Collaborate, Innovate, Secure
SecZone 2012 Keynote

The problem with accepting a keynote is that audiences tend to come to your talk expecting to be inspired, impacted, even changed. Starting to write a keynote after realizing that is, to say the least, a task unlike almost anything I have ever done before. Maybe that's a good point to start: "What have I done before Edgar asked me to come out here and talk to you?" Or should I say "for Edgar to ask me"? When I look at myself I'm just a crazy guy who's passionate about information security and eager to learn every single day. I've spent the past 15 years in IT in different functions, working for IT integrators, hardware and software manufacturers and Big Four consultancies. Currently I work for Ernst and Young. In my spare time I'm a director at (ISC)2 and I organize the BruCON conference. It is an honor for me to speak here and I can't really continue without thanking Edgar: "muchas gracias por la invitación. Me siento muy honrado de estar aquí. Colombia es un país increíble y nunca me he sentido más bienvenido en una conferencia." ("Thank you very much for the invitation. I feel very honored to be here. Colombia is an incredible country and I have never felt more welcome at a conference.") With that out of the way, let's see what I have in store for today.

2012 has been an interesting year for information security, wouldn't you agree? We have been shocked, we have been exhilarated, we have been depressed, we have laughed (hard!), we have cried and, more often than not, we have sighed. We have sighed with relief because the worst things happened to somebody else and not to us. We have sighed in dismay when another database with unsalted hashes appeared on Pastebin. Whereas Anonymous was omnipresent in 2010-2011, we seem to have come back to the essence of information security in 2012. The same questions remain: "Do we want to do business in a secure manner? How do we protect our most valuable assets? How do we ensure that we protect those assets to an acceptable level? And... what exactly does 'an acceptable level' mean for us?"
I am thankful to be active in a community that gathers some of the smartest people in the world around the most challenging problems. For the record: I don't count myself among that group of smart people. I am but a blip on your screen. I am just a guy with an opinion who's determined to try to do something right. For some values of something.

What I want to address today are the following three points:
1. How can a community that has grown explosively, and changed without even realizing it, keep collaborating in a competitive setting?
2. Where I am convinced that many of the decisions we have taken and supported over the past 15 years have stifled innovation, how can we rekindle that innovative spirit?
3. And finally, once we have created a collaborative and innovative ecosystem, how can we secure the world together?

Let me start at the beginning. In the past decade, the friendly hacking and security community has evolved into an ecosystem where individuals, associations and organizations are eager to find an equilibrium (or balance) that allows them to maintain a culture of information sharing and at the same time permits the commercialization of a legitimate service or product offering. The power of a community such as the hacker/infosec community has always been that each member is as dedicated to giving back to it as to taking from it. The collective knowledge is what effectively powers the ecosystem, and in the past decades individuals have found a stable, albeit brittle, equilibrium that allowed them to exchange knowledge and ideas. It wasn't until recently (as in "the last 5 years") that the associations of the involved individuals with their employers became an additional factor in this ecosystem. One isn't just "John Doe" in today's world. I am never just "Wim Remes". Most often I am "Wim Remes, working for Ernst and Young" or "Wim Remes, Director at (ISC)2" or "Wim Remes, organizer of the BruCON conference", or a combination of all of the above, or just the drunk guy at the party. On a personal level the most unsettling part is probably that I'm never in control of which cap I am wearing.
It comes to a point where I become hesitant to share my ideas and projects with other, interested, parties. Obviously this may just be me being paranoid, but when you look at the broader picture you will see that the whole community is moving towards a state where information is no longer shared in large groups. The community gets fragmented and loses the core of its being.

