If you're ever in the position to switch jobs, may I recommend launching into your new gig with Jane Lynch providing the soundtrack? I had that experience yesterday at RSA 2015, the first event I'm attending in my capacity as your newest hire for Windows IT Pro.
Jane Lynch introduced Tuesday morning's keynote speaker, RSA president Amit Yoran — after doing a musical number mapping the dramatic developments of the security landscape to David Bowie's "Ch-ch-changes," all before 8 a.m. — and Yoran took to the stage to deliver a sobering message: "For all practical purposes, we can never secure or trust the … endpoint participants in any computing environments."
In other words: Get used to living in a world where security breaches are common, because there is no such thing as a perfectly secure technology.
Yoran moved into a map metaphor, arguing that the current "map" for security procedures and tech was inaccurate — we no longer have a clear picture of the terrain of the security landscape. He continued, saying the "perimeter mindset" was outmoded and that old standbys like network monitoring and malware products were inherently limited by their experience — so they could neither anticipate the kind of security attacks made today, nor adapt to new attack models.
So what's a security-minded IT pro to do? Yoran had five key recommendations:
- Stop believing that advanced protections work against today's malicious actors.
- Adopt a deep and pervasive level of visibility everywhere, from endpoint users to the cloud.
- Recognize that authentication and identity matter more, not less.
- Learn how to leverage external threat intelligence.
- You'll never have "enough" resources, so ruthlessly prioritize what you have and make it work.
There were three things that were striking about Yoran's keynote — and in all the other keynotes I attended after that. First: he and several others used the phrase "post-Snowden world," which shows how much weight top-tier security pros are giving to the question of employee access to assets on a network. Second, the Sony hack and its aftermath pervaded every conversation. And third, everyone's emphasis was not on "we need better technology for this new world," but rather, "we need better behavior."
This was also apparent in the subsequent two keynotes. Scott Charney, Microsoft's VP of Trustworthy Computing, spent a significant portion of his keynote on cloud trust talking about how security pros need to recognize and account for people's need to feel in control of their cloud-based assets, and he followed that up by recognizing cloud customers' increasing demand for transparency — they want to know what's happening to their stuff at all times.
And then Intel Security Group senior VP Chris Young made the most effective pitch for thoughts over tools: He brought out Oakland Athletics VP and general manager Billy Beane, who became known for his data-driven approach to maximizing a baseball team's performance with profoundly limited resources. Beane's approach, as detailed in Michael Lewis' book Moneyball: The Art of Winning an Unfair Game, was profoundly radical for its time and went against a lot of industry convention. And when he took the stage during Young's keynote, he stressed that the best way to gain a competitive advantage over your adversaries was to look at old information in new ways.
He also warned about the dangers of complacency in victory — "[The A's management] is constantly evaluating [data] & we're always analyzing process to make sure we're not correct through serendipity" — and stressed that any organization which uses data to gain or maintain a competitive edge needs to be constantly iterating how they look at that data. Avoid operating based on habits and tradition, he said.
With three keynotes in a row emphasizing the importance of human behavior, it'll be interesting to see when and how security tools assist this call to change how security pros think. I'll be hitting the show floor later to find out.
If you want to follow along with what I'm doing at RSA this week, I'm tweeting about it over at @lschmeiser, using the hashtag #RSAC. This afternoon, I'm off to find out about the generational differences in security approaches, how to use Moneyball-style metrics to sharpen network security, and what it means to be in "the second machine age." I'll report back on how it all went tomorrow.