Security In Depth: Your Guide to SecTor 2019

SecTor is Canada’s largest cybersecurity event, which takes place in Toronto each year in October. I acquired a full access media pass and learned a lot during this year’s event. There were so many great talks, and so many vendors. I'm thrilled to share my experiences with you.

The Keynote

The keynote speech Wednesday morning was given by Dell EMC Fellow Radia Perlman. Over the course of her illustrious career, she went from “feeling ignorant about computing” to designing router protocols that are more scalable, more robust, easier to use, and more configurable.

Perlman’s cybersecurity career has been really impressive so far. She understands intuitively how computer jargon can be confusing to people, and why folks should feel safe and welcome to ask questions. Her attitude is that absolutely everyone is a student in some way or another, and absolutely no one knows everything!

I really enjoyed listening to her talk. Here are some words of wisdom from Perlman:

Perlman on Hype

“Here's an example of confusion and hype: Blockchain. Blockchain started as a technology for Bitcoin. People made money on Bitcoin, and the more hype, the more money they made. So, it's good to have more and more hype. Blockchain becomes powerful for attracting venture capital. Hence, ‘I'm making shoelaces that are Blockchain-enabled.’ (Audience laughs.)

So, people assume that the technology must be important due to all of the hype. I was one of the earliest Blockchain skeptics. For a long time, I was thinking, ‘What am I missing? The world seems so enthusiastic about it.' As I was a Blockchain skeptic, people were sending me all kinds of articles. Apparently, Blockchain is the biggest innovation since the Internet. It was being considered as the solution to all sorts of problems. I even read ‘the U.S. military is considering using Blockchain to secure nuclear weapons.’

There are some misleading statements that I hear. ‘Look how many applications I can build on Blockchain.’ If you assume Blockchain is a black box, and an API stores data and retrieves data, indeed there are many applications you can build on it. But these applications could have easily been built using a disk or a cloud or a storage array.

There might be some sort of societal problem, like children dying of E. coli. The solution is (in theory) to put the supply chain history on Blockchain. But the problem is, it isn’t solving the hard problems, like how do farmers get credentials for writing things. If you have lettuce that may be infected, who’s putting the RFID tags on them and from where? Simply using a database could be more efficient.

Yeah, the problem with how people react to new technologies is that sometimes, they think it’s the correct hammer for all of the nails of the world’s problems. But not all of the world’s problems can be solved with encrypted ledgers. My shoelaces don’t need Blockchain, you know.”

Perlman on the Issue of Distributed Trust

“Distributed trust is the interesting thing in and of itself. Distributed trust says, putting all of your information in one organization is scary. The organization can become evil. Either because they hire an evil employee, or someone steals their private key. Also, a single organization might have to prove something to a third party. Does Blockchain solve that? Not really. People assume that it gives you security, but it doesn’t really.

Are there other ways of protecting against a malicious participant? Credit rating agencies are an example. Someone decided on a consortium of organizations that would be the credit rating function for the world. But if anyone wants to be a credit rating bureau, they just do it.

Could Blockchain be the answer (to securing) healthcare? Imagine this. Your entire medical record is on the Blockchain. Databases will automatically update your data, so for diagnostic tests, your results are recorded without a third party. I can’t imagine an application less suited to Blockchain! A world-readable database? A world-writable database? Who’s going to organize credentials so people don’t just put garbage out there?”

Perlman on How People Communicate with Technical Experts

“I think if you want to be a professor, you should, you know, actually like students. You should want to help them. An old friend once asked me, ‘Are you enjoying grad school?’ I said, ‘No, I'm floundering.’ I tried to get started on a thesis and my professor said, ‘Oh, come join me.’

The way I got involved with Digital Equipment Corporation (DEC) was pretty interesting. It was exactly the right place at the right time in history. There was a workshop that happened periodically. Someone working in one told me, ‘Oh there's this difficult routing problem that I'm working on.’ So I thought about it, and I looked at things from different angles, which is what I do. And then I knew just how to do it. I added to the agenda of the next workshop by writing, ‘Here's the problem, and here's the solution.’

Nobody asked any questions. At the end of the workshop, the guy running it said, ‘Remember, everyone. There's this important unsolved routing problem I want you to all think about.’ Which is what I just presented. This guy approached me and said, ‘That's incredible! I've been thinking about it for a while. Once you see the solution, it's so obvious. So, we'll use it at DEC then. You have to get involved with Digital.’ So that’s how I got the job. I became the person to design (OSI) layer three for DECnet.”

Perlman on Security Culture

“How do you improve the culture to attract and retain women and minorities, and help them thrive? I think that’s the wrong question. The right question is, how do we improve things to attract and retain all good people throughout?

So for good security culture, it has to be safe to ask questions. Now you say, ‘Of course it’s safe to ask questions!’ But one of my previous companies was exactly the opposite. The culture was dominated by these extremely aggressive people. If you asked a question, especially in public, they would say, ‘You don’t know that? You don’t belong in this room!’ Can you imagine? So, if someone asks me a question that supposedly everyone knows, I don’t say ‘how can you not know that?’ Instead, I say, ‘it’s the coolest thing, and I can’t believe that I have the honor to explain it to you!’”

Perlman emphasized that there are no dumb questions. If people don’t feel comfortable in asking them, the effect on cybersecurity and the computer technology industry as a whole can be devastating. Perlman’s talk was a great one to hear, and I’m impressed by how well prepared she was to deliver the keynote.

Enabling Zero Trust with Artificial Intelligence

The next talk I attended was presented by BlackBerry Cylance’s own Chris Pittman. He discussed the ways that we must innovate away from the perimeter model of network security. The message from his talk was very clear. The perimeter as we know it is obsolete. Identity is the new perimeter.

Here’s what he had to say:

Pittman on Identity and Authentication

“I want to talk specifically about zero trust and zero authorization. From the security practitioner's space, the idea is to secure the environment, secure data, secure users, secure devices. From the consumer or end user's side, there's a need, a desire, and a necessity to accomplish that without impeding their productive capabilities.

A word that can be used to describe that is ‘frictionless.’ We want to apply and implement this as often as possible. Frictionless security, because what we do know about end users in general is that if we implement security controls that stop them from doing their job, they'll find other ways to do it - and a much less secure way to do it.

We believe we’re at a point in the history of technology when the ‘artificial intelligence winter’ is over. We finally have the data storage possibilities to realize some of the possibilities of AI, and to make possible real-time transparent security in a production space.

What we’re really talking about is utilizing machine learning to implement transparent security measures and controls. The security controls we’re talking about implementing are not necessarily new. There are age-old disciplines about identity, authentication, role-based access control, and understanding the perimeters we deal with. Although the perimeters themselves are evolving and changing - there is no longer a network perimeter.

But maybe the network perimeter can be considered to be the user’s identity itself. Maybe the user’s identity is that new perimeter.”

Pittman on True Zero Trust

“Let’s talk about this concept of zero trust. Let’s define it, to make sure we’re all on the same page. Which is difficult because the idea itself is about ten years old. It was born at Forrester Research. It didn’t have a definitive framework around it. But there’s still no definitive answer about what zero trust means. If you talk to all of the vendors, they’ll each give you a different definition. And there are lots of technologies that’ll implement a zero-trust environment for you.

Let’s just talk about the fundamentals of zero trust. First, let’s understand that zero trust wasn’t born as a security practice or framework. It is a response to the world and how it has changed. With the explosion of data capabilities across the world, users are accessing distributed data from multiple devices. Data is everywhere. The users (of this data) are everywhere. They’re no longer using a single securable device. They’re accessing their applications, their data, and their assets through multiple devices. They’re doing it from multiple locations.

This introduces, of course, a unique security problem. We can’t fundamentally secure any one of those resources because they’re all moving, they’re all dynamic. But if we implement a security control on any of those, we introduce friction. The friction is ultimately going to lead to the circumvention of the security control. It just won’t be implemented, or it’ll be turned off by the business side. Because the business side is ultimately not going to allow productivity to be infringed.

In a zero-trust model philosophy, the network is always assumed to be hostile. It doesn’t matter if you own the network, if you designed the network, if you control the network. Or if it’s a completely public network. There’s no trusting anything in a zero-trust model. You have to understand that, because what happens in a lot of the limitations of products or security frameworks that would propose to be zero-trust, is they ultimately end up putting in a control that says, ‘Yeah, now we trust at least this part of the network.’ Or we narrow the perimeter of the network and say, ‘well we now trust this perimeter or this segment of the network.’

In a true zero trust environment, you don’t trust any part of the network, at any time, anywhere.

Understand this: threats exist both internally and externally. Not just outside, the threats are also inside. And the inside threats are not just dumb users, they’re not just misinformed users, or poor security hygiene users. There are internal, active threats against you, your users, your data, and your environment.

Trust itself is a vulnerability. It should be measured and understood in a risk matrix. And it should be considered the same as any other vulnerability that can be quantified.”

Pittman on How Zero Trust Environments are Implemented

“I’m taking in all of this data from the macro and micro context of the device. The data, the application, the service, and the user. And I need to apply in real time the specific necessary policy for that situation. Understand that the policy that I’m applying can’t be just about the user, it’s not about just what they’re trying to use. It’s the combination of all of those things, plus the environment, plus behavior.

Behavior is much more than just what (programs) I’m opening or closing. It’s ‘how am I behaving as a human being?’ I have to dynamically adjust and apply policies in real time. I may not have a cloud to push out that policy. So, the mechanisms to apply policies must be portable, global, and transparent enough to exist on that device. This is made possible for the first time in history by machine learning.”

I’m excited about the research BlackBerry Cylance is doing to apply artificial intelligence to building the zero trust environments we need now. With the perimeter model of network security obsolete, identity is the new perimeter!
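To make Pittman’s description concrete, here is a small policy engine I wrote as an added example; it is not BlackBerry Cylance code and it does not use machine learning. It scores each access request from the combination of identity, device posture, environment and the user’s behavioural baseline, tightens its thresholds with the sensitivity of the resource, and deliberately never reads the network the request arrived from, which is the “no part of the network is trusted” rule from the talk. All field names, weights, thresholds and the sample user `alice` are my own assumptions.

```python
"""Toy continuous-evaluation policy engine for a zero-trust model.

Added example, not BlackBerry Cylance's product or code. Every access request
is scored from identity, device posture, environment and behaviour against a
per-user baseline; the network the request came from is never a source of
trust. All field names, weights, thresholds and sample data are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    user: str
    resource: str
    sensitivity: int        # 1 = internal, 2 = confidential, 3 = restricted
    mfa_passed: bool        # MFA completed in this session
    device_managed: bool    # enrolled in endpoint management
    disk_encrypted: bool
    patch_age_days: int     # days since the device was last fully patched
    country: str            # derived from client geolocation
    hour_utc: int
    network: str            # "corp", "home" or "public"; deliberately ignored


@dataclass
class Baseline:
    """Behavioural baseline per user (a real system would learn this)."""
    usual_countries: frozenset
    usual_hours: range      # hours (UTC) in which the user normally works


@dataclass
class Decision:
    action: str             # "allow", "step_up" or "deny"
    score: int              # accumulated risk; higher means less trust
    reasons: list = field(default_factory=list)


# Constructed sample baseline for one user (assumption).
BASELINES = {
    "alice": Baseline(usual_countries=frozenset({"CA"}), usual_hours=range(12, 23)),
}


def evaluate(req: AccessRequest, baselines=BASELINES) -> Decision:
    """Combine identity, device, environment and behaviour into one decision."""
    base = baselines.get(req.user)
    if base is None:
        # Unknown identity: nothing to evaluate against, so fail closed.
        return Decision("deny", 99, ["no baseline for user"])

    score, reasons = 0, []
    checks = [
        (not req.device_managed, 3, "unmanaged device"),
        (not req.disk_encrypted, 2, "disk not encrypted"),
        (req.patch_age_days > 30, 2, f"patches {req.patch_age_days} days old"),
        (req.country not in base.usual_countries, 2, f"unusual country {req.country}"),
        (req.hour_utc not in base.usual_hours, 1, f"unusual hour {req.hour_utc:02d}:00 UTC"),
        (not req.mfa_passed, 1, "no MFA in this session"),
    ]
    for failed, weight, reason in checks:
        if failed:
            score += weight
            reasons.append(reason)
    # req.network is intentionally never consulted: a corporate or VPN address
    # earns no trust, and a public one costs none.

    # Thresholds tighten as the resource's sensitivity rises.
    allow_max = 3 - req.sensitivity      # 2, 1, 0
    deny_min = 8 - req.sensitivity       # 7, 6, 5
    if score >= deny_min:
        action = "deny"
    elif score > allow_max:
        action = "step_up"               # require fresh interactive MFA
    else:
        action = "allow"
    return Decision(action, score, reasons)


def demo() -> list:
    """Three constructed requests from the same user; returns their decisions."""
    healthy = dict(user="alice", mfa_passed=True, device_managed=True,
                   disk_encrypted=True, patch_age_days=5, country="CA", hour_utc=14)
    return [
        # Healthy managed device on a coffee-shop network: the network is irrelevant.
        evaluate(AccessRequest(resource="wiki", sensitivity=1, network="public", **healthy)),
        # Same user on the corporate LAN, but from an unmanaged, unencrypted laptop.
        evaluate(AccessRequest(**{**healthy, "device_managed": False, "disk_encrypted": False},
                               resource="wiki", sensitivity=1, network="corp")),
        # Unmanaged device, unusual country and hour, asking for restricted data.
        evaluate(AccessRequest(**{**healthy, "device_managed": False, "country": "RO", "hour_utc": 3},
                               resource="payroll-db", sensitivity=3, network="corp")),
    ]


if __name__ == "__main__":
    for d in demo():
        print(d.action, d.score, "; ".join(d.reasons))
```

Running it yields allow, step_up and deny for the three requests. The second case is the one to notice: being on the corporate LAN does nothing to rescue an unmanaged, unencrypted device, and the first case shows a public network costs a healthy device nothing. The `reasons` list is what you would log so that a step-up or denial can be explained to the user and reviewed by the SOC.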

Insights from Live and Simulated Incident Response Failures

The next talk I attended was presented by my friend, security architect Chad Calease. A lot of organizations struggle with incident response, so I was eager to listen to what Calease had to say.

Calease on Identity Theft

“I don’t really have much interest in security. It turns people off when you say that word. It makes people feel incompetent, dumb, and unprepared. But I had a phone call in 2006 from a really good friend. They called me and asked, ‘Do you know anything about identity theft?’ I had no idea. I’m a technical person. But they’d been financially ruined over eighteen months because of it.

Over the next three years, we worked on a process. The most heartbreaking part of the story is that there were things they could have done (to prevent the identity theft).

There are acceptable risks, and there are preventable ones. While I was helping my friend, I took a look at all of the simulations that apply to disaster recovery. I was implementing a context for privacy and resilience, so that (the thinking goes) if we make mistakes, how prepared are we for when we do?

Most of the things I’m going to show you come from the experience of eleven years of doing these simulations for organizations from large Deloitte-sized companies all the way down to small law firms, healthcare providers, and everything in between.”

Calease on How People Interact with Technology

Calease described someone flying an aircraft as an example of how people interact with technology, particularly new tech:

“I asked them, ‘Are you okay?’ They said, ‘Yes, I’ve played a few video games. I’ve flown in aircraft simulations.’ Establishing trust is much easier when we’re using a simulation, (however) the experience is part of the simulation. It’s kind of like teaching a kid how to ride a bike. If there’s an accident, if they get hurt, we say, ‘Here’s a helmet.’ Now they’re going to ride in even more risky ways because they feel invincible, because now they have a helmet on.

We can do that in security all the time. We can introduce things in such a way that we give (users) these tools and this mental model. ‘We don’t have to care about anything because the tools are going to protect me.’ (Audience laughs).

We want to give them a helmet. But we also want to give them some expertise and a philosophy of why they need to be secure. The helmet should be more of a deterrent. If we choose friendly tools, they're going to work with that. But if the tools aren't friendly, they're just going to work around them and create more risk. I made that mistake a lot.”

Calease on the 140-year History of Ketchup

Calease also discussed how Heinz was reluctant to change while its ketchup dominated the market for decades. In the 90s, someone in the company suggested making plastic squeezable bottles to complement the glass bottles they’d been using since the Victorian Era. The suggestion was resisted until Heinz produced its first plastic squeezable ketchup bottles in 2002. In the early 2000s, the ketchup market grew. But partly thanks to the plastic bottles, Heinz’s ketchup sales grew even faster than the overall ketchup market did.

The moral of Calease's story is that if we make technology easier for people to use, they're more likely to use it. Let's implement better security measures and products in the same way Heinz implemented more user-friendly ketchup bottles.

Cloud Native Security Explained

The first talk I attended on Thursday was given by another friend of mine, application security specialist Tanya Janca. She led a fun and interactive presentation. Here are some of her pearls of wisdom:

Janca on The Cloud and Native Cloud Security

“What is the cloud? Cloud computing is the on-demand availability of resources, especially storage management and computing power, without direct management by the user.

I’m going to give you some more definitions that I like better. Basically, I want a virtual machine, I want a platform as a service. You give (the vendor) your credit card and what happens is that I’m able to have my virtual machine expand (resize) horizontally or vertically. It just happens. A lot of magical stuff happens without having your own datacenter.

In traditional datacenters, you often have to apply patches manually and you need your own security staff. In the cloud there are applications and processes, and you want to automate them. Cloud native security can solve your scaling problems. You can implement a next generation firewall.”

Janca on Zero Trust

“What do you think of when you think of cloud native security?” (Audience suggestions: ‘Leveraging a large company and telemetering tools to provide security for yourself.’ ‘Security as a service.’ ‘Micro-segmentation.’ ‘Tagging.’ ‘Templating disk images.’)

“Well, every organization has different risk tolerance and I absolutely respect that. What’s zero trust?” (Audience suggestions: ‘Never trust, always verify.’ ‘No more perimeter.’ I added, “Every single entity needs to prove its worthiness of being in the system regardless of where it comes from or what it is.” Janca replied, “I feel like Kim should give a talk next year!” What an honor!)

“You don’t trust anyone, whether it’s your app, server, or your API (application programming interface). It’s identity as the perimeter.

You can now just push a button on some servers and it will automatically close all the TCP/IP ports for you, automating everything, including patch management. Some services have a dashboard where you can just look in and see your patch status and everything. I believe in defense in depth. So, it’s about total visibility and threat modeling. Now, you can just go to the main dashboard and see everything!

(This is) the automation of security throughout its lifecycle. You can monitor everything, you can see everything. So you can create automated responses. Cloud security might seem complicated, but automation, when properly implemented, can make managing it much easier.”

To conclude…

I had a great time at SecTor 2019, and I learned a ton. It was impossible for me to cover everything because multiple talks occurred at the same time, and I haven't cloned myself (yet). But I'd like to thank the SecTor folks for welcoming me for two very full days, and I'm eager to attend SecTor 2020!

About the Speakers

Radia Perlman 
Fellow, Dell EMC
Radia Perlman is a Fellow at Dell EMC. She developed the technology for making network routing self-stabilizing, largely self-managing, and scalable. She also invented the spanning tree algorithm, which transformed Ethernet from a technology that supported a few hundred nodes to something that could support large networks. She is the author of the textbook “Interconnections” (about network layers 2 and 3) and coauthor (with Charlie Kaufman) of “Network Security”. She has been recognized with many industry honors including induction into the National Academy of Engineering, the Inventor Hall of Fame, the Internet Hall of Fame, and lifetime achievement awards from Usenix and SIGCOMM. She has a PhD in computer science from MIT.

Chris Pittman
Principal Security Engineer, BlackBerry Cylance

Chris Pittman has worked in enterprise information technology since 1993 and has specialized in cybersecurity for the last 14 years. He worked in security and controls and incident response for the Ford Motor Company before moving to the security vendor space in 2008. As a sales engineer at BlackBerry Cylance, he provides technical and security guidance to global enterprises interested in implementing AI-based endpoint security solutions. He holds SEC+, CISSP and a Master of Information Assurance in Digital Forensics, which he also teaches at Eastern Michigan University.

Chad Calease
Principal Security Architect

Chad Calease is the Principal Security Architect at Forget Computers, Ltd., the largest and oldest Apple-focused MSSP in Chicago, IL, USA. The story of how he got into InfoSec is prolly not much different from yours, meandering over more than 15 years across infrastructure engineering, complex systems design, strategy, and lots of mentoring across sectors and industries in the US and overseas. His Twitter bio sums him up nicely: Dad, ludic, neurodivergent, grateful for many gifts. Mom said, “There’s always one weirdo on every bus.” But I can never find them.

Tanya Janca
Senior Cloud Developer Advocate, Microsoft

Tanya Janca is a senior cloud developer advocate for Microsoft, specializing in application security; evangelizing software security and advocating for developers through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.