10/16: AISA

by Gene Kim on

#aisa

Dr. Whitfield Diffie

  • Haha. Dr Whitfield Diffie: "Wish me luck that I don't say anything I'll regret." (presenting here at #aisa in Sydney)
  • Diffie: "Software is the most wonderful manufacturing material ever invented. High development cost, but low materials cost"
  • Diffie: "Internet utterly unlike any network that's been secured (military, banking); Internet built for friends to talk w/friends"
  • Diffie: "Unreliable IP (as in TCP/IP) may be greatest invention in last century. Reliability is unnecessarily expensive for many apps"
  • Diffie: "Untestable hypothesis but I believe that crime is good thing; house theft forces economic valuation: police, insurance..."
  • Diffie: "Therefore, Internet needs crime, too. Malware, intrusions, etc." Haha.
  • @halans: Dr Diffie talking about the Software Age (as in Bronze Age) #aisa (with Everyone at Sydney Conference Centre) [pic] — http://t.co/E376sdOi
  • Diffie: "Marconi: invention of radio changed everything: business had to change or be left behind: British navy got woven together as better military/diplomatic tool"
  • Diffie: "Downside of radio: people can listen in: WWI brought crypto to fore"
  • Diffie: "In World War I, encrypted msgs much slower than non-encrypted; long queues, clerking, etc."
  • Diffie: "Last rotor crypto device in NATO retired in 1980s"
  • Diffie: "Underrated: Japanese crypto Purple: telephone switches: embedded into telecomm"
  • Diffie: "My goal when inventing DHKE was to help save the world"
  • Diffie: "Crypto algorithms are fine. Everything else about crypto & infosec is rotten: key mgmt, crypto implementation, browsers..."
  • Diffie: "Security by obscurity is never easy"
  • Diffie: "Crypto frees you from auditing the path to get assurance: don't need to follow satellite path, cables. Very expensive"
  • Diffie: "Crypto is an amplifier"
  • Diffie: "Three great watersheds for communications: radio, crypto and shared resources"
  • Diffie: "During 1960s, life for ppl working on top secret work was crappy: had to work late at night, disconnected from network, etc."
  • Diffie: "Confinement/jails: best word is actually Russian term prison 'laboratory'"
  • Diffie: "Legacy of Cold War: offense much more fun than defense, and pays better, too. Policy of deterrence enabled it."
  • (!! Fascinating) Diffie: "Defense is seen as cost center. Offense is seen as profit center (can get more budget w/sexy wins)"
  • Diffie: "Expensive and get worse: vet users and defend endpoints: both grow with time and user base"
  • Diffie: "No one can write all their own software: US Air Force abandoned that in 1960s: even wrote their own compiler"
  • Diffie: "2 approaches: Trusted Computing group (limits software that can run); it makes you vulnerable to suppliers for patches and allows them to modify; if they get subpoenaed, they could do something to you"
  • Diffie: "other approach: build computer ground up for just the user; hide what kind of computer from the world"
  • Diffie: "In conclusion: 4 challenges: we need to learn how to program; the confinement problem (disgraceful that RSA helpdesk for opening an attachment: can't possibly vet all the links themselves)"
  • Diffie: "Fix human interfaces; fix liability"
  • Diffie: "State of confinement in computing is disgraceful: RSA helpdesk tech can't be held responsible for clicking on a link"

Mary Ann Davidson, CSO, Oracle

  • Next up: Mary Ann Davidson, CSO, Oracle
  • Davidson: "Soon there will be a flood, and you'll have 100K Dutch boys; it's an infrastructure problem; genetically modify to increase fingers"
  • Nice. Davidson: "What is used as infrastructure needs to be designed, built & delivered to actually BE infrastructure"
  • Davidson: "Technology is both a force multiplier and our 'Achilles backbone'?"
  • Davidson: "Lack of software assurance is a fundamental cultural problem, manifested as technical weaknesses"
  • Davidson: "You can't win a war if you don't think you're in one"
  • Davidson: "Culture shifts must start in universities; Epaminondasic Oath: 'First, assume an enemy...'"
  • Davidson: "Goal: every developer must think like a hacker"
  • @jdalessa: Davidson: CS curricula needs to change to avoid Brilliant nerds who can't communicate
  • Davidson: "Most vendors use drug addict model: install everything, get you to use everything, and charge you for it"
  • Davidson: "Was naval officer: Marine Corps: every marine is a rifleman; products must self-defend; N devices shouldn't require N defenders"
  • Davidson: "Bad or evil input deserves more than error message; it's intelligence" (every attack is a gift)
  • Davidson: "Supply chains are important: Everyone but God has a supply chain"
  • Davidson: "At last count, Oracle software is made up of over 70MM lines of code"
  • Davidson: "We must focus on resilient engineering & operations; cannot double down on systemic risk (cannot be mitigated)"
  • Davidson: "Should nuclear power plant control rods be remotely capable: 5 people w/access vs 1B PCs"
  • Davidson: "At Oracle, I report to chief architect"
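Davidson's "bad input is intelligence" point, as an added illustration (my example for this write-up, not Oracle's code and not something she showed): the validator rejects bad input with a generic message for the caller, but records the rejection with a classification and a per-source count so the security team sees a pattern, not a pile of 400s. The signature patterns, field names, source addresses and the alert threshold are assumptions; the request sequence is constructed.

```python
"""Treat rejected input as intelligence, not just an error message.

Added example illustrating Davidson's point above; it is not Oracle's code.
Signature patterns, field names and the alert threshold are assumptions.
"""
import re
from collections import Counter

# Constructed signatures (assumed): things a well-formed username never contains.
SIGNATURES = {
    "sqli":      re.compile(r"('|--|;|\bunion\b|\bselect\b)", re.I),
    "traversal": re.compile(r"(\.\./|\.\.\\|%2e%2e)", re.I),
    "xss":       re.compile(r"(<\s*script|javascript:|onerror\s*=)", re.I),
}
USERNAME = re.compile(r"[a-z0-9_.-]{1,32}")


class Telemetry:
    """Security log for rejected input, with per-source counting."""

    def __init__(self, threshold=3):
        self.threshold = threshold      # assumed: 3 hostile inputs from one source -> alert
        self.events = []
        self.per_source = Counter()
        self.alerted = set()

    def record(self, source, field, value):
        labels = [n for n, rx in SIGNATURES.items() if rx.search(value)] or ["malformed"]
        self.events.append({"source": source, "field": field,
                            "labels": labels,
                            "sample": value[:64]})  # bounded: never log unbounded attacker data
        self.per_source[source] += 1
        if self.per_source[source] >= self.threshold:
            self.alerted.add(source)
        return labels


def validate_username(value, source, telemetry):
    """Return (ok, user_facing_message). Detail goes to telemetry, not to the user."""
    if USERNAME.fullmatch(value):
        return True, "ok"
    telemetry.record(source, "username", value)
    return False, "invalid username"


def demo():
    """Run a constructed request sequence and return the resulting intelligence."""
    t = Telemetry()
    requests = [
        ("10.0.0.5",    "alice"),
        ("10.0.0.7",    "Alice"),                     # merely malformed (uppercase)
        ("203.0.113.9", "bob' OR 1=1--"),
        ("203.0.113.9", "../../etc/passwd"),
        ("203.0.113.9", "<script>alert(1)</script>"),
    ]
    results = [validate_username(v, src, t)[0] for src, v in requests]
    return {
        "accepted": results.count(True),
        "rejected": results.count(False),
        "labels": dict(Counter(l for e in t.events for l in e["labels"])),
        "alerted_sources": sorted(t.alerted),
    }


if __name__ == "__main__":
    print(demo())
```

The two things worth copying are the split between what the caller sees and what gets logged (the caller never learns which signature tripped) and the truncation of the logged sample, so an attacker cannot use the security log itself as a storage or injection channel.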

@MissAuricomous: Why do people put the empty mentos wrappers back in the bowl? #aisa #thebigissues

Next up: Bryan Sartin: Director Investigative Response, Verizon Business

  • Next up: Bryan Sartin: Director Investigative Response, Verizon Business
  • Sartin: "Verizon is largest non-military investigative organization"
  • Could be worse. Bowl could be full of used chewing tobacco. :) @jdalessa: Yes! I prefer finding them on the chair next to me...
  • Sartin: "DBIR is all about studying failures, not successes; modeled after NTSB investigations (airline crashes)"
  • Sartin: "DBIR encompasses 2000+ confirmed data breaches over 8 years"
  • @jdalessa: Sartin: 8 years of Verizon research, 2000+ confirmed data breach cases, more than 1 billion records stolen.#aisa
  • Sartin: "New trend: 5 out of 6 attacks are industry specific attacks: gas/electric, defense"
  • Sartin: "Again, vast majority of records lost were by companies 10-100 employees: restaurant, hospitality, etc."
  • @jdalessa: Sartin: Trend starting in March this year, 5 out of 6 breaches Verizon reported on were data espionage related. #aisa

Eran Feigenbaum

Director of Security, Google Enterprise

  • Next up: Eran Feigenbaum, Director of Security, Google Enterprise
  • Feigenbaum: "Now over 1 billion blogs online"
  • @jdalessa: EranF: Just under 1 billion blogs currently in operation, and 72 hours of video uploaded every minute.
  • Feigenbaum: "Writing more infosec policies [& other status quo] doesn't work at Google, & will likely cease to work for you, too"
  • @jdalessa: EranF: 50% of users say they would be more effective at work if they had the same tools they had at home. #aisa
  • Feigenbaum: (From Cloud Sec Alliance): "Spectrum: IaaS 'build security in' vs PaaS vs SaaS 'you RFP security in'"
  • Feigenbaum: "If you could build your infrastructure from scratch, what would u do different? That's what cloud vendors have done"
  • Feigenbaum: "Google: tens of thousands of identical systems: run on hardened custom built Linux software stack"
  • Feigenbaum: "Microsoft stat: most orgs take 60-90 days to deploy patches"
  • @jdalessa: EranF: Homogeneity is good for security because outliers (malware, etc) stick out.#aisa

It is an incredible feat to make what Google does (which is so exciting), so entirely deadly boring....

I'm so bored.

  • ie, Variance -> risk. RT @jdalessa: EranF: Homogeneity is good for security because outliers (malware, etc) stick out.#aisa

  • @halans: Feigenbaum: "Google has 300 people in their security team"


  • (Repetition creates mastery) Feigenbaum: "At least once per year, run a drill of security incident as if security breach happened"

  • Feigenbaum: "Google Apps reliability: 99.984% in 2010, 99.99% in 2011; zero scheduled maintenance; 46x more reliable than Exchange"

  • @halans: "Who Has Your Back?" Corporate Transparency About Government Demands for User Information #aisa https://t.co/i1Qxo9nh


  • Feigenbaum: "Google first to prove that SSL was more than just for login screens"

  • Feigenbaum: "I get this call weekly: 'My gmail acct just got broken into. Please help me.' Problems: is it the real acct owner?"
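Feigenbaum's "homogeneity is good for security because outliers stick out" point (and my "variance -> risk" gloss), as an added illustration that is mine, not Google's tooling: compute the majority build of a fleet from an inventory, then report every host that drifts from it. With an identical stack on every box, a stale patch, a box that was never rebuilt, and a component nobody installed all fall out of the same check. The inventory, host names and package versions are constructed; the "half the fleet" cut-off for what counts as baseline is an assumption.

```python
"""Fleet homogeneity check: flag hosts that deviate from the majority build.

Added example for the "outliers stick out" point above; not Google's code.
The inventory is constructed and the component names/versions are assumptions.
"""
from collections import Counter

# Constructed inventory: host -> {component: version}. Assumed data.
INVENTORY = {
    "web-01": {"kernel": "3.2.0-4", "openssl": "1.0.1e", "nginx": "1.2.1"},
    "web-02": {"kernel": "3.2.0-4", "openssl": "1.0.1e", "nginx": "1.2.1"},
    "web-03": {"kernel": "3.2.0-4", "openssl": "1.0.1e", "nginx": "1.2.1"},
    "web-04": {"kernel": "3.2.0-4", "openssl": "1.0.1c", "nginx": "1.2.1"},    # stale patch
    "web-05": {"kernel": "3.2.0-4", "openssl": "1.0.1e", "nginx": "1.2.1",
               "cryptominer": "0.1"},                                          # unexpected component
    "web-06": {"kernel": "3.2.0-3", "openssl": "1.0.1c", "nginx": "1.1.19"},   # never rebuilt
}


def baseline(inventory):
    """Majority version of every component that at least half the fleet carries."""
    seen = {}
    for pkgs in inventory.values():
        for comp, ver in pkgs.items():
            seen.setdefault(comp, Counter())[ver] += 1
    half = len(inventory) / 2   # assumed cut-off: rarer components are not baseline
    return {comp: ctr.most_common(1)[0][0]
            for comp, ctr in seen.items() if sum(ctr.values()) >= half}


def deviations(inventory, base=None):
    """host -> list of human-readable findings, for hosts that differ from baseline."""
    if base is None:
        base = baseline(inventory)
    out = {}
    for host, pkgs in inventory.items():
        findings = []
        for comp, want in base.items():
            have = pkgs.get(comp)
            if have is None:
                findings.append(f"missing {comp}")
            elif have != want:
                findings.append(f"{comp} {have} != baseline {want}")
        for comp in sorted(pkgs.keys() - base.keys()):
            findings.append(f"unexpected {comp}")   # what malware looks like in a uniform fleet
        if findings:
            out[host] = findings
    return out


def homogeneity(inventory):
    """Fraction of hosts exactly on baseline; 1.0 means fully homogeneous."""
    return 1 - len(deviations(inventory)) / len(inventory)


if __name__ == "__main__":
    for host, findings in deviations(INVENTORY).items():
        print(host, "->", "; ".join(findings))
    print("homogeneity:", homogeneity(INVENTORY))
```

The check is only as good as the inventory: it has to come from something the host cannot lie to (a package database read by an agent the host's own software cannot tamper with, or an image hash checked outside the host), or a compromised box will simply report the baseline.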

My talk

  • @jdalessa: AISA Up next: Gene Kim
  • @VS_: Rugged presentation kicked off by @RealGeneKim with Visible Ops flashback.
  • @jdalessa: GeneKim: high performing co's lead with discipline and rigor.
  • @jdalessa: GeneKim: bad decisions about software and dev can lead to negative effects on the bottom line.
  • (And bad infosec outcomes!) @VS_: “Fragile operations lead to over-promising and under-delivery.” @RealGeneKim #AISA
  • @jdalessa: GeneKim: complex problems compound over time to where the fragile operation can no longer fix in a reasonable period of time. #aisa
  • @VS_: Technical debt compounds: fragile ops. @RealGeneKim at
  • Haha. @VS_: “Every company is an IT company…” @RealGeneKim spreading the heresy. All hail HypnoGene.
  • True! @jdalessa: GeneKim: 95% of all capital projects have IT component. I read a note recently that 80% of all IT projects fail.
  • @benbuchacher: RT @VS_: “Every company is an IT company…” @RealGeneKim spreading the heresy. All hail HypnoGene.
  • @jdalessa: GeneKim: New move toward Devs thinking like ops, ops thinking like Devs.#aisa
  • @halans: DevOps => ^(?<dept>.+)Ops$
  • @VS_: And we have a recap of the last few #velocityconf presentations rolled into a few slides. Jaw-dropping # of changes. @RealGeneKim at #AISA
  • @VS_: “Systems thinking: do Toyota’s continuous improvement approach.” Kaizen. @RealGeneKim at
  • Consistent themes are startling & exciting! @jdalessa: GeneKim: Never unconsciously pass defects downstream. Better coding, like Davidson and Diffie.

  • @jdalessa: GeneKim: Define the work and make it visible.

  • @VS_: “With a click of a button build entire systems. Build in parallel entire dev, test, and run environment.” @RealGeneKim at #AISA

  • @jdalessa: GeneKim: Change the agile sprint policy. At the end of a sprint have the code and the enviro it runs in.

  • @VS_: “Learnings from run environment need to be fed back to the devs; feedback loop a must.” @RealGeneKim at #AISA

  • @halans: Rapid fire DevOps preso by @RealGeneKim #aisa http://t.co/GftBVcRA

  • @halans: Andon cord pulled 100x a day at Toyota

  • @VS_: “Properly managed handover from Devs to Ops required to prevent fragile environment.” @RealGeneKim at #AISA

  • @Steve_Lockstep: Just arrived at #aisa. First slide I see of Gene Kim's is worryingly like TQM. Lets see where this goes ... But #qualityisdead

  • @halans: "We found that when we woke up developers at 2am, defects got fixed faster than ever" P. Lightbody

  • @jdalessa: GeneKim: Embed developers into IT Ops, more knowledge sharing, more transparency, more accountability.

  • @jdalessa: GeneKim: by embedding dev in ops defects are fixed faster, feedback loops are closed, siloing drops off. Culture changes.

  • @VS_: “Create a culture that encourages constant experimentation and learning from failure.” @RealGeneKim at #AISA

  • @jdalessa: GeneKim: Repetition is a prerequisite to mastery.

  • @transparenzia: RT @jdalessa: GeneKim: Embed developers into IT Ops, more knowledge sharing, more transparency, more accountability.

  • @jdalessa: GeneKim: in order to survive failure, we have to fail often -NetFlix

  • @VS_: “Netflix Chaos Monkey by @adrianco mentioned. Loud expressions of disbelief and ‘Whaaat?’ heard in the audience.” @RealGeneKim at #AISA


  • @jdalessa: GeneKim: Anyplace we can fail, prior to our customers experiencing a failure of ours, is a positive dev environment.

  • @halans: Netflix Chaos Monkey Released Into The Wild #aisa http://t.co/Z8rQHTVI

  • @jdalessa: GeneKim: Allocate 20% of your cycles on IT debt reduction- Marty Cagen, eBay

  • RT @VS_: “20% cycles to reduce technical debt continually or spend all ur time reducing it” @RealGeneKim at #AISA

  • @VS_: “End result of Rugged Ops: winning all around.” @RealGeneKim at #AISA

  • @VS_: “In almost every organisation where departments are segregated: dev, ops, security, … failure is imminent.” @RealGeneKim at #AISA

  • @jdalessa: GeneKim: When people feel trapped in a system where failure is pre-ordained, we suffer as people. IT waste has a flow-on effect. #aisa

  • @jdalessa: GeneKim: More from Gene http://t.co/HXPEdLmm and IT Revolution Press

  • Thanks everyone! For slides, "Top 11 Things You Need To Know About DevOps," resources, goto http://www.instantcustomer.com/go/75894

A Manifesto For Cyber Security

Alastair MacWillson, Chair, Institute of Information Security Professionals, Global Managing Partner Security Practice, Accenture

  • Up: Alastair MacWillson, Chair, Institute of Information Security Prof, Global Managing Partner Security Practice, Accenture
  • @jdalessa: DrMacWilson: there is too little imagination, diversity and criticism in the field of info sec management. Hear, hear!
  • @VS_: “Anonymous was great in getting #infosec issues into Board meetings.” Dr MacWilson at #AISA
  • @jdalessa: DrMacWilson. We should thank hacktivist groups for raising global awareness of cyber security like no media outlet to date
  • @jdalessa: DrMacWilson:how do you reconcile head count reduction with an increased need for skilled professionals?
  • @VS_: “Sec thinking must evolve: perimeter (80’s), defence in depth (90’s), I&AM consolidation (00’s) to info-centric sec” Dr MacWilson at #AISA
  • @SteveLockstep: Does the #infosec profession tend to repel anything that suggests managers have presided over vulnerabilities?
  • @VS_: And now I feel I’m feeding back into the Twitter #InfoSec echo chamber. We all know this, we’re just not spreading the heresy. #AISA
  • @VS_: The infosec echo chamber isn't where message is needed. IMHO, it's Dev, IT Ops, Proj and Prod Mgmt. There is a better way. :)
  • @VS_: “Industry best practice isn’t necessarily a good practice to stop security issues.” Dr MacWilson at #AISA
  • @Steve_Lockstep: IMO defense in depth is badly marred by orthodox ISMS: intellectual progeny of ISO 9000. Management painting-by-numbers #aisa #infosec
  • @VS_: “Security has not caught up with technology from 10 years ago and is rapidly falling behind.” Dr MacWilson at #AISA
  • @VS_: “Advance #infosec by thinking differently, not like rigid rules-based robot, but a creative technologist.” Dr MacWilson at #AISA
  • @VS_: “Rigid controls and structures pose a challenge for people to find a work-around to do their work faster and easier.” Dr MacWilson at #AISA
  • MacWilson: "IISP (Intl Inst Infosec Professionals) has 3000 members, 30 corporates, govt certification authority"

Haha. "Immoral! Irresponsible!" :) @x509v3: @RealGeneKim @VS_ @adrianco I got the same reaction in a room full of auditors too :)