Home > Disruptive Innovation > Incomplete Thought: Where Is the Technology Disruption Forcing REAL Change In Security?

Incomplete Thought: Where Is the Technology Disruption Forcing REAL Change In Security?

In the networking world, we’ve seen how virtualization technologies and operational models such as cloud have impacted the market, vendors and customers in what amounts to an incredibly short span of time.

What’s popped out of that progression is the hugely disruptive impact of Software Defined Networking and corresponding Network Function Virtualization.  These issues are forcing both short and long term disruption in the networking space.  Behemoths have had to pivot…almost overnight.  We haven’t seen this behavior for a while.

I’m curious as to what people see in terms of technology that they feel is truly disruptive to the Security industry.  That means you. :)

I understand many use cases, trends and operational shifts such as BYOD, Mobility, Cloud, etc. as well as amplification of “older” issues such as DDoS, Malware, WebApp attacks, etc., but I’m curious if you think we are really seeing truly security technology disruption impact that is innovative versus incremental advancement (on either the offensive or defensive side of the coin.)

You have an opinion?

/Hoff

 

 

Categories: Disruptive Innovation Tags:
  1. January 24th, 2013 at 17:21 | #1

    I’m not a visionary but it seems that BYOD and mobility is pushing some security for end points to the cloud. See the services being offered by Zscaler and OpenDNS/Umbrella Labs.

    http://www.zscaler.com/

    http://www.umbrella.com/

  2. January 25th, 2013 at 03:58 | #2

    I think we’ve definitely been in an innovation rut wrt security for quite some time now. Doing some research back in October, I couldn’t find anything particularly new since about 2005. Sure, there have been several incremental improvements of existing techniques/tools, but that’s hardly innovation. Really, the closest thing to innovative thinking seems to be the resilience/survivability shift in risk management strategy, but even that originates in the late ’90s.

    There are, I think, two key challenges that limit security technology changes. First, by its very nature, security technologies evolve in a purely reactive manner. Until a new threat or vulnerability is perceived, nobody thinks to come up with a new defense against it. Second, we continue to live in a transitional, unstable time. Given that security technologies evolve reactively, and thus more slowly, it is natural to not see any changes or innovations until a point of reasonable stability is reached. Sure, there will patches flung against immediate, short-term challenges, but by-in-large those fixes have been derived almost completely from existing (often antiquated, signature-based) approaches.

    My guess is that it will be 2020-2025 before we start seeing overall technology innovation reaching a new stasis point, at which point there will then be an opportunity for new security technologies to come to fruition. Interestingly, this will also correspond with generational shifts, as by then we will see almost all Baby Boomers retired from work life (or expired, as the case may be). We’ll then live in a world where the majority are IT “natives” who grew up with computing devices. Socially/culturally, this will also be important for innovation in security technology.

    My research from October is summarized here:
    http://www.secureconsulting.net/2012/10/a-little-historical-perspective.html

  3. January 25th, 2013 at 08:51 | #3

    Technology won’t disrupt itself. What will force real change in security is better information about security outcomes, and that disruption is coming. Eg https://www.fidelity.co.uk/investor/news-insights/expert-opinions/details.page?whereParameter=gillian-tett/escalating-cyber-attacks

  4. chris
    January 27th, 2013 at 15:03 | #4

    Agree wholly with Adam’s first sentence. Gotta think that with more outcomes information there will be vastly changed public/govt perception, and from that, disruption. Whether that disruption is creative or destructive is the $64 question, of course.

    I have to add, and I hope it isn’t seen as trotting out the “professionals study econ” trope, that much of the infosec disruption we’ll see is going to originate at the political and financial layers. I don’t think we’ll see crypto wars 2.0, but something is happening, but being just a Mr. Jones, I don’t know what it is…yet.

  5. January 27th, 2013 at 19:11 | #5

    I’m going to take a different stance and say that Anonymous / LulzSec are the true disruptive forces in security, rather than any single technology or process that one can purchase or apply.

  6. fletch
    January 27th, 2013 at 21:58 | #6

    In terms of IT operations, and as an early adopter sysadmin of virtualization, this is a natural, logical continuation of the disruption from system hypervisor abstraction, to network and storage arenas. I am constantly surprised by the de facto status quo in most IT organizations, ignoring this trend and the network, storage and security folks lagging in this area.

    Security firewall rules must evolve from static source:dest:port rules to abstracted/virtual attached policies. Its not so much a technology issue, but that there exists much inertia in terms of corporate IT not understanding and resistant to the mindshift necessary to make this change to security happen.

  7. Mortman
    January 29th, 2013 at 09:41 | #7

    Well it’s not so much an innovation, but I’m definitely seeing cloud as a forcing function of how security is being implemented by organizations if only because many of the traditional network security tools aren’t available in the public cloud yet. As a result, I’m seeing more Jericho Forum type stuff being done leveraging existing operational tools to get the security job done.

  8. Alli
    January 29th, 2013 at 10:47 | #8

    The Armored Stack that Falling Rock is working on looks promising for people who want to prevent their sites from getting hacked all the time.

  9. LonerVamp
    February 4th, 2013 at 14:57 | #9

    Definitely an interesting discussion start, but I’d want a bit of definition on what incremental examples there may be, and what “disruption” is like, since I think this term is still misunderstood unless you’re in the clubhouse.