In the past half decade we have seen a dramatic decline of "new research" being presented at conferences. We have reached a point where most of the talks are about "ideas in a conceptual state" where we used to have "finalized research" and "knowledge sharing" before. One may argue that, as systems become more secure, it becomes harder to find 0-days. I would even find this reasoning acceptable were it not for the data from vendors that shows that vulnerabilities are still being found at an alarmingly fast rate. So, there must be underlying reasons for this evolution. We have moved from the "no bugs for free" era, where security researchers were glorified hobbyists who were expected to give up their goods for a plane ticket and plenty of alcohol, to a state in the community where security research has become a hard currency. Much of the research that was conducted "independently" a few years ago is now being performed under a commercial contract, often involving a Non-Disclosure Agreement. Where commercial organisations would in the past sometimes prevent research from being presented at conferences by threatening lawsuits, we now see them hiring the same researchers and blocking them even before the research starts. This isn't necessarily a bad thing for the parties involved. It could be that it is a bad evolution for the community at large, but that remains to be seen. What we see today is that the larger impact of commercial entities on the community leads to polarization, as organizations are pitted against each other in support of one idea or belief or another. A good example that we have witnessed over the past year is the debate on the sale of 0-day vulnerabilities by researchers or companies to government entities.
I am not inclined to use this venue to pass judgement on the ethics of selling vulnerabilities for undetermined purposes to whomever pays the most money. Most notably, a French company called VUPEN has become the focal point of this debate. I don't think I have seen a commercial company being publicly called out as much as I've seen VUPEN being called out and blamed for all our collective sins. The only thing they have done to deserve this is refusing to hand over a vulnerability that would have earned them 50,000 dollars in a bug-finding competition. Everything from there on forward has been bluff and marketing, with VUPEN claiming that they can earn much more by selling the exploit to their customers. The proof of that remains to be shown. I haven't seen it yet, have you? Or maybe we have? Like all (ok, most) "legitimate" companies, VUPEN is required to publish their yearly revenue. Publish is not a Latin word: it means that their numbers are made public, for all to see! It's quite strange that we haven't seen those numbers in any of the articles that have covered the topic in the past year. For the Americans in the debate, there may be a first problem: VUPEN's numbers are published in French. I'm happy to provide a quick breakdown so they don't have to learn a second language. Someone who's a little bit interested will quickly find out that in 2010 VUPEN made almost €600k in revenue with €325k in net profits. The years before that, the company made LESS than €5k in profits!!! That means that a Pwn2Own payout of $50,000 represents almost 1/7th, or almost 15%, of VUPEN's profit. From their perspective that isn't insignificant. At this moment there isn't a single indicator that selling 0-day vulnerabilities OR exploits is a viable business model. If VUPEN has the many 0-day vulnerabilities that they claim they have AND the clients that want to pay the premium price for them, it surely doesn't reflect in their business numbers. Granted, VUPEN has not published any recent business numbers, and I'm looking forward to seeing them, but I'm inclined to think they do not show a sharp increase from the 2010 numbers. I have, and I am not shitting you on this one, talked with people in the industry that actually sell 0-days, and let me assure you that it is not their core business. 0-day sales is not the flourishing market that some make it out to be.

Allow me to throw out an interesting comparison. It is with a little amusement that I observe that established research organizations such as Forrester and Gartner produce proprietary research and sell it at high prices.
C-level executives act on these publications, and the impact of whatever it is that industry research companies think themselves knowledgeable about today is rarely measured. As an example, I was recently forwarded a short research note from a well-known company. The document described the added value of integrating vulnerability management solutions with web application firewalls. In itself the idea has merit, but papers of this kind rarely take into account the grim reality that is a company's infrastructure: silos, departmental friction, etc. When applied to "the real world"(tm), the whole premise of such a paper falls flat on its face. It becomes a ridiculous idea, yet executives assign valuable resources to creating gap analyses, estimating cost, etc. etc. "What a waste" or, if I'm allowed to paraphrase an esteemed colleague of mine: "What a waste."

All this while we ridicule true researchers who investigate the infinitely interesting ways in which software (and hardware, but everything today is software) breaks. True researchers who operate on the edge that exists between engineering and art. True researchers who are finding ingenious ways to monetize their skill and efforts. We ridicule them and expect them to work for free. For what? The thought alone is beyond any reasonable argument. I would like to ask who has, in the long run, the more nefarious impact on information security: the established research institute that is killing trees spreading advice that lacks even the most remote thought of implementability, or the researcher who discovers an oversight by industry moguls that puts companies and their clients at risk?

