#EntSec -- Not Business Relevant

When Rafal Los (@Wh1t3Rabbit) asked people to describe Enterprise
Security in three words I took the humor approach with selections like
"Complete Cluster Fsck" and "Advanced Persistent Marketing". Rafal was
kind enough to post a running document with all suggestions for
reference at http://t.co/iqWlkudO and a blog post at
http://bolt.thexfil.es/3sqzj. Now, I was being quite cynical in my
responses but I do have very serious and strong feelings about this
topic.

Enterprise Security is Not Business Relevant. Now, that's quite the
inflammatory statement but unless your business is security then it's
true in practice today. Before the flaming begins let me start by
saying I believe firmly it ~IS~ business critical but I want to make
it actually _relevant_. I'm going to briefly explore what this means
to me:

- Security needs to produce better product
- Security needs to provide product, service, and visibility to the
core business
- Security needs to instill trust and good faith amongst employees and customers
- Security needs to be a competitive advantage

I'm going to talk about the first point in this post: Security needs
to produce better product.

I'm not talking about Security vendors here, I'm talking about
Enterprise Security departments within industrials, banks,
pharmaceuticals, etc. Security and privacy offer lessons, expertise,
and benefits at all stages of the product lifecycle that are not
immediately thought of by most internal customers. Some examples:

- Security Engineering frequently identifies bugs and
incompatibilities that present themselves in non-traditional or
internationalized use-cases, or with popular but untested software and
up-and-coming standards. I've yet to see a security-oriented code
review that didn't improve the tightness, readability, documentation,
etc. of code, or that didn't also improve stability and compatibility
in some aspect or another.

- Techniques used by security professionals can be used to improve the
performance and stability of almost any production environment. We
look at things through the lens of DTrace or Packet Captures in a way
most people do not. Working alongside developers and systems
administrators in this way can yield, once again, better development
and product.

- Security professionals can instill in your staff better overall
intellectual property protections by also making the privacy and
security of the end-user product better. When devops consider
end-user privacy in the context of their own, they will also carry
that practice over to enterprise data. (This parallels what I've
referred to as 'Security through undoing Facebook' which I will
re-visit in another post.)

- Security professionals have almost endless bandwidth for
understanding innovation. This is somewhat vague and arrogant but I
truly believe it from what I've seen over the past fifteen years.
Security professionals can "get" almost anything you're trying to do
and brainstorm and critique with the best of people. It's not
something that is taught; I just believe it's something that also
draws people to the security field.

Taking these examples and trying to put them into practice and play is
non-trivial in most environments. There are institutional barriers,
egos (our own included), hours in a day, etc. that all get in the way.
However, it's critical that Security becomes more ingrained in the
production of product, and thus business relevant, if we ever want to
get the funding, respect, and eventually rest we all desire.

How do I suggest you do this? Well, my first and most important step
would be to actually ~DO~ it. Seriously.. start with the developers
and see if they have a bug system you can peruse, check out a copy of
their code, submit a patch. Work with them in an agile environment.
That's effectively your road-show to the developers. Just get in the
muck and pain with them without prejudice or reservation. Don't
differentiate yourself in any way except the output: comments,
patches, etc. You might even have to learn new APIs or languages, but
it's about bleeding with them for their blood in return.

Secondly, provide unsolicited observations of the end-product in well
written, visualized if possible, and non-judgmental ways. Over a decade
ago I first did this with a few-page analysis of the core daemon for a
software product. I provided information based on profiling, disk IO,
network traffic, etc. that was all of interest to me in building a
security model BUT I didn't say any of that. I just provided it to
them in the numerous contexts of improving their product performance,
lessening infrastructure dependencies, and improving stability. By the
time they got done appreciating and implementing all that I only had a
minimal number of "security" issues to address and they were more than
happy to oblige. This lesson stuck with me ever since and it's been
endlessly valuable.

And finally, evangelize and take pride in your company's products and
services. We're a cynical bunch but we can be fanboys too. Try it
sometime, and those who fund you and whom you need to influence will
appreciate it. It's not social engineering exactly.. well.. OK, so it
is in a sense, but you'll be happier for it I wager.

That's the short of it for now. I will build on this basis in future
posts and appreciate any feedback. Cheers, -Ali

Jimmy the InfoSec Bartender: Is the MBA mightier than the Burp?

Recently on LinkedIn and Twitter, Rafal Los (@Wh1t3Rabbit) of HP was
hashing out the qualifications of a CISO/CSO. Should they be business
or technically backed?

To consider this properly a little historical context is in order.
Consider where business was ten and twenty years ago. I affectionately
call it the Jack Welch era. Where is business today? More agile,
adapting to niche markets, passionate individualism, engaged directly
with the customers, distributed worldwide by default, etc. How
different is that from the GE model of the 1990s? According to Fortune
and others, it's as night and day as you get. However, when you talk
to business insiders - and I've been fortunate (unfortunate?) to have
spent a lot of hours with some big Fortune 100 C-levels - they say
it's evolutionary and they re-tool and adapt regularly. So no panic
there.

