This week, we attended the Structure Security conference in San Francisco’s Presidio Golden Gate Club. It was billed as a conference that “will highlight the best practices that security professionals are using to protect some of the world’s largest companies and institutions, and examine the future of security products, services, and the threats that aim to take them down.” The audience was a nice mix of business-side people, CSOs, CISOs, CIOs and vendors, and featured numerous speakers that ranged from Arlette Hart, FBI CISO, to Yahoo!’s CISO, Bob Lord (@boblord). Many thanks to the organizers of this show. The venue, food and short presentation format were all excellent.

The conference was opened by Art Coviello, ex-CEO RSA, who was introduced as the “father of security” and offered a rather ominous Winston Churchill quote – “Evils can be created much quicker, than they can be cured.”

There were three main themes running through the event:

1 – Need for a more proactive approach – Breaches are so costly and damaging to brands’ reputations that enterprises can no longer afford to just sit and wait. Breaches have become a “when” rather than an “if.” As Stuart McClure (@stuartmcclure), CEO of Cylance (@cylanceinc) noted, the OPM only began to make the correct cybersecurity decisions until after the 2015 data breach had exposed the records of 25 million Americans. The only way to mitigate the risk is to be as proactive as possible. The problem as Art Coviello pointed out is that the cybersecurity landscape has become a “ball of confusion,” with 1700 vendors in the space and the average Fortune 500 company now with well over 50 security products. Furthermore, industry analysts really do not offer any type of “holistic” guidance on how companies can be more proactive.

One very interesting talk was given by Nathaniel Gleicher of Illumio (@illumio) who outlined what we can learn from the secret service and how they protect the ultimate high value asset, the president of the United States. According to Nathaniel the secret service spend months preparing a location before the president makes a public appearance. Theirfirst goal is to control the terrain by reducing the attack vectors as much as possible. The remaining attack vectors are then controlled and protected making it much more difficult for an attacker to go undetected. This approach has application for data centers that need to be proactive in reducing the paths that a potential intruder may take. Another key point from his talk was that our focus should not be solely on reducing the number of actual breaches rather we should focus on “‘dwell time” or the length of time it takes to detect an intruder. Today the average dwell time in a data center is as high as 150 days.

2 – Growing attack surface –  IoT and Insider Threat -“It’s a mess out there and the attack surface has expanded exponentially. Despite billions spent, we are less secure in our infrastructure than we were 10 years ago.” according to Art Coviello.

Today there are perhaps 6 billion connected devices. By 2020 we could be looking at upwards of 20 billion. The problem is that many of these devices coming on stream do not offer robust security. Tom Le, GE Digital Wurldtech, talked about how breaches differ between the consumer and industrial side: “The biggest difference in standard IoT and industrial IoT is that attacks on industrial IoT have a physical impact if they were to be followed through with. While traditional IoT attacks can put data and privacy at risk industrial IoT attacks pose a risk of human safety, environmental damage, and massive system disruption.” He also talked about how many of the existing control systems on the industrial side are really old and do not receive regular security updates. On the consumer side Scott Montgomery, Chief Technical Strategist at Intel Security, talked about how for many devices ease of use was winning over security, and how manufacturers were not holding up their side of the bargain. Products were being released with no thought given to permissioning or even to an actual business model that would support security updates over the life of the device.

There was also much talk about insider threat. Arlette Hart, FBI CISO explained that software can only do so much to detect this type of threat. Niloofar Razi Howe (@NiloofarHowe), Chief Strategy Officer, RSA pointed out that in many ways “people have become the new perimeter.”  

3 -Automation and Machine Learning to the rescue  – Jay Leek, Blackstone CISO, talked about how it is a constant struggle to hire security professionals and how there are tens of thousands of open security recs. New, more sophisticated threats mean that security has increasingly become about data and analysis. Programing skills like Python are now table stakes for anyone wanting a career in security. His organization has successfully used automation to alleviate the personnel shortage, allowing his security professionals to be more efficient and to work on higher value tasks. 

There is still considerable confusion in the industry on terms like “AI”, “Deep Learning” and “Machine Learning” but Stuart McClure was very optimistic about how with machine learning algorithms, organizations can better recognize how hackers are trying to exploit their computer systems, and better protect themselves. “It will save the entire security industry,” said McClure.