The big buzz seemed to me to be around two things:
1) The high-profile infrastructure and defense industrial base breaches, and the big changes that will inevitably result, with more government intervention and more regulation in these areas. An interesting panel was the one on Securing Critical Networks (Marcus Sachs of Verizon, Michael Assante of NERC, and three others). I learned a few things about the challenges utilities/energy face in securing their networks. Air gaps between SCADA networks and IP networks frequently don’t exist, and many of the devices in use have serious problems (inability to run A/V, patch issues, embedded OSes, simple password change issues). This industry faces technical challenges, and the usual “unfunded mandate” kind of challenge from NERC/FERC CIP. One of the panelists mentioned seeing Conficker traffic from medical devices (diagnostic equipment running embedded OSes), looking for updates. It struck me how similar the issues in energy and medical are: critical networks (control networks in energy, and medical device networks in healthcare) merging with or being connected to IT networks, and embedded systems that necessarily run older OS versions that can’t be patched frequently (think FDA-controlled OS releases). These are big issues that will take time, money, and vendor creativity to fix. Let’s hope that the government (as it gets more involved) recognizes the real issues and helps solve the problems, rather than creating new ones.
2) Everything is cloudy. With the Cloud Security Alliance announcement and first deliverable, the Jericho Forum’s cloud cube model, lots of panels talking about cloud security, and John Chambers talking about the vast security problems in cloud computing, cloud security was the topic du jour.
Other notes:
Session quality was just OK – it needs a little more diversity of speakers, and more case studies. I got the most out of a session by Jose Varghese of Paladion, an MSSP in Mumbai, who provided a case study of lessons learned running security and risk management for a large bank in India. He covered a huge amount of ground, talked very fast, and presented a lot of interesting, real-world findings.
Attendance seemed to be a little off to me, and there seemed to be fewer vendors there. Will information security be immune from the present recession? You might think so talking to vendors at RSA, but I think we’ll see serious attrition in the next twelve months. Not consolidation really, just attrition and going-out-of-business sales. It would be a fun time to be a BD/corporate development guy at a security vendor with deep pockets; you could see more broad-line security vendors created on the cheap.
Jim Hietala
Jim Hietala, CISSP, GSEC, is Research Director and a principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. He is also the Vice President, Security for The Open Group, where he manages all security and risk management programs and standards activities.

Jim has provided research and consulting services to organizations such as SANS, The Open Group, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several research whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, SC Magazine, and others.

An industry veteran, he has held leadership roles at ControlPath, Avail Networks, Alternative Technologies, eSoft, Qwest, Concentric Network, and Digital Pathways. He developed and launched the industry’s first remote access VPN service (Concentric RemoteLink) and encrypting ISDN router (at Network Express), and launched a compliance and risk management software start-up in the IT-GRC market.

He holds a B.S. in Marketing from Southern Illinois University.