    Defense, by it’s nature is largely reactionary and thus pretty incremental, though I’m sure some solutions will qualify, such as stateful firewalls. In fact, offense can be seen the same way, as it is reactionary to new technology (though there are plenty of innovative attacks and disruptive tools that greatly change risk postures). Fundamental security is also pretty basic: CIA, etc.

    I think one problem is technology today is getting complex extremely quickly (virtual networking on virtual platforms on physical platforms that only paid support knows how to manage…), which in turns makes security tools extremely complex, if even possible. The most successful people I’m aware of are the ones who still work with the smallest, most surgical and basic tools available.

  10. Donny
    February 5th, 2013 at 19:29 | #10

    Maybe it is the wrong question that is being asked. Security should be transparent, not disruptive. Most implement “just enough” security to mitigate risk. With each incremental increase in security comes workflow disruption, extra processes/procedures, and reduced functionality.

    What the enterprise is looking for is the “magic” auditing and control with minimal impact.

    Think of certificates. We could establish a system without central authorities and each system/application would have to trust the specific certificates of preapproved peers. This would greatly improve security. However, the impact to usability would be tremendous. Therefore we implement common trusted roots for ease of use and simplicity.

    Truly disruptive security would be the return of morality…

    For me, the next generation of secruity is to add teeth through law/policy. I am tired of strong policies with loose implementation and justice. Fire, dismiss, suspend, or just do what is documented.

    From a technology standpoint, I would like to see countries denied from public Internet access when a large attack or misbehavior is detected. Black hole China when they send fraudulent BGP updates. ISPs should quarantine systems sending viruses or malicious content. We continue to attempt to block/deflect the issues at the destination. The next generation needs to be focused at chopping off the head.

    • beaker
      February 6th, 2013 at 09:53 | #11

      Donny:

      Really provocative comment, thanks.

      I’m going to come back and reply when I have a few more cycles, but I find your perspective fascinating with respect to transparency vs disruption.
      Not sure I agree, but I’ll explore more shortly.

      Thanks!

      /Hoff

  11. February 11th, 2013 at 05:56 | #12

    Probably not on the scale of “disruption” as the author suggests, but from a corporate IT perspective where a company is trying to deliver products and/or services that aren’t specifically IT (manufacturing, banking, etc.), I believe the sophistication of malware today represents disruption. That disruption is in the mindset of the corporate security professional of the last decade. The prior decade represented the thought process that if enough controls could be applied, the product or service “was secure”. The challenge was to get in front of all the IT investments and “require” solutions to include those controls. Today, one can load up any iT solution with all the available controls and breaches are exceedingly possible.

    I’ve tried to make my case in a recent post of mine here:. http://bit.ly/Nga7ul

  12. February 19th, 2013 at 14:38 | #13

    One thing i’ve been thinking a lot about is the scale and power of tiny devices which are capable of delivering network-based attacks.

    As a malicious entity, if I can physically drop a box on your network that can automatically find and exploit vulnerabilities, exfil data, and maintain a point of presence for me, that’s a pretty powerful force that needs to be reckoned with. This has always been possible, but it’s definitely becoming more easy / affordable / common.

  13. Christian Vigil
    February 20th, 2013 at 08:23 | #14

    Those are valid points, but the “disruption” is going to human error or a human cause. At the rate we are advancing its only time until we are to advanced that we can’t train enough people about the in’s and out’s of the software. We have seen this happen plenty of times with the ability of hackers being about to gain entry into systems. They truly understand how and where to code the programs to help them. Where the corporate security professionals fail, the hackers gain. I believe we need to take a step back and slow down on the advancements and develop the skills and personal to help end this “cypher war” we have on our hands and get a hold of everything. However, I might be wrong what is everyone else’s thoughts?

  14. Andy
    June 15th, 2013 at 00:40 | #15

    @Donny
    Re – Transparency. Yep, I’m with Shostack & Stuart on this. Security education does not work, users will do what is easiest every time. We cannot expect them to adopt the certificate mechanism you describe, due to the general lack of user interest in expending the amount of time and effort to handle any form of “key management”. Instead we need to make the environment as a whole better – transparent security. This will not come from fudging current technologies incrementally. I cannot agree however that policy alone will provide the necessary impetus, outside of individual organisations (and I have my doubts around that being effective in a lot of situations). The transparency will come from proper instrumentation and incremental improvement in code quality in the application space. Yep, coders will need to instrument a degree of security into apps and then work iteration by iteration to improve that security and react to threats. The DevOps concept should not include separate security benchmarks, rather it should treat any malfunction or unforeseen consequence of, say for example, invalid user input as an incident which should be instrumented and subsequently prevented (smart input validation). Then we are not applying security controls to users (education etc.) but removing the problem from the user domain entirely. That is where I believe the real transparency needs to exist.

    As to quarantining systems sourcing (or more likely serving as transport) for malicious content/ware, that can only be achieved properly with an (ideally) globally reaching, highly granular, independently controlled, standardised threat/reputation intelligence data feed, which would enable us to key dynamic network (full layer 3-7) access controls.

    Not appropriate to blackhole any nations traffic based on a few sources of badness, too heavy handed and playing into the hands of anyone wanting to disrupt traffic. Obviously……

  1. No trackbacks yet.