I attended the RSA Conference in San Francisco last week, a yearly gathering of cybersecurity professionals and security vendors. I attended my first conference as an OX representative last year, and it’s been interesting to see how the security industry has changed (or not!) since then.
Wandering the expo floor is a good way to do this. Looking back at my posts from last year, I commented on the rise of Machine Learning as an industry buzzword; this has now become endemic, and no self-respecting vendor would fail to include those magic words somewhere in the description of their solution. As always it's hard to separate the hype from reality, but what is clear is that Machine Learning is becoming mainstream.
I attended a talk on Wednesday by Microsoft, discussing how they use ML in their Azure service to disrupt attacks and detect compromised servers. This followed on from a talk last year where they discussed how they use ML to detect login abuse. It seems clear that ML has some practical uses in security; however, it's also clear that it is not a panacea. Microsoft admitted themselves that they are still in the early stages of using ML, and that it's often combined with rules-based models to achieve good detection rates with an acceptable number of false positives. What is great, however, is that a lot of tools and services are available to get started with Machine Learning, often open-source or free: e.g. TensorFlow, or Microsoft Machine Learning Studio.
Another great talk I attended yesterday was about Open-Source Security, presented by Nicko van Someren from the Core Infrastructure Initiative. The Core Infrastructure Initiative is attempting to improve the security of core internet infrastructure (for example by funding projects such as OpenSSL), and has many similarities with the folks over at the Mozilla Secure Open Source initiative, whom I've blogged about before. Nicko's presentation was primarily about how to make open-source software secure (a topic close to my heart, obviously), although many of the points applied equally to *any* software development. I was very pleased to see that we already implement a lot of the processes he recommends, although we definitely could improve in a few areas, particularly threat modelling at the design stage, and the use of fuzzing tools in our CI processes.
Quite a few of the talks I've attended this week have stressed a point I particularly agree with: "Security is a process, not a product". Processes don't have an endpoint (you're never "done" with security), and we should always aim to improve the process in order to improve the outcome, which is more secure products for our customers.