The Changing Face of InfoSec

Having wanted to attend Jeff Carr’s Suits and Spooks (SNS) event for a number of years, life offered me a touch of luck since his latest event landed in Arlington, VA – just a quick jaunt from our Iron Bow offices.

Over the years, I have not always agreed with Carr’s analyses, but that is neither here nor there because the infosec intelligence game has enough facets and variables that “the truth” often becomes immaterial since we often are only left with cinder, smoke and consequences.

Differences aside, there’s no denying Carr’s ability to put together an interesting and palpably visceral event which brings together actual thinkers and doers. Furthermore, it offers both the speakers AND the audience an academic style environment from which they can actually have bidirectional communication.

While standard briefings-as-information-dump-trucks have a certain value, I’m from the school of thought that a conversation offers tangible value. It’s the idea of having a conversation vs. being talked at. SNS is a real-time live forum, with break out panels, Twitter feeds and a limited audience to allow for coherent discussion. In the world of bloated industry events – it’s a breath of fresh air.

Here are a few of the discussions that stood out to me:

There seemed to be a general consensus amongst both the spooks and the suits: the security industry is at an impasse. Our technologies are limited and the threat surface of any entity is approaching infinity. From apps, to networks, to third-party partners, to cloud providers and social media exposure: when a finite resource is pitted against infinite odds, catastrophic failure seems imminent.

In fact, we’ve seen some interesting lapses from our own industry peers; there have been a number of vendor-related technical fiascos over the past few years.

An event in recent memory sparked a fair amount of discussion simply because the vendor allegedly didn’t eat its own dog food and had its own key stores hacked, such that its own product was signing/whitelisting malware. While such events aren’t at all shocking, sacred cows being turned into hamburger seems to be an ongoing theme. I expect many multi-vertical and multi-platform BBQs will ensue as 2013 rolls along.

All that being said, how many of us perform code reviews, QA or any real kind of analysis of the security products we depend on? What about the trusted cloud provider who is a repository for your data? The cloud based authentication system? If you aren’t testing the security and resilience of their products, why would they? Do they have the in-house resources? How many of us do? What assurances do you have regarding your provider’s SDLC or security posture? If you aren’t auditing your supply chain, why would you think they are performing appropriate due diligence?

Where things got interesting was how various individuals and organizations saw government and legal frameworks intersecting with the private sector. This situation is exacerbated given that state-on-state threats tend to imply a need to legislate at an international level. To some extent, these discussions are moot, as legislation tends to have minimal impact on those who do not feel bound by it, namely criminals and state-sponsored actors.

Some other thoughts triggered by these conversations:

  • Our legal frameworks are woefully (years and years) behind the actual threats being faced by organizations.
  • There needs to be a focus on threats to businesses rather than a purely risk- and compliance-based approach. This may offer some efficiencies in the coming years of decreased budgets.
  • The infosec world is acknowledging that it is functioning in a world of smoke and mirrors, and that attribution is a dream. Therefore, in the coming years, internal and external intelligence programs will become increasingly critical for maintaining an organization’s operational state.
  • And a fun quote by proxy: “Anonymous is God’s gift to the Chinese”…and the Russians, and the French, and the Brazilians.

Overall, SNS is a well done conference and I will make certain that I attend the next one being held in La Jolla, CA this coming June 15-16, 2013. According to Carr, the next SNS will be focused on “exploring intersects between the U.S. Special Operations Forces community and the private Information Security community.” This should bring out at least a handful of interesting people from both the Suit and Spook side. Keep an eye open at Taia Global for details.
