Transcript of a BriefingsDirect podcast from the HP Discover 2012 Conference on how our views of security need to be expanded beyond protecting the perimeter.
Resiliency, Risk Management Add a New Dimension to Discussions about Enterprise Security

Listen to the podcast. Find it on iTunes/iPod. Sponsor: HP
Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance podcast series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end users alike. This time, we're coming to you directly from the HP Discover 2012 Conference in Las Vegas. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

At the event, I had a chance to sit down with Raf Los of HP Software. Raf has an interesting personal perspective on "enterprise resiliency," which I initially heard about through his blog, Following the White Rabbit.

Raf will now share his point of view, and you can also read more about "enterprise resiliency" on Raf's blog, or by following him on Twitter at @wh1t3rabbit.

With that, please join me now in welcoming Raf Los. Welcome back.
Raf Los: Thank you for having me again.
Gardner: Tell me a little bit about your vision. We all understand security and why it’s
important, but you've developed, I think, an expanded category for security. Tell me what you
mean and where that is heading.
Los: Security, over the years, has evolved from an absolute concept of a binary decision: is it
secure or is it not? As we move forward, I believe very strongly that what we’re
evolving into is, as we’ve heard people talk about, risk management.
Risk management starts to include things that are beyond the security borders. As I
talked to customers out here, I was having an "aha" moment. A little while ago, at
one of our converged cloud chats, we were talking about how things fail.
Everything fails at some point, and chaos takes over.
So rather than talking about security, which is a set of absolutes or a concrete topic, and boxing
ourselves into threats from a security perspective, the evolution of that goes into enterprise
resiliency. What that means is that it's a combination of recoverability, security, performance,
and all the other things that bring together a well-oiled business that can let you take a shot to the
gut, get back up, and keep going.
A lot of the CISOs nowadays are set up to fail by their organizations. It’s a non-winning position,
because you're put into a position where the board of directors, if you’re lucky, or your CTO or
your CIO asks, "How much money do you need to secure this organization?"
That's horrible, and no matter what you say, you lose. If you say nothing, you lose. If you have
$10 million, a billion dollars, there's no amount of money you can spend to make your company
completely secure.
Acceptable risk
So what are you aiming for? You're aiming for a level of acceptable risk. Well, acceptable risk of
what and how and how much you’re aiming for. It’s not just acceptable risk. We’re
looking at acceptable risk from a security perspective, but we need to incorporate
the fact that we're going to get owned.
We need to get out of our ivory towers and we need to start thinking about the
fact that attacks happen and insiders happen. There are things that are going to
transpire that are beyond our control and things that we cannot plan for.
Technology will fail.
People and processes will fail. Our own technologies, our own minds will fail us. Our best
friends will fail us. People get tempted. This is a human nature that the weakest element will
always be a human being, and there's no patch for that.
So how do we move and get back to business as usual? How do we get back to being a resilient
business? That's a cool concept -- that I have enterprise resiliency.
Gardner: This makes great sense to me, because we’ve been talking, over the past several years,
about how security needs to be applied to different parts of the organization holistically and
needs to be thought of in advance, be built in, and become part of a lifecycle.
But it makes double sense to me to expand the purview of security. It really is in making sure
that there's performance resiliency, failover resiliency, backup and recovery resiliency, and data
backup and duplication resiliency. So why not look at it through the resiliency lens? It makes a
great deal of sense.
Los: Absolutely, and that’s exactly where this is coming from. I’ve actually given a series of
talks and called it the introduction of Chief Chaos Officer. It’s not an actual role you’re going to
see on monster.com, but it’s just a concept. It’s kind of like the aging Killcraft, a Chaos Monkey
thing from Netflix.
Can you, as an organization, get comfortable with the fact that things will fail? In the talk that I
gave, it comes from the perspective of you’ve got a lot of great security technology. You've
probably got full disk encryption. You back up. You have firewalls, redundant networks, and all
these things that you do.
You have procedures that you’re supposed to follow in the red book, a big red binder that sits on
your incident response handler's desk, and you have all these things that are supposed to be
followed.
Your people are trained, and your developers are supposedly writing better source code. These
are all things that we can test through penetration testing, which means on Sunday between 7:00
p.m. and Monday 3:00 a.m. on the following four IPs, but only when we’re ready. Can you go
ahead and pen-test us?