Let's elaborate on the idea of selling 0-days as a business model. First off, let's explore the position of the seller. It is impossible to control the intellectual property of a 0-day vulnerability and its related exploit. A company may have spent 3 months on the development of an exploit, preparing it for sale to an interested third party, just when an independent researcher submits the same vulnerability to a bounty program or decides to throw it on the internet for free. Any which way you take it, the investment is immediately nullified. At the same time, it is impossible to determine the shelf-life of a 0-day vulnerability. A vulnerability may exist for days, months or years.
It is, with that knowledge, impossible to determine the price of a vulnerability. At the same time you are, with a unique product, playing in a market driven by demand, which means the price of your product is not determined by the intrinsic value of the product itself but by who needs the product at any given time and with what urgency they need it.
From a customer perspective, the situation is even more dire. You don't want to stock up on 0-days that you may or may not use. It isn't unthinkable that you will have a $100k exploit lying around that is then published on Pastebin by a creative teenager, immediately devaluating the bu. You're looking for exploits when you need them, custom developed for you at that specific time. I am, for the sake of not boring you to death, not even digging into the details of how the reliability of an exploit impacts its value. Imagine that you are a buyer: how much are you willing to pay for an exploit that only works 3 out of 10 times? How much for an unreliable exploit that leaves a machine in an unstable state, and how much for one that doesn't noticeably impact the state of a machine? In most cases, very little, but if you really need to bring down that Iranian nuclear plant... it may be worth a million dollars. Taking all that into account, I would dare to claim that the market for 0-day vulnerabilities and exploits is very small (to the level of unviable in the long term) and highly unstable. At the same time the market for specialized skills and vulnerability research seems to be large enough and continues to grow. I think that, in the case of 0-day sales, we are looking for an imaginary 800lb gorilla and I don't believe we will find it. One possible, and for a change believable, scenario where someone may be interested in buying 0-days is from a defensive perspective. It is as important to know the tools your enemy has available as it is to sharpen your own tools. Buying 0-days gives you a perspective on what is available in the underground market: what you may or may not need to defend against, and how you may or may not be attacked. The whole 0-day sales debate being fought out in public is, in my opinion, little more than politics. It isn't new for pressure groups to create an alternate reality to forward their own agenda.
What it shows me, though, is that we are becoming particularly good at throwing our peers under the train for little or no reason at all. If we want to stop doing that, I believe we can start by focusing on our own strengths. Instead of pointing out our competitors' weaknesses (whether that's selling 0-day exploits or offering vulnerability assessments as penetration tests), we should aim our sights on performing the best we can in our space. This would be a first change that can lead us to a collaborative, innovative security industry. When we all aim to be better, we collectively move forward.

---

Not so long ago someone suggested that I should watch a short movie called Jiro Dreams of Sushi. I am forever grateful. The documentary (it's a true story, not fiction) digs into the life of Jiro, the head chef of a three-star restaurant in Tokyo. His restaurant, with no more than 10 seats, has reached the ultimate recognition in the culinary world. Being awarded three stars is not something that's easy to do. At a time when he should be enjoying retirement, living the life of a recognized hero and watching his 2 sons carry on his legacy, he gets up every single morning. To make sushi. To work with ingredients so simple and pure that one would wonder if there really is anything special about them. Now, the question is why Jiro would do that and... obviously... what lesson we can learn from it. Jiro is a very simple man. His only goal is to make the perfect piece of sushi. To do that, he goes through every single detail: the rice he uses, the fish, manually roasting the nori sheets, using (or not using) condiments. Those seem obvious, but where any ordinary chef would stop, Jiro pushes forward. He learns his customers; he knows who will sit where and whether they are left- or right-handed. He is so engaged in the process of creating a piece of sushi that one would wonder if it is still healthy for him, but he doesn't mind. His only goal is to make the perfect piece of sushi. His love for the raw products he works with is only surpassed by his love for his customers and his quest to make the perfect piece. Jiro's perfect, by world standards, cannot be expressed in Michelin stars, yet he keeps pushing the boundaries.
Over the past few months, in different settings, we have heard the following being said:
* let's not aim for the stars if we want to shoot the moon
* sometimes good enough is perfect
* nobody needs perfect if good enough suffices

Voltaire (a French writer/poet) had an interesting idiom about that understanding: "le mieux est l'ennemi du bien", "the better is the enemy of the good". The original meaning of this phrase has been redefined over time, so much that I feel it is important that we go back to the original. What Voltaire meant or, maybe better, what I believe he meant is that people tend to set lofty goals and get lost in their attempt to reach those goals. This finally results in not reaching any goals at all. A solution, a situation or a product can be "good enough", and "good enough" can be a state we can live with in our quest for "perfect". I predict that Voltaire is going to surpass Sun Tzu as the most quoted dead guy at information security conferences, so when you hear him again, please think back to what I said here. Voltaire does not tell us that "good enough" is in itself an end goal; it is an acceptable state for a finite amount of time as we figure out our next steps. A few years ago executives that I talked to often countered my push for better security by saying "we are not Fort Knox" or "nobody wants to hack us". In a Voltaire world, these people are saying that we don't have to be perfect and are aiming their sights at "good enough". It is our task to drive innovation by setting intermediate "good enough" goals and using our magician's force on the way to perfect.

