Episode 72: What Are the Real Threats for 2010?

Amrit Williams, BigFix CTO, takes a look back at 2009, and a look ahead at what the real threats of 2010 will be with Mike Rothman, founder of Security Incite.


FULL TRANSCRIPT

Amrit Williams: Welcome! This is Amrit Williams, your host on Beyond the Perimeter, and today I am joined by Founder, President, and Principal Analyst with Security Incite, Mike Rothman.

So Mike, I wanted to actually turn a little bit to a look back and a look forward. 2009, you know, we had some interesting things happen. Was there anything in 2009 that stood out in your mind as a really important and impactful event for security in general or IT in general?

Mike Rothman: Sure well you know, I mean I think we can sit here and look at the end of 2009 and say, you know this really was the year of the cloud, right? And I don’t mean from the standpoint that people are actually doing anything with the cloud but it seems that all we’ve been talking about at least for the last six to eight months has been cloud, this cloud that, you know managed service this, managed that.

So you know I think we look back and once again, you know again having followed all these markets for many years as you have it’s just funny to pay attention to the cycles. How you know, the hype cycles happen and then when you don’t actually start hearing about stuff, or if you stop hearing about stuff is probably when it’s really starting to be deployed by a number of customers.

So you know, I look back and say a couple of things. One, you know, we were all very enamored with the cloud and the impact that that’s going to have on the computing infrastructure, which I believe will be measured most likely in a decade as opposed to a year and I think we kind of forget that. But from a security standpoint, it’s been more the same and from my standpoint I’m kind of numb to it at this point. You see okay here are the top ten data breaches of 2009 and all of them are pretty much north of hundred million identities compromised, right?

You know whereas two years ago it was like, holy crap somebody lost 100,000 identities. You know, the magnitude of the attacks has just really gotten so crazy that you kind of lose perspective on it. It reminds me of when I did an internship in college at Mobil Oil Company and you know the models we were making were kind of breaking Lotus 1-2-3 because it had like a hundred digits. Because this guy, you know they were measuring revenues in 70 billion and not that that’s so big now but back in the late 80’s it really was. So you just kind of get numb to just the sheer magnitude of the attacks that are happening now and I actually think that’s kind of a dangerous thing because you get sort of complacent and even if—you know your complacency is “oh crap, you know, identities are going to get lost. There’s nothing I can do about that.” Complacency in any way, shape or form is a very dangerous thing. So that’s kind of the first comment that I would make is that, I do see an increasing amount of apathy. I do see a significant amount of complacency and I see a lot of very innovative attacks.

We can talk a little about that RBC pimp pay card attack. Right, where these guys got into the system, were able to replenish a series of 45 ATM cards and these guys had a worldwide network of mules in effect that were there just pulling money out and I think they were able to get 9 million in about 30 minutes right. That’s an attack that—I mean if somebody would have presented that attack to you five years ago, your head would explode. There’s no way anybody can do that and these guys—

Amrit Williams: Well it’s interesting I think this adoption of using physical, cheap labor to be part of the attack value chain is really an interesting turn of events. It’s happening a lot more. We had this with the CAPTCHAs where they were—the bad guys were basically hiring these guys to manually fill in the CAPTCHAs and then send it back so the malware can get past the CAPTCHAs.

It’s really interesting because what you have is a level of sophistication with the organized criminals, they’re saying “listen, we can combine the aspects of things we already understand the physical world, the supply chain, cheap labor, manipulating local law” and then combine that with sophisticated malware and you just have a recipe for some pretty advanced techniques in terms of capturing your stuff, your data, your information, your money and we’re certainly going to see a lot more of that especially as the level of sophistication increases. So it is—what’s amazing though is you’re right. You hear these things a couple of years ago, probably your head would explode. You hear them and you just go “Huh, that’s interesting.”

Mike Rothman: Right yeah, that’s cool. I don’t even say that’s interesting or wow, that’s cool. We’re talking about a guy basically robbing a bank, wow that’s cool. Again it’s just totally you know, in some cases I kind of feel it’s like bizarre world. Where you know the innovation isn’t happening from the good guys. We don’t sit there and say wow, blue pill that’s cool. You go “Holy crap, these guys figured out how to pull 9 million bucks out of an ATM in 30 minutes. Now that’s cool.”

(00:05:10)

Amrit Williams: Do you think we became jaded in that respect because I hear this a lot. I hear people saying innovation’s coming from the bad guys. The good guys aren’t innovating at least in terms of security. You look around and the level of sophistication in terms of technology today and how quickly it’s moving it’s pretty phenomenal. You know the use of cloud computing for example and not the use of the cloud but cloud computing specifically or virtualization technologies, mobility, the fact that I can hold a small computing device in my palm and basically make reservations at a restaurant—the level of sophistication of the technology today is pretty phenomenal. We don’t see that much on the security side per se, is this sort of a—?

