SecTor review: Double-tap edition
Earlier this week I attended two different summits at the SecTor security conference in Toronto. The first session was the (ISC)2 Nexus and the second day was the Cloud Security Summit. Both were fairly standard conference days with a variety of speakers (note: neither day had vendor-heavy pitches masked as presentations). I am writing this as a way to capture and share some of the highlights from each session.
First up is the (ISC)2 Nexus conference. I would say there were about 200 people in attendance. The first presentation was from (ISC)2, speaking about their new Professional Development Institute (PDI). If you’re an (ISC)2 member, I highly recommend checking this out. Yes, there are CPE opportunities, that’s a given. What’s new though is that the PDI has online training sessions that are free for all (ISC)2 members. What kind of training? Surprisingly, a wide array of options! Anything from hands-on labs on Application Security, more traditional ‘immersive’ courses on subjects such as Incident Response (5 CPEs, so I’m guessing it’s a 5-hour course) through to mapping your career path to becoming a CISO. I checked them out quickly and they seem to be a mix of slides and videos.
The next presentation had a discussion on Industrial Control Systems (ICS). A couple of interesting notes from this session. There was a discussion of how many of these systems were built quite a number of years ago and intended to only be run in a closed system. Now however, there are multiple pressures that have been imposed on the companies running these to open them to the outside world. Add the fact that these older systems may have been built by a supplier that is no longer in business and you have a recipe for disaster on your hands. Even from a testing perspective, it may not be possible to acquire the identical system anymore, and something as simple as an Nmap scan has been known to knock Programmable Logic Controllers (PLCs) offline in the past. Great, so now you can’t test in production AND you can’t build a test lab. This leaves only one ‘viable’ solution in many cases – just leave the systems alone and hope for the best. Ouch.
Moving forward, we had a presentation from a vendor (ForeScout) that was thankfully not a sales pitch at all (I don’t consider a company logo a pitch personally). They presented a series of “Best Defenses”. I’ll list them here below:
- Best Defense 1: Start by truly knowing what is in your network (Asset Identification)
- Best Defense 2: Then know what is truly talking to what.
- Best Defense 3: Now that you have real-time asset intelligence, take action by isolating non-compliant devices, limiting movement with segmentation (it took 3 hours until the first Zero-Trust reference) and blocking unknown devices.
- Best Defense 4: Be willing to automate remediation across tools. Automate and orchestrate response!
Ok, here’s the part of the day that just made my head spin. Quantum Computing time with Dr. Mashatan of Ryerson University. Well, more specifically, Y2Q. Huh? Yeah, me too. Y2Q stands for Years to Quantum. Basically, the countdown on public-key encryption lifespan is on. You know how ‘they’ always say that encryption doesn’t permanently protect your data, but that it makes it infeasible to break within a lifetime? Yeah, advances in quantum computing are predicted to have a 50/50 probability of cracking asymmetric encryption (e.g. RSA-2048) by 2032 and a 1/7 chance of cracking it by 2026. Plan for quantum-resistant encryption now. What’s the big deal here? Well, if you store customer data that has personal data in it, you need to be concerned about a breach that harvests these databases today and subjects you to regulator actions for ‘losing’ personal data years from now once the encryption is broken.
But how do you demand something that doesn’t exist? You begin the discussion of ‘crypto-agility’ now so you’re well positioned in a few years when NIST releases Quantum-Resistant cryptographic standards (anticipated by 2023). Looking at an HSM today? Get a clause in your contract stating the vendor is capable of adding new standards to their product and will implement them for customers without charging existing clients.
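To make the crypto-agility idea concrete, here is an added illustration (not code from the talk or from any vendor) of the core pattern: every protected record carries the identifier of the algorithm that produced it, a registry says which algorithms are still approved for new data, and legacy records can be verified and re-protected under a newer algorithm without changing the record format. It assumes standard-library HMAC tags as a stand-in for whatever cipher or signature scheme is actually in use; the key, data and the "hmac-sha1" legacy record are constructed samples.

```python
import hmac

# Registry of supported algorithms. "approved" gates new writes; deprecated
# entries stay verifiable so old records can still be read and migrated.
ALGORITHMS = {
    "hmac-sha1":     {"hash": "sha1",     "approved": False},  # legacy, read-only
    "hmac-sha256":   {"hash": "sha256",   "approved": True},
    "hmac-sha3-256": {"hash": "sha3_256", "approved": True},
}

def is_approved(alg: str) -> bool:
    """Unknown algorithms are treated as not approved (fail closed)."""
    return ALGORITHMS.get(alg, {"approved": False})["approved"]

def _tag(key: bytes, data: bytes, alg: str) -> str:
    return hmac.new(key, data, ALGORITHMS[alg]["hash"]).hexdigest()

def protect(key: bytes, data: bytes, alg: str) -> dict:
    """Write a new record. Only approved algorithms may be used for new data."""
    if not is_approved(alg):
        raise ValueError(f"{alg} is not approved for new data")
    return {"alg": alg, "data": data.hex(), "tag": _tag(key, data, alg)}

def verify(key: bytes, rec: dict) -> bool:
    """Verify under whichever algorithm the record names, legacy included."""
    if rec["alg"] not in ALGORITHMS:
        return False  # never guess an algorithm the record does not declare
    expected = _tag(key, bytes.fromhex(rec["data"]), rec["alg"])
    return hmac.compare_digest(expected, rec["tag"])

def needs_migration(rec: dict) -> bool:
    """True when the record was produced under a now-deprecated algorithm."""
    return not is_approved(rec["alg"])

def migrate(key: bytes, rec: dict, new_alg: str) -> dict:
    """Re-protect a legacy record under an approved algorithm, only if it
    still verifies under the algorithm it was written with."""
    if not verify(key, rec):
        raise ValueError("record failed verification; refusing to migrate")
    return protect(key, bytes.fromhex(rec["data"]), new_alg)

# Constructed sample: a record written years ago under the deprecated algorithm.
KEY = b"constructed-demo-key"
LEGACY_DATA = b"customer-id=42"
LEGACY_RECORD = {"alg": "hmac-sha1", "data": LEGACY_DATA.hex(),
                 "tag": _tag(KEY, LEGACY_DATA, "hmac-sha1")}
```

Because the algorithm name travels with the data, retiring an algorithm is a registry change plus a migration pass rather than a format change, which is the property you want a vendor to commit to contractually.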
The next presentation delivered at the (ISC)2 Nexus was from the Canadian Cyber Threat Exchange. They’re working to build on their existing Threat Intelligence service and are working with the Federal Government to get more SMB companies on board. A couple of interesting facts came out of this session. The time to identify a breach is 197 days on average globally (181 in Canada). Containment takes 69 days, and the average cost of a breach is now pegged at $3.86M (up 6.4% from the previous year). They’re also sounding the alarm over supply chain disruption. This was the top identified business risk in the Canadian Transport sector for 2019. Does it make sense now for an attacker to go directly after a large company that spends millions a year on cyber defences, or does it make more sense for them to go after the 15-user supplier company that is a ‘trusted’ partner?
Fast forward to the Cloud Security Summit. Unfortunately, I couldn’t catch all of the sessions because I was on the Incident Response panel and needed to join my co-panelists in advance of us taking the stage. I can tell you this though, there was an insane amount of knowledge delivered this day. Here are some of the day’s highlights:
The first session was delivered by Charlie Kauffman. This guy knows his stuff! Makes sense that he would, considering he was responsible for securing Microsoft Azure. His presentation was about what the provider does. I was a bit concerned at first because the dreaded term “security responsibility” was used and I immediately thought this was going to be a waste of time. I’m very happy to say it was an eye-opening session. Here are a few key takeaways I had from Charlie’s session:
- Genetic Diversity – Having lots of vendors in the security space is a good thing. If everyone used one IDS, for example, attackers could just focus on that one product.
- Attacks coming from another tenant are going to use high-speed networks. A velocity of attack you haven’t seen in a traditional datacenter.
- CSPs have to assume customers are not just incompetent, they can be malicious. CSPs architect their cloud services accordingly for both traffic coming into and within a cloud environment.
- Side-channel attacks that exploit hyper-threading and speculative execution are serious concerns for CSPs.
- Think a CSP will notice your credit card being used to open multiple accounts? Not so fast! Your CSP may not even see the credit card data if they outsource credit card processing.
- CSPs often have less information about clients (esp. those using a stolen credit card) than an ISP does.
- What happens when Spamhaus identifies an IP being spammy? The next one to use that IP gets penalized. Another reason why CSPs need to have great visibility into what’s happening on their network.
Again, great insight into how and why providers NEED to have strong controls over traffic coming into, leaving and traversing the cloud environment they manage. I would attend another one of his sessions in a millisecond.
Next up was an AI panel. Personally, I’m not too into this subject at this time. This is only because I’ve come to learn over the years that “can’t miss hot tech” often takes many more years to be adopted than expected. I don’t believe AI will be any different. There was a lot of talk about bias in AI. Well, the trick is that AI requires humans to program it. If you let AI make decisions on its own to “remove bias”, how far away is a Terminator-style Skynet? Other items from this talk included:
Key items to ask vendors in the AI space:
- 1 – How does it improve day-to-day ops?
- 2 – Can you show me how you’ll solve 1 problem first before you keep talking about everything you can do?
- 3 – Prove it.
Good quotes here: “AI in security tools allows smart people to focus on hard problems” and “Are you doing more with AI on your side?” It’s doing its job of delivering value then.
Finally, a cool story that I never knew before the session: ‘Hackers’ tricked a Tesla into driving on the wrong side of the road using stickers. Stickers? Really?
The next speaker is none other than Jim Reavis, CEO of the Cloud Security Alliance. Jim presented some interesting facts. For example, cloud infrastructure spend was higher than traditional for the first time in 2018 (IDC stat). I find this a truly remarkable finding considering you’re looking at Operating Expenditures vs Capital Expenditures.
The SaaS model has the highest impact on your security program as there are so many more SaaS apps that require vetting compared to IaaS. I have thoughts on how you can reduce the costs associated with risk assessment of these providers, but I’ll leave that for another time.
Another interesting takeaway from Jim is that Cybersecurity is synonymous with National Security. CSA research is being used by many Governments around the world.
A couple of forward-looking statements below:
- Cloud attacks and breaches will explode, probably based on basic threats. Big wildcard is a major event causing a lack of trust in future.
- Enterprise Directions according to Jim: 1) Transition from Infosecurity to Cybersecurity; 2) Cloud-Centric Cybersecurity; 3) Radical Automation; 4) Cloud Security Workforce development is a strategic priority; 5) Exploring how blockchain can be leveraged as a security solution.
Finally, we have Kellman Meghu’s presentation. This one was a little bit more technical than the other ones that I saw, but Kellman had a couple of zinger quotes that are still making me chuckle a bit.
- Cloud Security introduces “New Weirdness”…and programming. Here’s the thing: he’s right. If you’re going to tap into the true power of cloud, you need to automate. In order to automate, you need to code.
- Don’t just practice least privilege, practice least code as well. If you have a bunch of crap in your code that doesn’t need to be there, why is it allowed to be there?
The absolute best line of the two days (for me at least), and one that is deadly accurate when it comes to cloud adoption by companies of all sizes and sectors, comes from Kellman as well: “The hard part isn’t learning new technologies, it’s leaving the old ones behind”.
That’s a wrap folks. I hope you enjoyed this review of the first two days of summits at the SecTor security conference in Toronto.