No patch for the human
And it’s like, okay, we've tested ourselves, we’re confident that we’re secure. I'm making kind
of a scrunchy face, because that’s not really what this means. I've worked with folks who are red-
team testers. I've yet to meet a red team that's failed, because, as I said, there's no patch for the
human.
When you can't penetrate a system or an organization via a new 0-day, you'll walk in through
the front door by walking and carrying flowers from the CEO's wife or something, and you'll
own the organization that way.
But the question isn’t whether you'll be owned or not. What happens next is the big question, and
it encompasses things like how good is your PR strategy. Do you have all the legal pieces in
place? When your backup system fails or your entire data center gets wiped out by Hurricane
Katrina, in a worst-case scenario, do you just sort of throw up your hands and go, "Well, that
stinks. Well, we were in the cloud." Oh, your cloud just got wiped out. Now what?
Gardner: Okay, let’s go to the cloud. I've been speaking with a number of folks lately who hold
the opinion that at least for small-to-medium sized businesses (SMBs), going to the cloud can
improve their security and resiliency sufficiently to make it a no-brainer. For enterprises, it might
be a longer haul and there might be more complications and issues to manage.
Do you agree with that, that the SMB can outsource some of this resiliency to the cloud provider
who needs to do it and has the resources and experience to do it better than the SMBs do?
Los: There's a number of SMBs that can greatly benefit from the fact that good security talent is
expensive and good security talent that can actually work towards a more resilient, more secure
enterprise is very difficult to come by. It’s becoming scarce.
So small companies do the best they can with what they have their hands on. And there's
certainly a ton of benefit to be gained from going to a shared model like a cloud. Does it raise the
bar for everybody? I can’t say yes. On the whole, do I believe it raises the bar? Absolutely. Let's
take the angle of threat intelligence.
I'm a small entity with five IP addresses on the Internet. How do I know what bad guys look like?
If I have my five IP addresses in a public cloud some place, that public cloud is attacked billions
of times a day and probably subscribes to numerous threat-intelligence services. They know
exactly what to look for. And if they don’t, they can find out pretty quickly. They probably have a
ton of resources from the security perspective.
Do I think it’s better? Absolutely. SMBs have a lot to gain by taking that step. You have to be
intelligent about it. You can’t just say, "I'm going to move to the cloud and I'll be secure." Let’s
be realistic about it. Get a partner that will get you there. Do due diligence on the partner that
you’re choosing to work with. You still can’t run into the water with your eyes closed, but I think
there's a lot of benefit to be had, absolutely.
Gardner: And we're learning more here at Discover about the HP Converged Cloud. In a
sense, it’s a cloud of clouds. You have hybrid delivery. You might have a variety of sources for
applications and services. You might have data in a variety of sources across a variety of
organizations, running from on-premises to managed hosting to multiple cloud and SaaS
providers.
Is there a way that, in addition to the security that's going on within those organizations, you can
add more security at that converged cloud layer, particularly when you’re converging network
storage, workload provisioning, governance, and so forth? What's the add-on value that the HP
Converged Cloud can bring resiliency-wise?
Choice, consistency, confidence
Los: Our Converged Cloud strategy focuses on three very simple words: choice, consistency,
and confidence. We’re focusing on consistency and confidence here and perhaps a little bit of
choice as well.
What we’re saying is that because we focus on OpenStack, because we’ve chosen to build our
platform completely on OpenStack, because we’re building across a single model, a single way
of operating, as Meg said yesterday, you can build a single security operating model and you'll
be able to implement it across your private, public, and hybrid models.
I don’t think it’s realistic to say every company will have a public cloud-only presence, just as I
don’t think it’s realistic to say companies won’t have a public cloud presence. Most organizations
will be a combination of on-premise IT, private cloud, virtual private cloud, and public cloud, all
of that somehow sharing space and workload, bursting out to each other when necessary.
As I said, systems fail, clouds fail, everything fails. So when we think about, and we've had this
on our converged cloud chat, when things fail, you have to start architecting for failure and
resiliency.
Because of this architecture that we’ve had, if you choose to get one other partner to back up
what you have with us, pick a partner that's got the same OpenStack platform and the same
models. It’s not going to be hard. There are lots of them out there.
OpenStack is a big platform. You should be able to build once, package once, deploy many
times. This saves on manpower, on cost, and on having to redevelop the security wheel over and
over and over again. That provides unbelievable amounts of flexibility of what you can do with
your enterprise.