Mike Rothman: Yeah, I mean we certainly have not seen innovation at the level of the rest of the computing stack and security. And you know what I think part of that—I mean there are a couple of different reasons for that. You know but I think a lot of it has to do with most of the attacks are perpetrated more on social engineering type of techniques than hardcore, you know real technical innovation. It’s usually you know multi-faceted aspects certainly of the bigger compromises. But you know, the typical fraud is really as much smash and grab as it is anything else right. You know send a phishing message, you get somebody to click on it, their machine is owned and then I can do a whole bunch of interesting stuff. I also think that there is a lack of ability for most customers to consume innovation.

So you know, we could sit here and like you know, listen we both spend a lot of time in venture-backed companies that actually have to think about things on a quarterly basis. And interesting as it is to think about real innovation from a technology standpoint, the cold harsh reality is most companies wouldn’t even be able to consume it if it was built. So, you know and if that happens three, four, five years in a row, you have this disincentive for companies to actually do innovative things and, you know, again, if I ever sit here and I’m worried about complacency. I’m also worried that there’s no real thought leadership about how this stuff should be happening over the next couple years. We all talk about “Wow, the clouds are never going to happen until security.” That’s a load of crap! You know the cloud is going to happen, the real question is what are we going to do mitigate deferral transfer, you know some of the risks of that kind of computing model.

So and again, my fears tend to be more that, you know because the customers can’t buy it, there’s no economic incentive to build it which means we’ll constantly be—you know, I wouldn’t even say reactive. You know it may not even make sense to fight anymore. Visa and MasterCard they put a, what 2%, 3% of all of their revenues in a reserve bucket because they know what’s going to shrink. Maybe that’s just what we do over time and obviously that’s excessive and that’s something that will happen over decades, not years. But if I sit here and really be objective about where all of this stuff is going, that’s a huge fear for me.

Amrit Williams: Well it’s interesting I mean I think we keep ourselves in this never-ending state of moving forward. There is no real ability for a company to implement a radically different approach to security. They really just can’t logistically, politically or even process-wise deal with it. So if there was a radically different approach to keeping the bad guys out, its adoption would be really slow. So because of that, it slows the innovation around that and what people are doing instead of trying to change the paradigm, are just simply trying to make a better mouse trap. No one’s really trying to figure out how to get rid of the mice and that’s really an interesting take. I think there’s probably you know aspects of economy or economics that we need to look at and other things to try and change the demand for all of these malicious actors. But you know, C’est la vie, it is what it is. I don’t see a change anytime soon.

Mike Rothman: Well hey, you know guys like us live off the fat of the land right? So you know part of me says, “Well this is just the wrong thing to do over time” the other part of me says, “God, I’m pretty lucky to have at least some semblance of this skill set in an environment that’s not going away any time soon.” This kind of weird model again, as wrong as it is when you think about it from that perspective, you know, selfishly I can’t complain too much.

Amrit Williams: You know that’s true and you know we all thank God for Microsoft’s security issues.

Mike Rothman: That’s right.

(00:10:00)

Amrit Williams: But what scares a little bit, 2010 what do you see in the horizon of 2010? Is it another year in the life?

Mike Rothman: It is, and you know I think that’s part of my challenge right because I was in this space when it was like cool and exciting and you had, you know really magnetic entrepreneurs that were—you know really out there to kind of change the world. You know now it’s as much—you know, “hey man, your auditor’s showing up, you know you got to do something right.” And you know to an early market type of guy, you know that kind of is a little bit painful but you know, the reality as you had said right, it is what it is. We have to accept the situation for what it’s going to be and in 2010 I mean I think we’re going to continue to see a lot more of the same. I think you are going to see more hybrid models from a lot of the companies that are out there which is, “You know what if you don’t want to manage this, we’ll manage it for you.”

So a lot of the stuff that we see as traditional software businesses or customer-premise-oriented businesses, I think we’ll have hybrid models because again, that’s where customers want to be. I think that we have to start paying attention a lot more to the user experience.

Again guys like us are able to make this stuff work. If we really want security to happen and permeate the broader market it’s got to be easier to use. So I think the folks that will be doing some level of innovation aren’t necessarily about a better mouse trap, but it’s a mouse trap that’s easier to set up and reduces the likelihood that you’ll snap your finger or your toe and be in a world of hurt. And you know I think these are kind of market evolutionary things that are indicative of what is a rapidly maturing marketplace.

And I think we all have to come to grips with the fact that you know this isn’t a bunch of guys that are rubbing their cryptographic antennas once a year at the RSA show anymore. It’s a freaking industry and you have a lot of big companies in here that are trying to, you know wanting to do the right thing on their computing stacks and make them some semblance of secure. But you also have a real driver on the customer’s side to at least be able to prove some set of controls that are in place and utilized, and be able to document those controls so that when the auditors show up, you actually have something to say to them.

Amrit Williams: Do you see the role of the security professional changing? We’ve certainly seen it change from the firewall jockeys to somebody who could more properly speak to the business and talk about risk. These roles diverging more, converging more, what happens—?

