Challenges and opportunities in cyber security innovation
1 / 14

Challenges and Opportunities in Cyber Security Innovation - PowerPoint PPT Presentation

  • Uploaded on

Challenges and Opportunities in Cyber Security Innovation . Fall, 2011. Paul Barford Qualys Inc. and University of Wisconsin. Internet Cambrian explosion. Internet threat landscape exploded in ‘01 Virus, DoS , worms, bots We’re in a time of evolving cyber ecosystems

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Challenges and Opportunities in Cyber Security Innovation' - dior

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Challenges and opportunities in cyber security innovation

Challenges and Opportunities in Cyber Security Innovation

Fall, 2011

Paul Barford

Qualys Inc.


University of Wisconsin

Internet cambrian explosion
Internet Cambrian explosion

  • Internet threat landscape exploded in ‘01

    • Virus, DoS, worms, bots

  • We’re in a time of evolving cyberecosystems

    • Highly complex, dynamic and diverse

    • Expanding challenges and opportunities

  • Addressing threats requires innovation

    • Step functions vs. increments

    • We’ve not seen much in the security domain lately…

Challenge tech vs innovation
Challenge: tech vs. innovation

  • What is the “next big thing”?

    • Threats: many possibilities

    • Counter measures: new architectures

  • Where will the “next big thing” come from?

    • Companies typically develop technology

    • gov/mil are fairly dark and highly diverse

    • Academia needs better processes

    • Entrepreneurs are the innovators

Challenge antiquated edu
Challenge: antiquated edu

  • Processes in academia can stifle innovation

    • Tenure is a conundrum

    • Unenlightened IP management

  • Incubation support is … incubating

    • It’s not just about physical space or $$

    • The Utah example

  • Why isn’t entrepreneurship taught in CS?

    • Gates, Page/Brin, etc. were not B-school grads

    • Young people areoftenignored

Challenge bridging the gap
Challenge: bridging the gap

  • Standard start-up issues

    • Business plan, funding, hiring, execution, etc.

  • Complexities and privacy concerns of security operations

    • Highly sensitive nature of sec ops limit feedback

  • Regulations

    • SOX, PCI, international, etc.

  • Moving targets

    • New threats change perception of value

Challenge metrics
Challenge: metrics

  • How do we assess the impact of something innovative in the security space?

    • No analog of FLOPS or bps

  • Security is good when nothing happens

    • Sends wrong message

  • Changing the conversation

    • Being proactive

    • Being robust

    • Value add for products

Challenge deployment
Challenge: deployment

  • Hardware is pretty much out

    • “You want to deploy IN LINE!?!”

  • Easy integration is essential

    • Complex architectures

    • Home grown solutions

    • Privacy concerns

  • Ad hoc evaluation methods and tools

    • Related to metrics

  • Everyone is busy

Chall atunity o vs d
Chall-atunity: O vs. D

  • Standard focus of cyber security is defense

    • Threats determine policies, processes, systems

    • Robust but fragile

  • Offense (attacker) always has the advantage

    • Only one entry point is required

    • Humans are in the loop

  • Offense can clearly have an impact

    • Stuxnet is a game changer

  • Offense is clearly controversial!

Opportunity data service
Opportunity: data*/service

  • Many security systems and processes depend on different types of data

    • Aggregates

    • Signatures

  • S,S,SaaS via the cloud

    • Simplifies deployment

    • Lowers costs

    • Changes playing field

    • But, risks are difficult to assess

Opportunity secure software
Opportunity: secure software

  • Software system vulnerabilities will be with us forever

    • System complexity

    • Humans in the loop

  • Secure software development methods

    • Requires careful consideration of threats

  • Software testing methods, tools, processes

    • Fast, accurate identification of a myriad of bugs

  • However, humans are in the loop…

Opportunity education
Opportunity: education

  • Educate “consumers” on best practices

    • Private users

      • Simple things can make all the difference

    • Developers

      • Evolving threats make this an on-going challenge

    • Public/enterprise/SMB

      • How to assess risk & make good decisions on security

  • Educate policy makers on security landscape

    • Regulation must be considered VERY carefully

  • Educate the next generation of innovators

    • These resources must be fostered carefully

Opportunity partnerships
Opportunity: partnerships

  • Public + private > {public, private}

    • Sharing perspectives is a good starting point

    • Trusted relationships enable sound decisions and effective use of technology

  • Bring academia to the table (gov/com/edu)

    • Unfettered perspective

    • Neutral third party

  • Foster consistent evaluation for innovative technologies

    • National Cyber Security Assessment Center

Opportunity innovation
Opportunity: innovation

  • Situational awareness

    • Unifying theme for sec ops

  • Embrace cloud-mobile environment

    • Solutions for the cloud and from the cloud

  • Policy, regulation and enforcement

    • Important part of ecosystem

    • Facilitate via gov/com/edu partnerships

  • Change the playing field

    • Group-centric security


  • Dynamic and diverse threat landscape

    • Obviates incremental solutions

    • Necessitates innovation

  • Challenges abound

    • Entrenchment based on unknown risks

  • Opportunities abound

    • Data centric innovation

    • Software security

    • Partnerships

    • Changing the playing field