The concept of the magician's force in itself is interesting. (provide example) As the magician you give your subjects the idea that they have been given a choice while, in the end, they had no choice at all. Compliance may be an example of an area where your use of the magician's force is very much needed. At this very moment colleagues in industries like healthcare and finance are swamped with regulatory requirements: HIPAA, PCI-DSS, local banking regulations, local and international privacy regulations, you name it. All of those frameworks set a bar that we now perceive as perfect security. Most of us agree that the combination of the recommendations we read in all those frameworks together may not even be good enough.
To innovate security, we have an obligation to be passionate about what we are doing and aim to be better tomorrow than we are today. We need to be a little bit more Jiro and care about our products and clients as much as we care about the money we are making.
Through my work for (ISC)2 I get to talk to information security professionals around the globe, from South America to Japan and Australia. Executives often tell me that they can't find the right people to fill extremely important positions. I think this is an important problem that we need to solve, and the first thought that always comes to mind is how we can improve the knowledge transfer and build a pipeline of professionals who can support our organisations in doing business securely. I know several people, ranging from my fellow board members at (ISC)2 who are active in the academic world to people like Dan Guido, who is a "resident hacker" at NYPoly. They do groundbreaking work to fill the pipeline of information security workers we need so much, but I don't believe that: a) we can solve the lack of skills by training people who have little or no experience to begin with; b) we should expect all our solutions for this problem to come from academia. I believe we need significant investments to build IT security into the existing Computer Science curricula, and much more integration of the efforts that are made by the private sector, government and academia alike. It is quite awesome to see that an event like SecZone provides a venue for such collaboration and integration here in Colombia. Firstly we need to make sure that the skilled people we train are ready for the reality they will be functioning in. That means that we don't only have to prepare them for the technical challenges they will face but also for the business challenges they will face when they enter the labor market. And when they are finally ready, we need to make sure that those people also choose a career in information security. Very often we discuss the "skills gap"; it seems impossible to find the security workers that we need so badly in our organisations.
When I see another job announcement describing a profile that looks like only someone with 30 years of experience can truthfully claim to fit, while the company looking for that profile only offers a wage equivalent to that of a senior IT administrator, I often wonder: how do we expect someone who can earn equivalent pay as an IT admin, probably working more regular hours and certainly not suffering a 150% workload, to choose to enter the information security industry? "Hiring highly skilled resources at rock-bottom pay IS NOT A SKILLS GAP."
If we ourselves misconstrue the problem, we set ourselves up to fail in finding the solution to it. What we also shouldn't forget is that the security team of today looks very different from the security team(s) of 10 years ago. The teams 10 years from now will look totally different from those of today. Your team members will possess a variety of skills, complementary to their security skills, that should enable them to address the problems. If you lead a security team today, my advice would be to look at the variety of skillsets you need to keep up, and hire accordingly.

Assuming that we manage both to maintain a collaborative environment and to bring innovation back to the information security industry, how will we progress in securing our infrastructures? I'm certainly not the first to say that it is safe to assume that you will, at a certain point in time, be hacked. It is just a matter of when, if it didn't already happen. The big question then is how you will be able to detect it, how you will be able to react to it and how you will prevent it from happening in the future. First and foremost I believe that our security models need to become not attacker-centric, but attacker-aware. This means that we need to collect more reliable data on attackers, attacker groups, their methods, their interactions and why they attack. Analysis of this data will help us to become better defenders, but only if we are also able to share this data. Whether this happens through a public forum, local and global CERTs or through industry groups doesn't really matter. We need to move away from the idea that we are fighting this fight alone. If we can bring collaboration into our daily operations, we benefit from both the strengths of an industry and those of a community.

I hope that through this talk I've been able to share some of my thoughts on the security community, the security industry and our collective challenges.
I'm happy to explore these ideas further here at the conference or later, via email at wremes-at-gmail-dot-com or on Twitter at @wimremes.