One of my best and most respected friends in the information security world is Bill Brenner. Bill was the long-time senior editor of CSO magazine until a few weeks ago when he took his considerable talents over to Akamai, where he is now blogging up a storm. We are both out here in Las Vegas this week for the security industry's annual party around the Black Hat/Defcon twin conferences. Bill wrote a post on the Akamai blog called "Black Hat 2013: What's New In Security? Nothing."
While I agree with Bill that hearing year after year about what is the next challenge we face can begin to blur over time, that doesn't mean there is nothing new in security. Bill's statement that "I see absolutely nothing new, and haven't for some time," is mistaken. I think back over the 12+ years I have been involved in the security industry. Like Bill, I remember the rise of the mass worms like Code Red and Sasser. I have seen compliance become the scourge of the industry. But unlike Bill I have seen lots of changes over the last few years.
First of all, we have seen the nature of the attackers change. We have seen script kiddies give way to organized crime preying on financial information. We have seen nation states using hacking to further strategic national goals. We have seen cyberterrorism, hacktivism and even cyber whistleblowers/traitors.
I have seen the industry change from building castles surrounded by moats to micro-perimeters protecting individual machines. From fighting to convince people to scan their networks regularly, to recognizing that scanning alone is not enough. The rise of penetration testing. The rise of offensive security. Risk management, GRC, Security-as-a-Service.
As we have moved assets out to the cloud, the security industry has both leveraged the cloud to deliver security in ways impossible without it and protected that cloud infrastructure with technology that would not make sense in a LAN. We have seen the security industry trying to use Big Data tools to give us greater insight into, and better security of, our data, while also trying to secure big data itself.
Changing social mores about privacy, what we consider our public personas, and social networks have given rise to a whole new area of security challenges. We are already seeing security solutions arise for these hot-button issues.
Perhaps the biggest thing this year at Black Hat is: what is your story on BYOD? We are truly at a new KT boundary, not just in security but in computing. We have moved from a PC-dominant era to a new mobile era where phones and tablets outnumber computers. This is having a profound effect on security. Increased mobility has changed where we access data, what we access, and what we do with it.
This mobility is allowing our ever-more remote workers to access the cloud and applications directly without going back through the LAN/WAN, where our traditional security is located. This has forced us to move security to the mobile device and to the cloud for direct-to-cloud access. It is fundamentally changing what security we deliver and how we deliver it.
Even some of our tactics are changing. We are seeing sandboxes at the edge of our networks, à la FireEye, or in the cloud like Skyhigh Networks. We are seeing micro-visors like those used by Bromium to run apps and processes in their own virtual world.
Bill, my friend, on this one I think you are wrong. There are lots of new developments in the security field, both in the way of new trends and new ways of fighting the bad guys. Take a fresh look at some of the new companies that have risen lately, at some of the new faces presenting at shows like Black Hat.
What hasn't changed is that big security companies still buy smaller companies who are innovating. What isn't changing is that security folk still have a tough time getting budget to really do what they need to. What isn't changing is that we are still under attack every minute of every day and we need to remain vigilant. We may never get one step ahead of the bad guys, but it takes everything we have to stay close to them. What hasn't changed is that we are not winning the war in security, even if we win some battles. People don't take security seriously enough. But don't equate not winning with nothing new happening.
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from startup to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.