Now, consider IT over that same period... and you'll notice agile,
niche, passionate individualism, engaged directly w/ end-users,
distributed by default, etc. That sounds familiar, does it not?
However, we can't retool completely because systems have to keep
business running 24/7/365 and our customers don't see the
architectural rot that we do. So we have layers of hugely disparate
systems that linger for decades. A bit of panic.

What also has happened is that ~casual~ life expectations have aligned
themselves across ALL industries in such a way that we're all our own
C-levels. Things like personal finance and taxes have moved upward and
things like "manufacturing" (aka DIY) have moved down-ladder. Likewise
families and communities have become distributed geographically
through the Internet while simultaneously insular on the neighborhood
level. So, tying this all together, we now have a generation of Open
Source and Open Community Citizen Engineers, led by early frontrunners
Linus Torvalds and Larry Wall, that looks remarkably like the business
play-books of the Fortune 100. It's the Soccer Mom management edict of
communities put on steroids, dealing with bigger egos, language
barriers, and the eyes of everyone. Our OS/OC Citizen Engineers have
created their own Six Sigmas and are rocking industry after industry
through trial-by-fire growth.

This is not to say that business professionals and C-levels don't have
massive amounts of expertise and perspective that everybody else does
not. They most certainly do. However, we can now relate to business
people in a way we could not a decade or two ago. Likewise in other
industries (e.g. Medical, Legal, ..) we have the same commoditization
to the Citizen of the basic underpinnings. As I'm sure we're all
aware, this trend has potentially catastrophic downsides too but
that's for another debate.

OK, ~NOW~ consider Security over the same timeframes and there is one
notable difference. There. Is. No. Baseline. As an industry we're
still selling snake oil and have huge differences of opinion with
about the same market result (e.g. hacked, stock doesn't budge). The
rules of engagement that have made it down to the end-user are so
ridiculously primitive that if we were Doctors our version of WebMD
would say "have an Apple and an Aspirin" for ~every~ ailment.

Back to the first paragraph.. it's because of that, because of the
organic nature and relative immaturity of our field, that I feel
strongly that you can't teach a CSO/CISO the ~S~ on the job. They have
to have already lived and breathed that for the past decade to have
even a fighting chance of being the C-level over the Anarchist mass of
Security Professionals. When the baseline customer is used to posting
the most intimate details of their lives and passwords, and installing
AV and patching is all they know otherwise.. well.. you're screwed at
that starting gate. If "Turing Complete" triggers a visit to Expedia,
you might as well pack up your data and leave it in the mall parking
lot.

I guess a rude way of saying it would be that you can't teach insanely
dangerous intellectual curiosity. We haz it. Sorry for the random
rant, just thinking out loud. Cheers, -Ali

A look at some #DerbyCon metrics for @jaysonstreet & @dave_rel1k using @peoplebrowsr

I was hoping to do this properly but ran into some problems.. either
way, here is a rudimentary first-pass look at how #DerbyCon stacked up
on Twitter versus other big InfoSec/NetSec conferences this year.
First, a short blurb on methodology: I used @peoplebrowsr to do some
1000-day searches and then filtered out what I perceive as
main-stream-media coverage. Then I broke it down by hashtags, retweets,
(tried to) toss bots, and Facebook public postings (not many, no
surprise).

Some high-level randoms: #HFC and associated discussion were the most
talked about overall on Twitter. Outside of the core founders/hosts,
Rob Fuller (@mubix) from direct views, RTs, etc. seems to have reached
the most people about #DerbyCon. HD Moore (@hdmoore) was a close
second. THOTCON's CFP got a big boost through @hdmoore and #DerbyCon.
And the Microsoft MS08_067 cake pic(s) were a huge early hit. Oh, and
@dualcoremusic was a huge hit, getting more talk than most parties got
at any other con, as far as I could find.

Some comparisons: #DerbyCon was far more level in chatter over the
three days than DEFCON or Black Hat. In other words, people were
almost equally excited/chatty across all three days (~5% variance).
In both DEFCON and Black Hat the first main day generated over 2x as
much noise as the following days (again, excluding MSM). Number of
tweeters vs. known attendees had a much better ratio, almost 10x, than
DEFCON and Black Hat. That ratio of tweeters/RTs/attendees was about
the same as ShmooCon 2011 and a bit better than CanSecWest. Of course
that's also a reflection of how many attendees relatively have Twitter
accounts. People seemed to get a touch more sleep at #DerbyCon than
DEFCON or ShmooCon but not much (gauged by 24/7 tweet rates).

Now, the next part will be breaking down speakers and tracks better
but at first glance it would appear Track 3 had the highest overall
talk. It will take some more time to break that all down.. I'll try to
get that done later this week. And maybe see if I can pull Identi.ca
and Diaspora into the mix a little. -Ali