Mike Rothman: Oh I still think we have many, way too many that aren’t comfortable, kind of talking about risk and giving a presentation to senior management. I don’t think we’ve made much progress at all on the front. We talk about it a lot, I certainly do. That was one of the lynchpins of the Pragmatic CSO is the importance of realizing the fact that you’ve got to play the game. You’ve got to get political, you’ve got to get face time with a lot of the senior business leaders that are out there but, yeah again, I don’t necessarily know that we’ve made a huge amount of progress on that front.

I think what we really have to get to is this idea that there’s the large enterprise and large government agencies and that’s really a different world. The things that you have to do to successfully implement the security program in that space are radically different than what you have to do in a mid-market type of platform in order to protect some stuff. Because you know remember, we tend to spend a lot of time with the specialists, right?

The guys that are whether they are world-class firewall jockeys or IPS signature gurus or identity management directory masters, you know whatever it is, I think what we don’t spend enough time thinking about is how do we get that guy who is the Exchange administrator and the SQL Server jockey, how do we get this guy cognizant and knowledgeable enough about basic security stuff so that 90% of the world is not totally Swiss cheese. We spend a lot of time protecting the edges of the Fortune 500 and the Global 2000. You know it’s literally an open door in pretty much the rest of the world.

Amrit Williams: Oh it’s just one of the reasons that targeting SMBs, targeting the mom and pop shops are very profitable for those folks that can commit volume of crimes.

(00:14:55)

Mike Rothman: That’s right. That’s right! That’s exactly right and I think—so when you think about it as I re-envision my business now that I’m kind of back in the independent agitator role. It really is trying to think about and solve that problem for that administrator that wears multiple hats. You know your PCI thing’s going to happen, what do I do. You know you’ve got issues in terms of a contractor needing to come and access your stuff. You know you have people that are using social media, what do you do? Knowing that maybe I’ve got 10 hours a week to spend on this stuff assuming that these guys work 50 or 60 hours on your typical week.

I think that we need to spend more time as a community thinking about those issues but we also need to package both solutions and information to help those folks do something besides just go “Hey Mister Symantec or McAfee or anybody that’s out there make this problem go away.” Or, “Hey Mister Phish Net or Ocuvan” or your big reseller, whoever they are, you know, drop ships and stuff to fix this problem for me and have people start thinking a lot more strategically about architecture and how security needs to really fit into the larger computing stack of everything that they’re doing.

Amrit Williams: Any big moves for Security Incite? I mean not big moves but big changes, you’re still going to focus on the same type of markets that you have before?

Mike Rothman: Yeah I mean I think I am going to focus a little bit more so I would get say my typical customer is going to be that mid-market professional. I think I am going to focus a little more probably on the things that are a little bit less sexy. Nowadays things like, as you had mentioned patch management and IPS and UTM and some of those things end-point security that and again isn’t necessarily sexy for the security cognoscenti but it is where most of the bulk problem in that mid-market space, as well as economic revenue share would be when you think about all the money that people spend on securities. As most entrepreneurs, I’m going to chase the money and that’s where I think the money is going to be.

Amrit Williams: I agree with you and I think it’s interesting, you know we started earlier by saying that we’re sort of shocked about some of the priorities that people are putting on are the same sort of old things that have been around for a while. I think the reality is people don’t know how to implement them properly. They’re still challenged to do the basics and one of the things that the security professionals can really help companies deal with is let’s get the basics right before we start dealing with all these weird edge cases. And that’s something that has not been done very well. We tend to go focus on the sexy, exotic things that will not impact everybody and forgetting about the things that happen to everybody. Like I really am not that concerned about a bunch of ninja assassins breaking into my—although it’s possible.

Mike Rothman: It is possible and especially with your background man. You’ll never know when these guys are going to say “Time to take that guy out” but I agree with you in that. You know again we spend a lot of time as a security—you know let’s call it the security echo chamber right and that’s whether it’s the blogs or Twitter or any of these other things. Some of the conferences, the hacker shows, we do by definition spend a lot of time on edge cases and I guess the epiphany that I had is, the big soft underbelly are the folks that, again they don’t even know what they don’t know. And we’ve got to do a better job collectively of helping them understand what they don’t know and giving them some information and hopefully some solutions to allow them to integrate good computing, good safety-security and privacy practices into kind of their day-to-day operations. And I think that’s the best opportunity that we have to impact the economic side of things.

It’s sort of like that supply-side economics, old philosophy but as long as these guys have that huge economic motive, they’re going to keep doing it. And until we can figure out a way to shut off that oxygen and you’re never going to totally shut it off but right now it’s kind of coming out of a fire hose and I think we do have to change that.

Amrit Williams: Absolutely. Mike Rothman, thanks for joining me today. For those of you interested in more of the information and insights that Mike has, you can subscribe to the Daily Incite and you can visit Mike and his thoughts at securityincite.com. That’s security S-E-C-U-R-I-T-Y incite I-N-C-I-T-E .com. Mike, thanks for joining me today.

Mike Rothman: Thank you Amrit, always a pleasure.

Announcer: You have just listened to Beyond the Perimeter, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.

Thanks for listening!