When one cloud or a connectivity to one cloud fails, or maybe not fails, but you get attacked in
one position, you can bring up other capacity to compensate for that. That's where the true value
of cloud comes in. It’s elastic computing. It’s not a marketing buzzword.
Gardner: And when we think about the HP philosophy about cloud, that it's not lock-in, that
it's not tied to a single nameplate on the cloud, it seems to me that there's an opportunity to
reduce risk further, when you have open fungible elasticity and bursting. If there is trouble, a
problem that comes up, or a red light goes on, you can, according to people I've spoken to,
literally move an entire data center virtually from one location to another, reconstitute your
perimeter, and so forth.
So is there an inherent benefit, security and resilience, in the ecumenical bursting approach that
HP is adopting?
Los: Absolutely. That’s what that whole choice part is. That's the word that we’re using. It’s
choice, consistency, and confidence. We were all consumers, Meg was a consumer of ours as
well, at some point. I was a consumer before I became a vendor.
Option to standardize
This is the longest I’ve ever worked for a vendor in my life and I can’t imagine myself
anywhere else. The reason for that is because I think we give people the option to standardize on
us, but if they chose to move off of us at some point, it’s okay. We’re not going to make them
completely redevelop their platforms. That makes the reason to stay with us that much more
compelling.
This is one of those things where locking somebody into a platform is a terrible idea. Vendors
used to do this years and years ago with the more proprietary platform. "We'll get them on it, and
they’ll never be able to get off." That's not smart thinking. It's just not.
Gardner: It’s not resilient.
Los: It's not resilient, because it fails everybody. It builds animosity and tension, and when
something fails, everybody loses.
Gardner: One last area I'd like to get into is this idea that we're seeing highly virtualized
environments. We’re talking about virtualized server instances, workloads, and network storage.
Disaster recovery (DR) technologies have evolved to the point where we're mirroring and
moving entire data centers virtually from one location to another, if there's a resiliency issue like
a natural disaster or a security or cyber attack that impacts an electric grid or something along
those lines.
Is there a sort of a tipping point that we’re at, when it comes to higher levels of virtualization,
some of the DR speeds, working with de-duplication and reducing the amount that needs to be
moved in these instances, that gives us this higher level of security, simply because of the
mobility in which we can now exercise for vast amounts of data and applications?
Los: I believe so. Do I have an answer for that that’s clear and crisp? No, I don’t know, and I saw
a lot of that fantastic stuff. One of the things that caught my attention is we've broken the
100-terabyte-an-hour backup barrier. That blows my mind. I used to work in IT when we were lucky
to get 100 gigs an hour and I remember 100 megabytes an hour being a challenge on those giant
DLT tapes sometimes over networks.
The idea that we can take an entire cloud and because of data de-duplication, because of the way
we move workloads and policies all in one fell swoop, and the way we package things once and
move them, as a model, rather than everything together, moving metadata rather than the actual
data, it gives us the ability to move things.
One thing that everybody needs to think about is what is this doing for our bandwidth
requirements. Bandwidth is a silent thing nobody really thinks about. I've had this discussion
with our networking folks. People are building clouds all over the place now and that's great, but
it’s really easy to get out to a vendor, to get out to a public cloud or whatever, amass an absolute
metric ton of data, and then say, "I want to move." How are you going to take your data from
there to there? That’s a big question.
You need to do your homework ahead of time, make sure you know what you’re getting into, and
make sure you know what technologies are being supported. Don’t get in and know the dinosaur.
This is all important stuff, and you want to have a vendor and a partner that is at the cutting edge
of technology for stuff like this.
As Jeff Katzenberg, somebody who has been into cloud business since before cloud was a
marketing buzzword, said, "Hi. We’re HP. We’ve been doing this for a while. Join us. The water
is fine."
Gardner: Very good. I'm afraid we'll have to leave it there. We’ve been talking with Raf Los of
HP Software on his interesting personal perspectives about the evolution of security into the
concept of enterprise resiliency, and how that also impacts the move to cloud and cloud models.
Thanks so much, Raf.
Los: Thank you for having me once again.
Gardner: And thanks to our audience for joining this special HP Discover Performance podcast,
coming to you from the HP Discover 2012 Conference in Las Vegas. I'm Dana Gardner, Principal
Analyst at Interarbor Solutions, your host for this ongoing series of HP-sponsored discussions.
Thanks again for listening, and come back next time.
Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.