Several of the panels at the inaugural Global Cyber Innovation Summit (Baltimore, May 1st and 2nd, 2019) offered industry perspective on the directions in which emerging technology will drive security.
Clouds, yes, but also making security part of the process.
In a May 1st panel moderated by Momentum Cyber’s Dave DeWalt, panelists Tom Gillis (VMware), Wayne Jackson (Sonatype), and Mike Viscuso (Carbon Black) addressed such industry givens as the growing ubiquity of clouds, public, private, and hybrid. But they also described how the sheer complexity of the systems now entering use changes the security challenge, particularly the software supply chain’s attack surface.
Sonatype’s Jackson called the sheer amount of software “astounding.” JPMorgan Chase, he said, now has some forty-thousand coders, which suggests the scale of the software being written. A great deal of this is open source, and increasingly producers of open source software have little or no relation to the software’s consumers. With eighty-to-ninety percent of any given software product being written by unknown people with equally unknown skills, qualifications, and motivations, we now face the problem of the “malicious committer.” “Working your way into a project and introducing coding errors,” Jackson said, “is pretty trivial.”
Gillis, of VMware, foresees increasing “balkanization” of the supply chain. If we have to assume that the hardware is compromised, then isolation becomes more interesting. As the line between the public and private cloud blurs, we’ll need artificial intelligence and machine learning to help manage the intersection between network management and anomaly detection.
Validating software and hardware.
These considerations combine, Carbon Black’s Viscuso pointed out, to make it imperative that we move security into the software development cycle, where it becomes part of the process as opposed to the bolt-on it has too often been. “We’re at the beginning of the shift-left revolution,” he said, apologizing for the cliché but keeping it nonetheless for convenience and clarity. “The more instrumentation we can put earlier in the process to establish clear boundaries between components that can be validated and enforced, the better.” Jackson added that it’s important to equip developers with an understanding of the effects their choices will have on the end result.
DeWalt observed that better testing should be possible, and asked whether we might have an organization like Underwriters Laboratories (UL) to mediate between the government and the private sector. Would it be possible to push tamper resistance down to a lower level? Some panelists thought the blockchain might offer some potential for decentralized transparency.
But as Gillis noted, every system is breakable. The question is how we can reduce the big holes in the infrastructure. He thought there was a lot that could be done here. Identifying “known good” will be an important capability machine learning can bring to security, but we’re still in the early stages of this approach.
A “heat map” of innovation.
ADP’s Roland Cloutier moderated a subsequent panel on May 1st that sought to lay out the places in the ecosystem where innovation was to be found. This group was drawn from the venture capital community: Momentum Cyber’s Eric McAlpine, Boston Meridian Partners’ Matt Hicks, and DBO Partners’ Brian White. They offered three bits of initial advice. From McAlpine, a recommendation to think about innovating around people and processes. From Hicks, a recommendation to look for those who can bridge the gap between ideation and commercialization. And from White, a caution that not every problem can be solved with commercial technology.
Looking over the landscape as a whole, they see large opportunities in artificial intelligence (driven largely by the expense and scarcity of human talent), in identity (“critical to almost anything”), and, of course, in risk management.
They agreed that CISOs had an important and as yet insufficiently realized role to play in technology innovation. McAlpine hoped to see more CISOs enter the investment world, and White argued that CISOs had an important contribution to make in terms of providing perspective on what their organizations’ security needs in fact were.