Recently in Cloud Computing

RSA - Cloud Computing - Speaking to Crickets posted by Rick Howard

This week I have been attending the annual RSA Conference held in San Francisco. I wish I could tell you that the conference was great or that it was horrible. Alas, I cannot. RSA is famous for being a great networking conference; a place to come to shore up sagging business partnerships, renew ties to great relationships and to mine the community for new ideas and opportunities. This week, VeriSign and iDefense did that in spades. We rented out three hotel suites and rotated customers, potential customers and the press through them on an hourly basis. It was great. Being able to spend an hour with many of our great customers in a compressed time window was exhausting, but efficient and extremely productive. Everybody I talked to had great ideas about the iDefense service; what it is today, where we could improve it and where it might go in the future.

Because of those meetings, I have attended exactly two sessions of the conference. From the folks I have talked to though, this year's presentations were nothing revolutionary (this is not the place to come for new technical breakthroughs), but most were good at explaining some common themes that we are all dealing with. Looking through the conference agenda, these topics pop up a lot:

Cloud Computing
Cryptology
Social Networking
Health Care
Federal Compliance

The general consensus from the attendees is that if the phrase "Cloud Computing" is not in the presentation title, it will definitely get some attention during some portion of the lecture. The topic seems to be what everybody is talking about this week.

I am on the platform at 9:00 a.m. this morning giving the patented iDefense Trends Briefing. Among other things, I had 20 minutes of Cloud Computing content that I just yanked out of the slide deck because I am pretty sure that anybody that may show up for my talk will have been completely bludgeoned by the topic at this point. I replaced 20 minutes of slides with this "Reader's Digest" summary:

The CFO will make you buy Cloud Computing services because they are really, really cheap; get ready for it.

There are security risks, but they are manageable. I wouldn't put the company's crown jewels into the cloud yet, but the risk is manageable enough to put some low- and medium-end data and services there today.

We have a huge opportunity here; actually building security into these services from the get-go instead of bolting them onto the service after they become popular as we have done in every iteration of Internet technology in the past. Whether or not we do that is still an open question. The fact that everybody is talking about it, though, is very promising.

Yes - I got the Friday morning slot to speak. Since a lot of conference attendees leave Friday morning because they don't want to take the Red Eye back home on a Friday night and since many folks attending are doing the same thing we did here (talking to customers and not attending the presentations), I think I may be presenting to a bunch of crickets. Actually, that is not a big problem for me. Most people tell me that I like to hear myself talk anyway. This is right up my alley.

The Google Breach, Belt Fed Reporters and Hillary Clinton posted by Rick Howard

By now, you all know about the Google Breach. I have been handling belt-fed reporters on my cell phone since we published our press release late last night.  In fact, talking to so many reporters has caused the intelligence to get a little confused.

Case in point is the Elinor Mills article on Cnet News interviewing one of our iDefense guys: Elli Jellenc. She has him saying that the hackers that attacked Google and others definitely leveraged an Adobe vulnerability. When I read that, I thought to myself, "Hey - that isn't right. The fact is that we do not know." But after re-reading our own press report, we definitely said that was the case. Elinor Mills is an excellent reporter (I read her all the time) and reported what we gave her. Unfortunately, we muddled the message.

Let me clear this up. Here is what we know.

A well-targeted attack reportedly hit Google and over thirty other firms, many of them in the Silicon Valley. It appears that attackers primarily targeted source code repositories. Among the company types targeted were high tech companies based in the Silicon Valley, financial institutions, defense contractors and chemical companies.

Google is convinced that the attackers are sponsored by the People's Republic of China. In fact, they even convinced the US Secretary of State, Hillary Clinton, that it was so. She is quoted as saying,

"We have been briefed by Google on these allegations, which raise very serious concerns and questions. We look to the Chinese government for an explanation." Whatever evidence Google has, it must be strong.

Google reports that it identified malicious code on its system in mid-December. Google followed the code back to the drop servers and determined that in addition to the compromise of its own systems, more companies are involved. According to our sources, hackers hit ~ 33 additional companies.

The attack bears significant resemblance to a July 2009 attack in which attackers launched targeted e-mail campaigns against approximately 100 IT-focused companies. The July attack employed a PDF file that exploited a zero-day vulnerability in Adobe Reader.  The malware associated with the summer attacks communicated with Command & Control Servers configured similarly to the Command and Control Servers involved in the Google attacks. In fact, the C&C servers from the Google attacks are within the same subnet and six IP addresses apart from the Command and Control server addresses in the summer attacks.

Considering the similarity of the two attacks, it is likely that the summer attacks and the Google attacks originate from the same actor and that the organizations targeted in the Silicon Valley attacks have been compromised since July. It is not much of a stretch to speculate (this is the speculation part) that both attacks leveraged an Adobe vulnerability, although that has not been confirmed and Google is not talking.
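The infrastructure comparison described above (C&C servers in the same subnet, six addresses apart) can be reproduced by an analyst with a few lines of Python. This is an added example, not iDefense code; the /24 prefix length, the `max_gap` threshold, the function name and the sample addresses (RFC 5737 documentation ranges) are all assumptions, since the post gives no addresses or subnet size.

```python
import ipaddress
from itertools import product


def correlate_c2(campaign_a, campaign_b, prefix_len=24, max_gap=16):
    """Return cross-campaign address pairs that share a subnet and sit close together.

    prefix_len and max_gap are analyst-chosen assumptions; the post does not
    state which subnet size it used.
    """
    hits = []
    for raw_a, raw_b in product(campaign_a, campaign_b):
        a = ipaddress.ip_address(raw_a)
        b = ipaddress.ip_address(raw_b)
        if a.version != b.version:
            continue  # an IPv4 address is never compared with an IPv6 one
        # Subnet that contains address a at the chosen prefix length.
        net_a = ipaddress.ip_network(f"{a}/{prefix_len}", strict=False)
        if b not in net_a:
            continue
        gap = abs(int(a) - int(b))  # numeric distance between the two addresses
        if gap <= max_gap:
            hits.append((str(a), str(b), str(net_a), gap))
    return sorted(hits, key=lambda h: h[3])  # closest pairs first


# Constructed sample data: documentation ranges, not real indicators.
SUMMER_ATTACK_C2 = ["203.0.113.40", "198.51.100.7"]
GOOGLE_ATTACK_C2 = ["203.0.113.46", "192.0.2.200"]

if __name__ == "__main__":
    for a, b, net, gap in correlate_c2(SUMMER_ATTACK_C2, GOOGLE_ATTACK_C2):
        print(f"{a} <-> {b} share {net}, {gap} addresses apart")
```

The result depends on the prefix length chosen: the same pair no longer matches at /30. Adjacent addresses at a shared hosting provider can also belong to unrelated tenants, so a hit is one data point to weigh alongside the server configuration similarities the post mentions.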

If just half of this turns out to be true, the impact to Google, Silicon Valley and perhaps the US will be enormous. Google's reaction to China is a good example. They are considering pulling their business out of China as retaliation against the attacks. Google's a big player. Where they go, other smaller organizations may follow. If Google and other tech-savvy companies started pulling out of China, that would make things very interesting for the next decade for both businesses in the technical sector and for policy negotiation between China and the US.

Yikes, that makes my head spin. I think I will go back to my belt-fed reporters.

End-of-Year Vendor Security Reports and Cyber Security Disruptors posted by Rick Howard

It is the end of the year, and most security companies are rolling out their annual security trends reports. We are no exception. We should have our version published to our internal customers by next week and are planning a public presentation Webinar sometime in January. Stay tuned.

For the past couple of years, we have been talking about some intriguing ideas in our annual report. We call them cyber security disruptors. In the commercial world, the notion of a business disruptor centers on ideas or technologies that fundamentally change the way a business sector operates. One example is the combination of iTunes and the iPod. Other companies sold digital music before Apple Inc. came up with this combination at the right price point, but once they did, they fundamentally changed how people in the West purchased music. Since the late 1990s, consumers have been buying less music on CDs but purchasing digital music. That is a business disruptor. Similar to business disruptors, a cyber security disruptor is an idea or technology coming down the pipe that will fundamentally change how enterprise security staffs protect their environments. These are technologies that will start to impact us within the next five to 10 years.

In last year's trends paper, we identified five such cyber security disruptors:

  • The Metaverse
  • IPv6
  • Top-Level Domains and International Domain Names
  • Cyber Terrorism
  • Mobile Platform

I won't talk about these here. If you have attended any of my presentations this year or read last year's report, you have gotten an earful about them. What I will do from time to time in this space though is update the status when significant developments occur.

For next year, we are adding two new cyber security disruptors to the list: cloud computing and application stores. I will talk about the application stores at a later date. I'd like to focus on the cloud for now.

Cloud computing has been in the news a lot in 2009, but not everyone understands what it really is. Since iDefense wrote a paper on the subject in May, let me take a shot at it. Cloud computing is a class of technologies that takes advantage of commodity production to lower the cost of doing the service in-house and transfers the burden of maintaining the infrastructure, platform or application out of the enterprise and into the hands of a third-party provider. It is disruptive because of the cost. The low cost of utilizing a cloud service provider, at least for some services, is too attractive to keep chief financial officers away. There are security risks for sure - including availability issues, recovery issues, investigative support issues, data segregation issues, third-party viability and longevity issues, regulatory compliance issues, privileged user access issues, and data location issues - but there are ways to monitor and mitigate them. In some cases, the mitigation is complex but manageable. One of my bosses, Nico Popp, vice president of Innovation at VeriSign, wrote an interesting blog about this very topic not two weeks ago. He says the following: "In the same way that the cloud is challenging software platform vendors and ISVs, the cloud is about to disrupt the world of security." I agree with him. Cloud computing is coming, and security departments will have to learn to deal with it, if not in 2010, then within the next five years.