused by weak passwords, talks like ‘Two-factor Authentication in Android, iOS...Mobile Devices’ are highly, highly relevant. Here’s our news on that subject.
One last title that I can’t resist throwing in: ‘Why Conventional SOCs Don’t Work for SMEs’. I’m assuming this is because the speaker is the owner of one - or maybe even a pair - of ‘unconventional’ SOCs. Shouty sales pitch, anyone…?